-rw-r--r-- | configure.ac | 57 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd.c | 25 |
3 files changed, 89 insertions, 0 deletions
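--- a/configure.ac
+++ b/configure.ac
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
 ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+[
+if test "x$withval" != "xno" ; then
+saved_LIBS="$LIBS"
+saved_LDFLAGS="$LDFLAGS"
+saved_CPPFLAGS="$CPPFLAGS"
+if test -n "${withval}" && \
+test "x${withval}" != "xyes"; then
+if test -d "${withval}/lib"; then
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+else
+LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+fi
+else
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+else
+LDFLAGS="-L${withval} ${LDFLAGS}"
+fi
+fi
+if test -d "${withval}/include"; then
+CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+else
+CPPFLAGS="-I${withval} ${CPPFLAGS}"
+fi
+fi
+LIBS="-lwrap $LIBS"
+AC_MSG_CHECKING([for libwrap])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+]], [[
+hosts_access(0);
+]])], [
+AC_MSG_RESULT([yes])
+AC_DEFINE([LIBWRAP], [1],
+[Define if you want
+TCP Wrappers support])
+SSHDLIBS="$SSHDLIBS -lwrap"
+TCPW_MSG="yes"
+], [
+AC_MSG_ERROR([*** libwrap missing])
+
+])
+LIBS="$saved_LIBS"
+fi
+]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4953,6 +5009,7 @@ echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"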
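Review bot: `saved_LDFLAGS="$LDFLAGS"` and `saved_CPPFLAGS="$CPPFLAGS"` at the top of the new tcp-wrappers block are captured but never restored, unlike `LIBS`, so the `-L`/`-R`/`-I` flags built from a user-supplied `--with-tcp-wrappers=PATH` remain in LDFLAGS and CPPFLAGS for every later configure probe and for the final link of every binary, not only sshd. If that is intended because SSHDLIBS cannot carry search paths, drop the two dead assignments and say so in a comment; otherwise restore them beside `LIBS="$saved_LIBS"` after the link test. The `-R` variant (taken when `need_dash_r` is set) also appears to bake PATH into the runtime library search path of the built binaries, which deserves a sentence in the option help text so builders do not point it at a directory they do not control.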
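--- a/sshd.8
+++ b/sshd.8
@@ -850,6 +850,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -953,6 +959,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,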
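--- a/sshd.c
+++ b/sshd.c
@@ -130,6 +130,13 @@
 #include <Security/AuthSession.h>
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -2145,6 +2152,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+allow_severity = options.log_facility|LOG_INFO;
+deny_severity = options.log_facility|LOG_WARNING;
+/* Check whether logins are denied from this host. */
+if (packet_connection_is_on_socket()) {
+struct request_info req;
+
+request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+fromhost(&req);
+
+if (!hosts_access(&req)) {
+debug("Connection refused by tcp wrapper");
+refuse(&req);
+/* NOTREACHED */
+fatal("libwrap refuse returns");
+}
+}
+#endif /* LIBWRAP */
 
 /* Log the connection. */
 laddr = get_local_ipaddr(sock_in);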