Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-02-29 12:31:33 +0000
commit: 9496f70a8203592158275489519996476b2356af (patch)
tree: f0859d60d87717a800604739dc67e133cbcb1b4f /sshd.c
parent: 374db1757fc18bd6647539b80977e6907a2cecd4 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 5cd9129d0..d1dd711fc 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-02-29 12:31:33 +0000
commit	9496f70a8203592158275489519996476b2356af (patch)
tree	f0859d60d87717a800604739dc67e133cbcb1b4f /sshd.c
parent	374db1757fc18bd6647539b80977e6907a2cecd4 (diff)

diff --git a/sshd.c b/sshd.c index 5cd9129d0..d1dd711fc 100644 --- a/sshd.c +++ b/sshd.c
@@ -129,6 +129,13 @@
129	#include <Security/AuthSession.h>	129	#include <Security/AuthSession.h>
130	#endif	130	#endif
131		131
		132	#ifdef LIBWRAP
		133	#include <tcpd.h>
		134	#include <syslog.h>
		135	int allow_severity;
		136	int deny_severity;
		137	#endif /* LIBWRAP */
		138
132	#ifndef O_NOCTTY	139	#ifndef O_NOCTTY
133	#define O_NOCTTY 0	140	#define O_NOCTTY 0
134	#endif	141	#endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
2151	#ifdef SSH_AUDIT_EVENTS	2158	#ifdef SSH_AUDIT_EVENTS
2152	audit_connection_from(remote_ip, remote_port);	2159	audit_connection_from(remote_ip, remote_port);
2153	#endif	2160	#endif
		2161	#ifdef LIBWRAP
		2162	allow_severity = options.log_facility\|LOG_INFO;
		2163	deny_severity = options.log_facility\|LOG_WARNING;
		2164	/* Check whether logins are denied from this host. */
		2165	if (packet_connection_is_on_socket()) {
		2166	struct request_info req;
		2167
		2168	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2169	fromhost(&req);
		2170
		2171	if (!hosts_access(&req)) {
		2172	debug("Connection refused by tcp wrapper");
		2173	refuse(&req);
		2174	/* NOTREACHED */
		2175	fatal("libwrap refuse returns");
		2176	}
		2177	}
		2178	#endif /* LIBWRAP */
2154		2179
2155	/* Log the connection. */	2180	/* Log the connection. */
2156	laddr = get_local_ipaddr(sock_in);	2181	laddr = get_local_ipaddr(sock_in);