-rw-r--r-- | configure.ac | 57 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd.c | 25 |
3 files changed, 89 insertions, 0 deletions
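diff --git a/configure.ac b/configure.ac
index 90e81e160..7f160f131 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
 ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+[
+if test "x$withval" != "xno" ; then
+saved_LIBS="$LIBS"
+saved_LDFLAGS="$LDFLAGS"
+saved_CPPFLAGS="$CPPFLAGS"
+if test -n "${withval}" && \
+test "x${withval}" != "xyes"; then
+if test -d "${withval}/lib"; then
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+else
+LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+fi
+else
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+else
+LDFLAGS="-L${withval} ${LDFLAGS}"
+fi
+fi
+if test -d "${withval}/include"; then
+CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+else
+CPPFLAGS="-I${withval} ${CPPFLAGS}"
+fi
+fi
+LIBS="-lwrap $LIBS"
+AC_MSG_CHECKING([for libwrap])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+]], [[
+hosts_access(0);
+]])], [
+AC_MSG_RESULT([yes])
+AC_DEFINE([LIBWRAP], [1],
+[Define if you want
+TCP Wrappers support])
+SSHDLIBS="$SSHDLIBS -lwrap"
+TCPW_MSG="yes"
+], [
+AC_MSG_ERROR([*** libwrap missing])
+
+])
+LIBS="$saved_LIBS"
+fi
+]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"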
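Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` (new lines 1414-1415) are assigned but never read back — only `LIBS` is restored at 1458 — so the `-L`/`-I`/`-R` additions derived from `--with-tcp-wrappers=PATH` remain in the global flags for every later configure check; either drop the two dead assignments or restore them and carry the paths only where libwrap is actually linked. The `-R${withval}` branches at 1420 and 1426 (taken when `need_dash_r` is set, presumably the runpath flag on Solaris/BSD linkers) also bake the user-supplied directory into sshd's runtime library search path, which matters for a root daemon if that directory is writable by non-root at runtime. A one-line comment would make that explicit, e.g. `# -R embeds PATH as a runpath in sshd; PATH must not be writable by unprivileged users at runtime`. The link test at 1439-1447 is fine as written since it defines the `deny_severity`/`allow_severity` symbols libwrap expects from the caller.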
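--- a/sshd.8
+++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,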
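--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -2061,6 +2068,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+allow_severity = options.log_facility|LOG_INFO;
+deny_severity = options.log_facility|LOG_WARNING;
+/* Check whether logins are denied from this host. */
+if (packet_connection_is_on_socket()) {
+struct request_info req;
+
+request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+fromhost(&req);
+
+if (!hosts_access(&req)) {
+debug("Connection refused by tcp wrapper");
+refuse(&req);
+/* NOTREACHED */
+fatal("libwrap refuse returns");
+}
+}
+#endif /* LIBWRAP */
 
 /* Log the connection. */
 verbose("Connection from %s port %d on %s port %d",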
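Review bot: `fromhost()` and `hosts_access()` on new lines 2079-2081 run in the per-connection child while it still holds sshd's full privileges, before any privilege separation, so libwrap's reverse-DNS (and, depending on its build options, ident) lookups are driven by remote-controlled input as root, and any `spawn`/`twist` directive an administrator places in /etc/hosts.allow is executed as root at this point too. This exposure is generally cited as the reason upstream dropped libwrap, so the trade-off deserves a comment where the check is made, e.g. `/* NOTE: runs as root before privsep; hosts.allow spawn/twist execute as root */`. Separately, `options.log_facility` at 2072-2073 looks like sshd's own SyslogFacility enum rather than a syslog LOG_* facility code (confirm against log.h); if so, ORing it with LOG_INFO/LOG_WARNING hands libwrap a meaningless priority and the assignments should use a mapped facility or plain `LOG_INFO`/`LOG_WARNING`. The `fatal()` after `refuse()` at 2085 is a reasonable guard since `refuse()` is expected to exit but that is not enforced by its signature. The enclosing `main()` starts and ends outside this hunk.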