Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-08-07 12:18:42 +0100
commit: c027de5eb3e6cb1718990841c2a9cbc89fd53151 (patch)
tree: dcbb7d53e5952bf02ef3dfe96dd0a184c8c307c2 /sshd.c
parent: eecddf8b72fcad83ccca43b1badb03782704f6b7 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index ebb88c776..982e5455e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2207,6 +2214,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-08-07 12:18:42 +0100
commit	c027de5eb3e6cb1718990841c2a9cbc89fd53151 (patch)
tree	dcbb7d53e5952bf02ef3dfe96dd0a184c8c307c2 /sshd.c
parent	eecddf8b72fcad83ccca43b1badb03782704f6b7 (diff)

diff --git a/sshd.c b/sshd.c index ebb88c776..982e5455e 100644 --- a/sshd.c +++ b/sshd.c
@@ -129,6 +129,13 @@
129	#include <Security/AuthSession.h>	129	#include <Security/AuthSession.h>
130	#endif	130	#endif
131		131
		132	#ifdef LIBWRAP
		133	#include <tcpd.h>
		134	#include <syslog.h>
		135	int allow_severity;
		136	int deny_severity;
		137	#endif /* LIBWRAP */
		138
132	#ifndef O_NOCTTY	139	#ifndef O_NOCTTY
133	#define O_NOCTTY 0	140	#define O_NOCTTY 0
134	#endif	141	#endif
@@ -2207,6 +2214,24 @@ main(int ac, char **av)
2207	#ifdef SSH_AUDIT_EVENTS	2214	#ifdef SSH_AUDIT_EVENTS
2208	audit_connection_from(remote_ip, remote_port);	2215	audit_connection_from(remote_ip, remote_port);
2209	#endif	2216	#endif
		2217	#ifdef LIBWRAP
		2218	allow_severity = options.log_facility\|LOG_INFO;
		2219	deny_severity = options.log_facility\|LOG_WARNING;
		2220	/* Check whether logins are denied from this host. */
		2221	if (packet_connection_is_on_socket()) {
		2222	struct request_info req;
		2223
		2224	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2225	fromhost(&req);
		2226
		2227	if (!hosts_access(&req)) {
		2228	debug("Connection refused by tcp wrapper");
		2229	refuse(&req);
		2230	/* NOTREACHED */
		2231	fatal("libwrap refuse returns");
		2232	}
		2233	}
		2234	#endif /* LIBWRAP */
2210		2235
2211	/* Log the connection. */	2236	/* Log the connection. */
2212	laddr = get_local_ipaddr(sock_in);	2237	laddr = get_local_ipaddr(sock_in);