-rw-r--r-- | configure.ac | 57 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd.c | 25 |
3 files changed, 89 insertions, 0 deletions
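--- a/configure.ac
+++ b/configure.ac
@@ -1517,6 +1517,62 @@ else
 AC_MSG_RESULT([no])
 fi
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+[
+if test "x$withval" != "xno" ; then
+saved_LIBS="$LIBS"
+saved_LDFLAGS="$LDFLAGS"
+saved_CPPFLAGS="$CPPFLAGS"
+if test -n "${withval}" && \
+test "x${withval}" != "xyes"; then
+if test -d "${withval}/lib"; then
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+else
+LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+fi
+else
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+else
+LDFLAGS="-L${withval} ${LDFLAGS}"
+fi
+fi
+if test -d "${withval}/include"; then
+CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+else
+CPPFLAGS="-I${withval} ${CPPFLAGS}"
+fi
+fi
+LIBS="-lwrap $LIBS"
+AC_MSG_CHECKING([for libwrap])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+]], [[
+hosts_access(0);
+]])], [
+AC_MSG_RESULT([yes])
+AC_DEFINE([LIBWRAP], [1],
+[Define if you want
+TCP Wrappers support])
+SSHDLIBS="$SSHDLIBS -lwrap"
+TCPW_MSG="yes"
+], [
+AC_MSG_ERROR([*** libwrap missing])
+
+])
+LIBS="$saved_LIBS"
+fi
+]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5329,6 +5385,7 @@ echo " PAM support: $PAM_MSG"
 echo " OSF SIA support: $SIA_MSG"
 echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " libldns support: $LDNS_MSG"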
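Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured at the top of the `--with-tcp-wrappers` branch but never read again; only `LIBS="$saved_LIBS"` is restored after the libwrap link probe, so the `-L`/`-R`/`-I` additions stay in effect for every later configure test. If that is deliberate (the sshd build still needs `<tcpd.h>` and the library path even though `-lwrap` goes into `SSHDLIBS`), drop the two dead assignments and say so in a comment, e.g. `# LDFLAGS/CPPFLAGS are intentionally left extended so sshd.c can find tcpd.h and libwrap`; otherwise restore them next to `LIBS="$saved_LIBS"`. Either way the intent should be visible, since a stray search path can make unrelated probes resolve against the wrappers install prefix.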
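--- a/sshd.8
+++ b/sshd.8
@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,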
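--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2099,6 +2106,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+allow_severity = options.log_facility|LOG_INFO;
+deny_severity = options.log_facility|LOG_WARNING;
+/* Check whether logins are denied from this host. */
+if (packet_connection_is_on_socket()) {
+struct request_info req;
+
+request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+fromhost(&req);
+
+if (!hosts_access(&req)) {
+debug("Connection refused by tcp wrapper");
+refuse(&req);
+/* NOTREACHED */
+fatal("libwrap refuse returns");
+}
+}
+#endif /* LIBWRAP */
 
 rdomain = ssh_packet_rdomain_in(ssh);
 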
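Review bot: `allow_severity = options.log_facility|LOG_INFO;` and the `deny_severity` line below it assume `options.log_facility` already holds a syslog `LOG_*` facility; if it instead carries sshd's internal `SyslogFacility` enumeration (small sequential values rather than the shifted `LOG_DAEMON`-style constants), the OR yields a wrong facility and libwrap's refusal records land in the wrong log, which directly weakens detection of denied connections. Convert the option through the same facility mapping `log_init()` applies before combining it with the priority, and fall back to `LOG_AUTH` if no mapping is available. `fromhost()` also does the peer name-resolution work for every accepted connection before any authentication, in whichever process runs this part of `main()` (not visible here), so a comment such as `/* Runs pre-authentication on every accepted connection; hosts_access() may block on name lookups and trusts libwrap's parsing of hosts.allow/hosts.deny. */` above the `if (packet_connection_is_on_socket())` line would make that cost and trust boundary explicit for the next reader. `main()` begins and ends outside this hunk.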