Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-08-19 17:09:55 +0100
commit: ace4bfab52b31a2833636a243ba150fdf0f48293 (patch)
tree: 5b6fc34d23d98e75196a515d35dd1dfeb9710db6 /sshd.c
parent: 5d3dc7ea4c96cab9483d5389a3b04163771fdee2 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 6b85e6c45..186ad5579 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2141,6 +2148,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-08-19 17:09:55 +0100
commit	ace4bfab52b31a2833636a243ba150fdf0f48293 (patch)
tree	5b6fc34d23d98e75196a515d35dd1dfeb9710db6 /sshd.c
parent	5d3dc7ea4c96cab9483d5389a3b04163771fdee2 (diff)

diff --git a/sshd.c b/sshd.c index 6b85e6c45..186ad5579 100644 --- a/sshd.c +++ b/sshd.c
@@ -129,6 +129,13 @@
129	#include <Security/AuthSession.h>	129	#include <Security/AuthSession.h>
130	#endif	130	#endif
131		131
		132	#ifdef LIBWRAP
		133	#include <tcpd.h>
		134	#include <syslog.h>
		135	int allow_severity;
		136	int deny_severity;
		137	#endif /* LIBWRAP */
		138
132	#ifndef O_NOCTTY	139	#ifndef O_NOCTTY
133	#define O_NOCTTY 0	140	#define O_NOCTTY 0
134	#endif	141	#endif
@@ -2141,6 +2148,24 @@ main(int ac, char **av)
2141	#ifdef SSH_AUDIT_EVENTS	2148	#ifdef SSH_AUDIT_EVENTS
2142	audit_connection_from(remote_ip, remote_port);	2149	audit_connection_from(remote_ip, remote_port);
2143	#endif	2150	#endif
		2151	#ifdef LIBWRAP
		2152	allow_severity = options.log_facility\|LOG_INFO;
		2153	deny_severity = options.log_facility\|LOG_WARNING;
		2154	/* Check whether logins are denied from this host. */
		2155	if (packet_connection_is_on_socket()) {
		2156	struct request_info req;
		2157
		2158	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2159	fromhost(&req);
		2160
		2161	if (!hosts_access(&req)) {
		2162	debug("Connection refused by tcp wrapper");
		2163	refuse(&req);
		2164	/* NOTREACHED */
		2165	fatal("libwrap refuse returns");
		2166	}
		2167	}
		2168	#endif /* LIBWRAP */
2144		2169
2145	/* Log the connection. */	2170	/* Log the connection. */
2146	laddr = get_local_ipaddr(sock_in);	2171	laddr = get_local_ipaddr(sock_in);