summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index efafb6bd8..cee7cbc51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1556,6 +1556,62 @@ else
1556 AC_MSG_RESULT([no]) 1556 AC_MSG_RESULT([no])
1557fi 1557fi
1558 1558
1559# Check whether user wants TCP wrappers support
1560TCPW_MSG="no"
1561AC_ARG_WITH([tcp-wrappers],
1562 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1563 [
1564 if test "x$withval" != "xno" ; then
1565 saved_LIBS="$LIBS"
1566 saved_LDFLAGS="$LDFLAGS"
1567 saved_CPPFLAGS="$CPPFLAGS"
1568 if test -n "${withval}" && \
1569 test "x${withval}" != "xyes"; then
1570 if test -d "${withval}/lib"; then
1571 if test -n "${need_dash_r}"; then
1572 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1573 else
1574 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1575 fi
1576 else
1577 if test -n "${need_dash_r}"; then
1578 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1579 else
1580 LDFLAGS="-L${withval} ${LDFLAGS}"
1581 fi
1582 fi
1583 if test -d "${withval}/include"; then
1584 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1585 else
1586 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1587 fi
1588 fi
1589 LIBS="-lwrap $LIBS"
1590 AC_MSG_CHECKING([for libwrap])
1591 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1592#include <sys/types.h>
1593#include <sys/socket.h>
1594#include <netinet/in.h>
1595#include <tcpd.h>
1596int deny_severity = 0, allow_severity = 0;
1597 ]], [[
1598 hosts_access(0);
1599 ]])], [
1600 AC_MSG_RESULT([yes])
1601 AC_DEFINE([LIBWRAP], [1],
1602 [Define if you want
1603 TCP Wrappers support])
1604 SSHDLIBS="$SSHDLIBS -lwrap"
1605 TCPW_MSG="yes"
1606 ], [
1607 AC_MSG_ERROR([*** libwrap missing])
1608
1609 ])
1610 LIBS="$saved_LIBS"
1611 fi
1612 ]
1613)
1614
1559# Check whether user wants to use ldns 1615# Check whether user wants to use ldns
1560LDNS_MSG="no" 1616LDNS_MSG="no"
1561AC_ARG_WITH(ldns, 1617AC_ARG_WITH(ldns,
@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG"
5413echo " OSF SIA support: $SIA_MSG" 5469echo " OSF SIA support: $SIA_MSG"
5414echo " KerberosV support: $KRB5_MSG" 5470echo " KerberosV support: $KRB5_MSG"
5415echo " SELinux support: $SELINUX_MSG" 5471echo " SELinux support: $SELINUX_MSG"
5472echo " TCP Wrappers support: $TCPW_MSG"
5416echo " MD5 password support: $MD5_MSG" 5473echo " MD5 password support: $MD5_MSG"
5417echo " libedit support: $LIBEDIT_MSG" 5474echo " libedit support: $LIBEDIT_MSG"
5418echo " libldns support: $LDNS_MSG" 5475echo " libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index c5f8987d2..730520231 100644
--- a/sshd.8
+++ b/sshd.8
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
893This file should be writable only by the user, and need not be 893This file should be writable only by the user, and need not be
894readable by anyone else. 894readable by anyone else.
895.Pp 895.Pp
896.It Pa /etc/hosts.allow
897.It Pa /etc/hosts.deny
898Access controls that should be enforced by tcp-wrappers are defined here.
899Further details are described in
900.Xr hosts_access 5 .
901.Pp
896.It Pa /etc/hosts.equiv 902.It Pa /etc/hosts.equiv
897This file is for host-based authentication (see 903This file is for host-based authentication (see
898.Xr ssh 1 ) . 904.Xr ssh 1 ) .
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
995.Xr ssh-keygen 1 , 1001.Xr ssh-keygen 1 ,
996.Xr ssh-keyscan 1 , 1002.Xr ssh-keyscan 1 ,
997.Xr chroot 2 , 1003.Xr chroot 2 ,
1004.Xr hosts_access 5 ,
998.Xr login.conf 5 , 1005.Xr login.conf 5 ,
999.Xr moduli 5 , 1006.Xr moduli 5 ,
1000.Xr sshd_config 5 , 1007.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index d92f03aaf..62dc55cf2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
124#include "ssherr.h" 124#include "ssherr.h"
125#include "sk-api.h" 125#include "sk-api.h"
126 126
127#ifdef LIBWRAP
128#include <tcpd.h>
129#include <syslog.h>
130int allow_severity;
131int deny_severity;
132#endif /* LIBWRAP */
133
127/* Re-exec fds */ 134/* Re-exec fds */
128#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 135#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
129#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 136#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
2138#ifdef SSH_AUDIT_EVENTS 2145#ifdef SSH_AUDIT_EVENTS
2139 audit_connection_from(remote_ip, remote_port); 2146 audit_connection_from(remote_ip, remote_port);
2140#endif 2147#endif
2148#ifdef LIBWRAP
2149 allow_severity = options.log_facility|LOG_INFO;
2150 deny_severity = options.log_facility|LOG_WARNING;
2151 /* Check whether logins are denied from this host. */
2152 if (ssh_packet_connection_is_on_socket(ssh)) {
2153 struct request_info req;
2154
2155 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2156 fromhost(&req);
2157
2158 if (!hosts_access(&req)) {
2159 debug("Connection refused by tcp wrapper");
2160 refuse(&req);
2161 /* NOTREACHED */
2162 fatal("libwrap refuse returns");
2163 }
2164 }
2165#endif /* LIBWRAP */
2141 2166
2142 rdomain = ssh_packet_rdomain_in(ssh); 2167 rdomain = ssh_packet_rdomain_in(ssh);
2143 2168