summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2016-01-04 15:07:00 +0000
commitc538473bc1958b99bb26283752f287df5934045a (patch)
tree2a874070b15d57372b83509e95767d48b8dad4a1 /sshd.c
parent48424483cbf2232ba849038e02675b2db1ea3a88 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 839c2e02d..0e30e6e32 100644
--- a/sshd.c
+++ b/sshd.c
@@ -130,6 +130,13 @@
130#include <Security/AuthSession.h> 130#include <Security/AuthSession.h>
131#endif 131#endif
132 132
133#ifdef LIBWRAP
134#include <tcpd.h>
135#include <syslog.h>
136int allow_severity;
137int deny_severity;
138#endif /* LIBWRAP */
139
133#ifndef O_NOCTTY 140#ifndef O_NOCTTY
134#define O_NOCTTY 0 141#define O_NOCTTY 0
135#endif 142#endif
@@ -2145,6 +2152,24 @@ main(int ac, char **av)
2145#ifdef SSH_AUDIT_EVENTS 2152#ifdef SSH_AUDIT_EVENTS
2146 audit_connection_from(remote_ip, remote_port); 2153 audit_connection_from(remote_ip, remote_port);
2147#endif 2154#endif
2155#ifdef LIBWRAP
2156 allow_severity = options.log_facility|LOG_INFO;
2157 deny_severity = options.log_facility|LOG_WARNING;
2158 /* Check whether logins are denied from this host. */
2159 if (packet_connection_is_on_socket()) {
2160 struct request_info req;
2161
2162 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2163 fromhost(&req);
2164
2165 if (!hosts_access(&req)) {
2166 debug("Connection refused by tcp wrapper");
2167 refuse(&req);
2168 /* NOTREACHED */
2169 fatal("libwrap refuse returns");
2170 }
2171 }
2172#endif /* LIBWRAP */
2148 2173
2149 /* Log the connection. */ 2174 /* Log the connection. */
2150 laddr = get_local_ipaddr(sock_in); 2175 laddr = get_local_ipaddr(sock_in);