Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-01-14 15:07:16 +0000
commit: f1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a (patch)
tree: ca8af2183f8b3c5fc96e79611c3857f712f0a3fc /sshd.c
parent: 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index d659a6892..9275e0b7a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -130,6 +130,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-01-14 15:07:16 +0000
commit	f1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a (patch)
tree	ca8af2183f8b3c5fc96e79611c3857f712f0a3fc /sshd.c
parent	6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 (diff)

diff --git a/sshd.c b/sshd.c index d659a6892..9275e0b7a 100644 --- a/sshd.c +++ b/sshd.c
@@ -130,6 +130,13 @@
130	#include <Security/AuthSession.h>	130	#include <Security/AuthSession.h>
131	#endif	131	#endif
132		132
		133	#ifdef LIBWRAP
		134	#include <tcpd.h>
		135	#include <syslog.h>
		136	int allow_severity;
		137	int deny_severity;
		138	#endif /* LIBWRAP */
		139
133	#ifndef O_NOCTTY	140	#ifndef O_NOCTTY
134	#define O_NOCTTY 0	141	#define O_NOCTTY 0
135	#endif	142	#endif
@@ -2151,6 +2158,24 @@ main(int ac, char **av)
2151	#ifdef SSH_AUDIT_EVENTS	2158	#ifdef SSH_AUDIT_EVENTS
2152	audit_connection_from(remote_ip, remote_port);	2159	audit_connection_from(remote_ip, remote_port);
2153	#endif	2160	#endif
		2161	#ifdef LIBWRAP
		2162	allow_severity = options.log_facility\|LOG_INFO;
		2163	deny_severity = options.log_facility\|LOG_WARNING;
		2164	/* Check whether logins are denied from this host. */
		2165	if (packet_connection_is_on_socket()) {
		2166	struct request_info req;
		2167
		2168	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2169	fromhost(&req);
		2170
		2171	if (!hosts_access(&req)) {
		2172	debug("Connection refused by tcp wrapper");
		2173	refuse(&req);
		2174	/* NOTREACHED */
		2175	fatal("libwrap refuse returns");
		2176	}
		2177	}
		2178	#endif /* LIBWRAP */
2154		2179
2155	/* Log the connection. */	2180	/* Log the connection. */
2156	laddr = get_local_ipaddr(sock_in);	2181	laddr = get_local_ipaddr(sock_in);