-rw-r--r-- | configure.ac | 57 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd.c | 25 |
3 files changed, 89 insertions, 0 deletions
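diff --git a/configure.ac b/configure.ac
index 216a9fdab..5f606ea12 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
 ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+[
+if test "x$withval" != "xno" ; then
+saved_LIBS="$LIBS"
+saved_LDFLAGS="$LDFLAGS"
+saved_CPPFLAGS="$CPPFLAGS"
+if test -n "${withval}" && \
+test "x${withval}" != "xyes"; then
+if test -d "${withval}/lib"; then
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+else
+LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+fi
+else
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+else
+LDFLAGS="-L${withval} ${LDFLAGS}"
+fi
+fi
+if test -d "${withval}/include"; then
+CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+else
+CPPFLAGS="-I${withval} ${CPPFLAGS}"
+fi
+fi
+LIBS="-lwrap $LIBS"
+AC_MSG_CHECKING([for libwrap])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+]], [[
+hosts_access(0);
+]])], [
+AC_MSG_RESULT([yes])
+AC_DEFINE([LIBWRAP], [1],
+[Define if you want
+TCP Wrappers support])
+SSHDLIBS="$SSHDLIBS -lwrap"
+TCPW_MSG="yes"
+], [
+AC_MSG_ERROR([*** libwrap missing])
+
+])
+LIBS="$saved_LIBS"
+fi
+]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4920,6 +4976,7 @@ echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"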
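Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured at the top of the --with-tcp-wrappers block but never read again: only `LIBS="$saved_LIBS"` is restored after the link test, so the `-L`/`-R`/`-I` additions remain in LDFLAGS and CPPFLAGS for every later configure check. If that is intended because the final Makefile needs them, the two dead assignments should go; if not, restore them beside LIBS so the probe is self-contained like the other optional-library checks. The failure branch also jumps straight from `AC_MSG_CHECKING([for libwrap])` to `AC_MSG_ERROR` with no `AC_MSG_RESULT([no])`, and carries a stray blank line before its closing `])`.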
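--- a/sshd.8
+++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,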
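--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -2133,6 +2140,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+allow_severity = options.log_facility|LOG_INFO;
+deny_severity = options.log_facility|LOG_WARNING;
+/* Check whether logins are denied from this host. */
+if (packet_connection_is_on_socket()) {
+struct request_info req;
+
+request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+fromhost(&req);
+
+if (!hosts_access(&req)) {
+debug("Connection refused by tcp wrapper");
+refuse(&req);
+/* NOTREACHED */
+fatal("libwrap refuse returns");
+}
+}
+#endif /* LIBWRAP */
 
 /* Log the connection. */
 verbose("Connection from %s port %d on %s port %d",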
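Review bot: `allow_severity = options.log_facility|LOG_INFO;` and the `deny_severity` line below it OR sshd's configured log-facility value into a syslog(3) priority, but if servconf.h still declares `log_facility` as OpenSSH's internal `SyslogFacility` enum rather than a `LOG_*` facility code, the priority libwrap hands to syslog when `refuse()` fires carries an unrelated small integer as its facility, so the deny record can land in a different syslog stream than sshd's own messages and be missed by whoever collects the sshd facility. Mapping the enum through the same conversion log.c performs for its own syslog output, or passing a real `LOG_*` facility here, would keep libwrap's allow/deny records alongside sshd's. Separately, sshd's own trace of a refusal is only `debug("Connection refused by tcp wrapper");`, so at the default LogLevel the daemon records nothing and the refusal is visible only through libwrap's message; `verbose("Connection refused by tcp wrapper from %s port %d", remote_ip, remote_port);` would match the connection-logging line that follows the block. main() begins and ends outside this hunk.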