diff options
-rw-r--r-- | configure.ac | 57 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd.c | 25 |
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 82428b241..ebc10f51e 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1526,6 +1526,62 @@ else | |||
1526 | AC_MSG_RESULT([no]) | 1526 | AC_MSG_RESULT([no]) |
1527 | fi | 1527 | fi |
1528 | 1528 | ||
1529 | # Check whether user wants TCP wrappers support | ||
1530 | TCPW_MSG="no" | ||
1531 | AC_ARG_WITH([tcp-wrappers], | ||
1532 | [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | ||
1533 | [ | ||
1534 | if test "x$withval" != "xno" ; then | ||
1535 | saved_LIBS="$LIBS" | ||
1536 | saved_LDFLAGS="$LDFLAGS" | ||
1537 | saved_CPPFLAGS="$CPPFLAGS" | ||
1538 | if test -n "${withval}" && \ | ||
1539 | test "x${withval}" != "xyes"; then | ||
1540 | if test -d "${withval}/lib"; then | ||
1541 | if test -n "${need_dash_r}"; then | ||
1542 | LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | ||
1543 | else | ||
1544 | LDFLAGS="-L${withval}/lib ${LDFLAGS}" | ||
1545 | fi | ||
1546 | else | ||
1547 | if test -n "${need_dash_r}"; then | ||
1548 | LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" | ||
1549 | else | ||
1550 | LDFLAGS="-L${withval} ${LDFLAGS}" | ||
1551 | fi | ||
1552 | fi | ||
1553 | if test -d "${withval}/include"; then | ||
1554 | CPPFLAGS="-I${withval}/include ${CPPFLAGS}" | ||
1555 | else | ||
1556 | CPPFLAGS="-I${withval} ${CPPFLAGS}" | ||
1557 | fi | ||
1558 | fi | ||
1559 | LIBS="-lwrap $LIBS" | ||
1560 | AC_MSG_CHECKING([for libwrap]) | ||
1561 | AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
1562 | #include <sys/types.h> | ||
1563 | #include <sys/socket.h> | ||
1564 | #include <netinet/in.h> | ||
1565 | #include <tcpd.h> | ||
1566 | int deny_severity = 0, allow_severity = 0; | ||
1567 | ]], [[ | ||
1568 | hosts_access(0); | ||
1569 | ]])], [ | ||
1570 | AC_MSG_RESULT([yes]) | ||
1571 | AC_DEFINE([LIBWRAP], [1], | ||
1572 | [Define if you want | ||
1573 | TCP Wrappers support]) | ||
1574 | SSHDLIBS="$SSHDLIBS -lwrap" | ||
1575 | TCPW_MSG="yes" | ||
1576 | ], [ | ||
1577 | AC_MSG_ERROR([*** libwrap missing]) | ||
1578 | |||
1579 | ]) | ||
1580 | LIBS="$saved_LIBS" | ||
1581 | fi | ||
1582 | ] | ||
1583 | ) | ||
1584 | |||
1529 | # Check whether user wants to use ldns | 1585 | # Check whether user wants to use ldns |
1530 | LDNS_MSG="no" | 1586 | LDNS_MSG="no" |
1531 | AC_ARG_WITH(ldns, | 1587 | AC_ARG_WITH(ldns, |
@@ -5201,6 +5257,7 @@ echo " PAM support: $PAM_MSG" | |||
5201 | echo " OSF SIA support: $SIA_MSG" | 5257 | echo " OSF SIA support: $SIA_MSG" |
5202 | echo " KerberosV support: $KRB5_MSG" | 5258 | echo " KerberosV support: $KRB5_MSG" |
5203 | echo " SELinux support: $SELINUX_MSG" | 5259 | echo " SELinux support: $SELINUX_MSG" |
5260 | echo " TCP Wrappers support: $TCPW_MSG" | ||
5204 | echo " MD5 password support: $MD5_MSG" | 5261 | echo " MD5 password support: $MD5_MSG" |
5205 | echo " libedit support: $LIBEDIT_MSG" | 5262 | echo " libedit support: $LIBEDIT_MSG" |
5206 | echo " libldns support: $LDNS_MSG" | 5263 | echo " libldns support: $LDNS_MSG" |
@@ -873,6 +873,12 @@ the user's home directory becomes accessible. | |||
873 | This file should be writable only by the user, and need not be | 873 | This file should be writable only by the user, and need not be |
874 | readable by anyone else. | 874 | readable by anyone else. |
875 | .Pp | 875 | .Pp |
876 | .It Pa /etc/hosts.allow | ||
877 | .It Pa /etc/hosts.deny | ||
878 | Access controls that should be enforced by tcp-wrappers are defined here. | ||
879 | Further details are described in | ||
880 | .Xr hosts_access 5 . | ||
881 | .Pp | ||
876 | .It Pa /etc/hosts.equiv | 882 | .It Pa /etc/hosts.equiv |
877 | This file is for host-based authentication (see | 883 | This file is for host-based authentication (see |
878 | .Xr ssh 1 ) . | 884 | .Xr ssh 1 ) . |
@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable. | |||
975 | .Xr ssh-keygen 1 , | 981 | .Xr ssh-keygen 1 , |
976 | .Xr ssh-keyscan 1 , | 982 | .Xr ssh-keyscan 1 , |
977 | .Xr chroot 2 , | 983 | .Xr chroot 2 , |
984 | .Xr hosts_access 5 , | ||
978 | .Xr login.conf 5 , | 985 | .Xr login.conf 5 , |
979 | .Xr moduli 5 , | 986 | .Xr moduli 5 , |
980 | .Xr sshd_config 5 , | 987 | .Xr sshd_config 5 , |
@@ -127,6 +127,13 @@ | |||
127 | #include <Security/AuthSession.h> | 127 | #include <Security/AuthSession.h> |
128 | #endif | 128 | #endif |
129 | 129 | ||
130 | #ifdef LIBWRAP | ||
131 | #include <tcpd.h> | ||
132 | #include <syslog.h> | ||
133 | int allow_severity; | ||
134 | int deny_severity; | ||
135 | #endif /* LIBWRAP */ | ||
136 | |||
130 | /* Re-exec fds */ | 137 | /* Re-exec fds */ |
131 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 138 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
132 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 139 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
@@ -2100,6 +2107,24 @@ main(int ac, char **av) | |||
2100 | #ifdef SSH_AUDIT_EVENTS | 2107 | #ifdef SSH_AUDIT_EVENTS |
2101 | audit_connection_from(remote_ip, remote_port); | 2108 | audit_connection_from(remote_ip, remote_port); |
2102 | #endif | 2109 | #endif |
2110 | #ifdef LIBWRAP | ||
2111 | allow_severity = options.log_facility|LOG_INFO; | ||
2112 | deny_severity = options.log_facility|LOG_WARNING; | ||
2113 | /* Check whether logins are denied from this host. */ | ||
2114 | if (packet_connection_is_on_socket()) { | ||
2115 | struct request_info req; | ||
2116 | |||
2117 | request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | ||
2118 | fromhost(&req); | ||
2119 | |||
2120 | if (!hosts_access(&req)) { | ||
2121 | debug("Connection refused by tcp wrapper"); | ||
2122 | refuse(&req); | ||
2123 | /* NOTREACHED */ | ||
2124 | fatal("libwrap refuse returns"); | ||
2125 | } | ||
2126 | } | ||
2127 | #endif /* LIBWRAP */ | ||
2103 | 2128 | ||
2104 | rdomain = ssh_packet_rdomain_in(ssh); | 2129 | rdomain = ssh_packet_rdomain_in(ssh); |
2105 | 2130 | ||