3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 2869f7042..ce16e7758 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1518,6 +1518,62 @@ else
        AC_MSG_RESULT([no])
 fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5269,6 +5325,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index fb133c14b..57a7fd66b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 98680721b..46870d3b5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2057,6 +2064,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);

diff --git a/configure.ac b/configure.ac index 2869f7042..ce16e7758 100644 --- a/configure.ac +++ b/configure.ac
@@ -1518,6 +1518,62 @@ else
1518	AC_MSG_RESULT([no])	1518	AC_MSG_RESULT([no])
1519	fi	1519	fi
1520		1520
		1521	# Check whether user wants TCP wrappers support
		1522	TCPW_MSG="no"
		1523	AC_ARG_WITH([tcp-wrappers],
		1524	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1525	[
		1526	if test "x$withval" != "xno" ; then
		1527	saved_LIBS="$LIBS"
		1528	saved_LDFLAGS="$LDFLAGS"
		1529	saved_CPPFLAGS="$CPPFLAGS"
		1530	if test -n "${withval}" && \
		1531	test "x${withval}" != "xyes"; then
		1532	if test -d "${withval}/lib"; then
		1533	if test -n "${need_dash_r}"; then
		1534	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1535	else
		1536	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1537	fi
		1538	else
		1539	if test -n "${need_dash_r}"; then
		1540	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1541	else
		1542	LDFLAGS="-L${withval} ${LDFLAGS}"
		1543	fi
		1544	fi
		1545	if test -d "${withval}/include"; then
		1546	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1547	else
		1548	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1549	fi
		1550	fi
		1551	LIBS="-lwrap $LIBS"
		1552	AC_MSG_CHECKING([for libwrap])
		1553	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1554	#include <sys/types.h>
		1555	#include <sys/socket.h>
		1556	#include <netinet/in.h>
		1557	#include <tcpd.h>
		1558	int deny_severity = 0, allow_severity = 0;
		1559	]], [[
		1560	hosts_access(0);
		1561	]])], [
		1562	AC_MSG_RESULT([yes])
		1563	AC_DEFINE([LIBWRAP], [1],
		1564	[Define if you want
		1565	TCP Wrappers support])
		1566	SSHDLIBS="$SSHDLIBS -lwrap"
		1567	TCPW_MSG="yes"
		1568	], [
		1569	AC_MSG_ERROR([*** libwrap missing])
		1570
		1571	])
		1572	LIBS="$saved_LIBS"
		1573	fi
		1574	]
		1575	)
		1576
1521	# Check whether user wants to use ldns	1577	# Check whether user wants to use ldns
1522	LDNS_MSG="no"	1578	LDNS_MSG="no"
1523	AC_ARG_WITH(ldns,	1579	AC_ARG_WITH(ldns,
@@ -5269,6 +5325,7 @@ echo " PAM support: $PAM_MSG"
5269	echo " OSF SIA support: $SIA_MSG"	5325	echo " OSF SIA support: $SIA_MSG"
5270	echo " KerberosV support: $KRB5_MSG"	5326	echo " KerberosV support: $KRB5_MSG"
5271	echo " SELinux support: $SELINUX_MSG"	5327	echo " SELinux support: $SELINUX_MSG"
		5328	echo " TCP Wrappers support: $TCPW_MSG"
5272	echo " MD5 password support: $MD5_MSG"	5329	echo " MD5 password support: $MD5_MSG"
5273	echo " libedit support: $LIBEDIT_MSG"	5330	echo " libedit support: $LIBEDIT_MSG"
5274	echo " libldns support: $LDNS_MSG"	5331	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index fb133c14b..57a7fd66b 100644 --- a/sshd.8 +++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
873	This file should be writable only by the user, and need not be	873	This file should be writable only by the user, and need not be
874	readable by anyone else.	874	readable by anyone else.
875	.Pp	875	.Pp
		876	.It Pa /etc/hosts.allow
		877	.It Pa /etc/hosts.deny
		878	Access controls that should be enforced by tcp-wrappers are defined here.
		879	Further details are described in
		880	.Xr hosts_access 5 .
		881	.Pp
876	.It Pa /etc/hosts.equiv	882	.It Pa /etc/hosts.equiv
877	This file is for host-based authentication (see	883	This file is for host-based authentication (see
878	.Xr ssh 1 ) .	884	.Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
975	.Xr ssh-keygen 1 ,	981	.Xr ssh-keygen 1 ,
976	.Xr ssh-keyscan 1 ,	982	.Xr ssh-keyscan 1 ,
977	.Xr chroot 2 ,	983	.Xr chroot 2 ,
		984	.Xr hosts_access 5 ,
978	.Xr login.conf 5 ,	985	.Xr login.conf 5 ,
979	.Xr moduli 5 ,	986	.Xr moduli 5 ,
980	.Xr sshd_config 5 ,	987	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 98680721b..46870d3b5 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2057,6 +2064,24 @@ main(int ac, char **av)
2057	#ifdef SSH_AUDIT_EVENTS	2064	#ifdef SSH_AUDIT_EVENTS
2058	audit_connection_from(remote_ip, remote_port);	2065	audit_connection_from(remote_ip, remote_port);
2059	#endif	2066	#endif
		2067	#ifdef LIBWRAP
		2068	allow_severity = options.log_facility\|LOG_INFO;
		2069	deny_severity = options.log_facility\|LOG_WARNING;
		2070	/* Check whether logins are denied from this host. */
		2071	if (ssh_packet_connection_is_on_socket(ssh)) {
		2072	struct request_info req;
		2073
		2074	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2075	fromhost(&req);
		2076
		2077	if (!hosts_access(&req)) {
		2078	debug("Connection refused by tcp wrapper");
		2079	refuse(&req);
		2080	/* NOTREACHED */
		2081	fatal("libwrap refuse returns");
		2082	}
		2083	}
		2084	#endif /* LIBWRAP */
2060		2085
2061	rdomain = ssh_packet_rdomain_in(ssh);	2086	rdomain = ssh_packet_rdomain_in(ssh);
2062		2087