summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 1c2512314..e894db9fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1521,6 +1521,62 @@ else
1521 AC_MSG_RESULT([no]) 1521 AC_MSG_RESULT([no])
1522fi 1522fi
1523 1523
1524# Check whether user wants TCP wrappers support
1525TCPW_MSG="no"
1526AC_ARG_WITH([tcp-wrappers],
1527 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1528 [
1529 if test "x$withval" != "xno" ; then
1530 saved_LIBS="$LIBS"
1531 saved_LDFLAGS="$LDFLAGS"
1532 saved_CPPFLAGS="$CPPFLAGS"
1533 if test -n "${withval}" && \
1534 test "x${withval}" != "xyes"; then
1535 if test -d "${withval}/lib"; then
1536 if test -n "${need_dash_r}"; then
1537 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1538 else
1539 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1540 fi
1541 else
1542 if test -n "${need_dash_r}"; then
1543 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1544 else
1545 LDFLAGS="-L${withval} ${LDFLAGS}"
1546 fi
1547 fi
1548 if test -d "${withval}/include"; then
1549 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1550 else
1551 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1552 fi
1553 fi
1554 LIBS="-lwrap $LIBS"
1555 AC_MSG_CHECKING([for libwrap])
1556 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1557#include <sys/types.h>
1558#include <sys/socket.h>
1559#include <netinet/in.h>
1560#include <tcpd.h>
1561int deny_severity = 0, allow_severity = 0;
1562 ]], [[
1563 hosts_access(0);
1564 ]])], [
1565 AC_MSG_RESULT([yes])
1566 AC_DEFINE([LIBWRAP], [1],
1567 [Define if you want
1568 TCP Wrappers support])
1569 SSHDLIBS="$SSHDLIBS -lwrap"
1570 TCPW_MSG="yes"
1571 ], [
1572 AC_MSG_ERROR([*** libwrap missing])
1573
1574 ])
1575 LIBS="$saved_LIBS"
1576 fi
1577 ]
1578)
1579
1524# Check whether user wants to use ldns 1580# Check whether user wants to use ldns
1525LDNS_MSG="no" 1581LDNS_MSG="no"
1526AC_ARG_WITH(ldns, 1582AC_ARG_WITH(ldns,
@@ -5242,6 +5298,7 @@ echo " PAM support: $PAM_MSG"
5242echo " OSF SIA support: $SIA_MSG" 5298echo " OSF SIA support: $SIA_MSG"
5243echo " KerberosV support: $KRB5_MSG" 5299echo " KerberosV support: $KRB5_MSG"
5244echo " SELinux support: $SELINUX_MSG" 5300echo " SELinux support: $SELINUX_MSG"
5301echo " TCP Wrappers support: $TCPW_MSG"
5245echo " MD5 password support: $MD5_MSG" 5302echo " MD5 password support: $MD5_MSG"
5246echo " libedit support: $LIBEDIT_MSG" 5303echo " libedit support: $LIBEDIT_MSG"
5247echo " libldns support: $LDNS_MSG" 5304echo " libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index fb133c14b..57a7fd66b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
873This file should be writable only by the user, and need not be 873This file should be writable only by the user, and need not be
874readable by anyone else. 874readable by anyone else.
875.Pp 875.Pp
876.It Pa /etc/hosts.allow
877.It Pa /etc/hosts.deny
878Access controls that should be enforced by tcp-wrappers are defined here.
879Further details are described in
880.Xr hosts_access 5 .
881.Pp
876.It Pa /etc/hosts.equiv 882.It Pa /etc/hosts.equiv
877This file is for host-based authentication (see 883This file is for host-based authentication (see
878.Xr ssh 1 ) . 884.Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
975.Xr ssh-keygen 1 , 981.Xr ssh-keygen 1 ,
976.Xr ssh-keyscan 1 , 982.Xr ssh-keyscan 1 ,
977.Xr chroot 2 , 983.Xr chroot 2 ,
984.Xr hosts_access 5 ,
978.Xr login.conf 5 , 985.Xr login.conf 5 ,
979.Xr moduli 5 , 986.Xr moduli 5 ,
980.Xr sshd_config 5 , 987.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 3a5c1ea78..4e32fd10d 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
127#include <Security/AuthSession.h> 127#include <Security/AuthSession.h>
128#endif 128#endif
129 129
130#ifdef LIBWRAP
131#include <tcpd.h>
132#include <syslog.h>
133int allow_severity;
134int deny_severity;
135#endif /* LIBWRAP */
136
130/* Re-exec fds */ 137/* Re-exec fds */
131#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 138#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 139#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2062,6 +2069,24 @@ main(int ac, char **av)
2062#ifdef SSH_AUDIT_EVENTS 2069#ifdef SSH_AUDIT_EVENTS
2063 audit_connection_from(remote_ip, remote_port); 2070 audit_connection_from(remote_ip, remote_port);
2064#endif 2071#endif
2072#ifdef LIBWRAP
2073 allow_severity = options.log_facility|LOG_INFO;
2074 deny_severity = options.log_facility|LOG_WARNING;
2075 /* Check whether logins are denied from this host. */
2076 if (ssh_packet_connection_is_on_socket(ssh)) {
2077 struct request_info req;
2078
2079 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2080 fromhost(&req);
2081
2082 if (!hosts_access(&req)) {
2083 debug("Connection refused by tcp wrapper");
2084 refuse(&req);
2085 /* NOTREACHED */
2086 fatal("libwrap refuse returns");
2087 }
2088 }
2089#endif /* LIBWRAP */
2065 2090
2066 rdomain = ssh_packet_rdomain_in(ssh); 2091 rdomain = ssh_packet_rdomain_in(ssh);
2067 2092