summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 1cd5eab6c..3e23e60d6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey],
1566 ] 1566 ]
1567) 1567)
1568 1568
1569# Check whether user wants TCP wrappers support
1570TCPW_MSG="no"
1571AC_ARG_WITH([tcp-wrappers],
1572 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1573 [
1574 if test "x$withval" != "xno" ; then
1575 saved_LIBS="$LIBS"
1576 saved_LDFLAGS="$LDFLAGS"
1577 saved_CPPFLAGS="$CPPFLAGS"
1578 if test -n "${withval}" && \
1579 test "x${withval}" != "xyes"; then
1580 if test -d "${withval}/lib"; then
1581 if test -n "${need_dash_r}"; then
1582 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1583 else
1584 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1585 fi
1586 else
1587 if test -n "${need_dash_r}"; then
1588 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1589 else
1590 LDFLAGS="-L${withval} ${LDFLAGS}"
1591 fi
1592 fi
1593 if test -d "${withval}/include"; then
1594 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1595 else
1596 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1597 fi
1598 fi
1599 LIBS="-lwrap $LIBS"
1600 AC_MSG_CHECKING([for libwrap])
1601 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1602#include <sys/types.h>
1603#include <sys/socket.h>
1604#include <netinet/in.h>
1605#include <tcpd.h>
1606int deny_severity = 0, allow_severity = 0;
1607 ]], [[
1608 hosts_access(0);
1609 ]])], [
1610 AC_MSG_RESULT([yes])
1611 AC_DEFINE([LIBWRAP], [1],
1612 [Define if you want
1613 TCP Wrappers support])
1614 SSHDLIBS="$SSHDLIBS -lwrap"
1615 TCPW_MSG="yes"
1616 ], [
1617 AC_MSG_ERROR([*** libwrap missing])
1618
1619 ])
1620 LIBS="$saved_LIBS"
1621 fi
1622 ]
1623)
1624
1569# Check whether user wants to use ldns 1625# Check whether user wants to use ldns
1570LDNS_MSG="no" 1626LDNS_MSG="no"
1571AC_ARG_WITH(ldns, 1627AC_ARG_WITH(ldns,
@@ -5240,6 +5296,7 @@ echo " OSF SIA support: $SIA_MSG"
5240echo " KerberosV support: $KRB5_MSG" 5296echo " KerberosV support: $KRB5_MSG"
5241echo " SELinux support: $SELINUX_MSG" 5297echo " SELinux support: $SELINUX_MSG"
5242echo " S/KEY support: $SKEY_MSG" 5298echo " S/KEY support: $SKEY_MSG"
5299echo " TCP Wrappers support: $TCPW_MSG"
5243echo " MD5 password support: $MD5_MSG" 5300echo " MD5 password support: $MD5_MSG"
5244echo " libedit support: $LIBEDIT_MSG" 5301echo " libedit support: $LIBEDIT_MSG"
5245echo " libldns support: $LDNS_MSG" 5302echo " libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index 968ba66bb..c8299d5e5 100644
--- a/sshd.8
+++ b/sshd.8
@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
845This file should be writable only by the user, and need not be 845This file should be writable only by the user, and need not be
846readable by anyone else. 846readable by anyone else.
847.Pp 847.Pp
848.It Pa /etc/hosts.allow
849.It Pa /etc/hosts.deny
850Access controls that should be enforced by tcp-wrappers are defined here.
851Further details are described in
852.Xr hosts_access 5 .
853.Pp
848.It Pa /etc/hosts.equiv 854.It Pa /etc/hosts.equiv
849This file is for host-based authentication (see 855This file is for host-based authentication (see
850.Xr ssh 1 ) . 856.Xr ssh 1 ) .
@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable.
947.Xr ssh-keygen 1 , 953.Xr ssh-keygen 1 ,
948.Xr ssh-keyscan 1 , 954.Xr ssh-keyscan 1 ,
949.Xr chroot 2 , 955.Xr chroot 2 ,
956.Xr hosts_access 5 ,
950.Xr login.conf 5 , 957.Xr login.conf 5 ,
951.Xr moduli 5 , 958.Xr moduli 5 ,
952.Xr sshd_config 5 , 959.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index e88185efa..4ed0364f2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
127#include <Security/AuthSession.h> 127#include <Security/AuthSession.h>
128#endif 128#endif
129 129
130#ifdef LIBWRAP
131#include <tcpd.h>
132#include <syslog.h>
133int allow_severity;
134int deny_severity;
135#endif /* LIBWRAP */
136
130/* Re-exec fds */ 137/* Re-exec fds */
131#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 138#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 139#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2042,6 +2049,24 @@ main(int ac, char **av)
2042#ifdef SSH_AUDIT_EVENTS 2049#ifdef SSH_AUDIT_EVENTS
2043 audit_connection_from(remote_ip, remote_port); 2050 audit_connection_from(remote_ip, remote_port);
2044#endif 2051#endif
2052#ifdef LIBWRAP
2053 allow_severity = options.log_facility|LOG_INFO;
2054 deny_severity = options.log_facility|LOG_WARNING;
2055 /* Check whether logins are denied from this host. */
2056 if (packet_connection_is_on_socket()) {
2057 struct request_info req;
2058
2059 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2060 fromhost(&req);
2061
2062 if (!hosts_access(&req)) {
2063 debug("Connection refused by tcp wrapper");
2064 refuse(&req);
2065 /* NOTREACHED */
2066 fatal("libwrap refuse returns");
2067 }
2068 }
2069#endif /* LIBWRAP */
2045 2070
2046 rdomain = ssh_packet_rdomain_in(ssh); 2071 rdomain = ssh_packet_rdomain_in(ssh);
2047 2072