diff options
-rw-r--r-- | configure.ac | 57 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd.c | 25 |
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index ead34acf5..a92425dbc 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1494,6 +1494,62 @@ AC_ARG_WITH([skey], | |||
1494 | ] | 1494 | ] |
1495 | ) | 1495 | ) |
1496 | 1496 | ||
1497 | # Check whether user wants TCP wrappers support | ||
1498 | TCPW_MSG="no" | ||
1499 | AC_ARG_WITH([tcp-wrappers], | ||
1500 | [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | ||
1501 | [ | ||
1502 | if test "x$withval" != "xno" ; then | ||
1503 | saved_LIBS="$LIBS" | ||
1504 | saved_LDFLAGS="$LDFLAGS" | ||
1505 | saved_CPPFLAGS="$CPPFLAGS" | ||
1506 | if test -n "${withval}" && \ | ||
1507 | test "x${withval}" != "xyes"; then | ||
1508 | if test -d "${withval}/lib"; then | ||
1509 | if test -n "${need_dash_r}"; then | ||
1510 | LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | ||
1511 | else | ||
1512 | LDFLAGS="-L${withval}/lib ${LDFLAGS}" | ||
1513 | fi | ||
1514 | else | ||
1515 | if test -n "${need_dash_r}"; then | ||
1516 | LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" | ||
1517 | else | ||
1518 | LDFLAGS="-L${withval} ${LDFLAGS}" | ||
1519 | fi | ||
1520 | fi | ||
1521 | if test -d "${withval}/include"; then | ||
1522 | CPPFLAGS="-I${withval}/include ${CPPFLAGS}" | ||
1523 | else | ||
1524 | CPPFLAGS="-I${withval} ${CPPFLAGS}" | ||
1525 | fi | ||
1526 | fi | ||
1527 | LIBS="-lwrap $LIBS" | ||
1528 | AC_MSG_CHECKING([for libwrap]) | ||
1529 | AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
1530 | #include <sys/types.h> | ||
1531 | #include <sys/socket.h> | ||
1532 | #include <netinet/in.h> | ||
1533 | #include <tcpd.h> | ||
1534 | int deny_severity = 0, allow_severity = 0; | ||
1535 | ]], [[ | ||
1536 | hosts_access(0); | ||
1537 | ]])], [ | ||
1538 | AC_MSG_RESULT([yes]) | ||
1539 | AC_DEFINE([LIBWRAP], [1], | ||
1540 | [Define if you want | ||
1541 | TCP Wrappers support]) | ||
1542 | SSHDLIBS="$SSHDLIBS -lwrap" | ||
1543 | TCPW_MSG="yes" | ||
1544 | ], [ | ||
1545 | AC_MSG_ERROR([*** libwrap missing]) | ||
1546 | |||
1547 | ]) | ||
1548 | LIBS="$saved_LIBS" | ||
1549 | fi | ||
1550 | ] | ||
1551 | ) | ||
1552 | |||
1497 | # Check whether user wants to use ldns | 1553 | # Check whether user wants to use ldns |
1498 | LDNS_MSG="no" | 1554 | LDNS_MSG="no" |
1499 | AC_ARG_WITH(ldns, | 1555 | AC_ARG_WITH(ldns, |
@@ -5117,6 +5173,7 @@ echo " KerberosV support: $KRB5_MSG" | |||
5117 | echo " SELinux support: $SELINUX_MSG" | 5173 | echo " SELinux support: $SELINUX_MSG" |
5118 | echo " Smartcard support: $SCARD_MSG" | 5174 | echo " Smartcard support: $SCARD_MSG" |
5119 | echo " S/KEY support: $SKEY_MSG" | 5175 | echo " S/KEY support: $SKEY_MSG" |
5176 | echo " TCP Wrappers support: $TCPW_MSG" | ||
5120 | echo " MD5 password support: $MD5_MSG" | 5177 | echo " MD5 password support: $MD5_MSG" |
5121 | echo " libedit support: $LIBEDIT_MSG" | 5178 | echo " libedit support: $LIBEDIT_MSG" |
5122 | echo " libldns support: $LDNS_MSG" | 5179 | echo " libldns support: $LDNS_MSG" |
@@ -825,6 +825,12 @@ the user's home directory becomes accessible. | |||
825 | This file should be writable only by the user, and need not be | 825 | This file should be writable only by the user, and need not be |
826 | readable by anyone else. | 826 | readable by anyone else. |
827 | .Pp | 827 | .Pp |
828 | .It Pa /etc/hosts.allow | ||
829 | .It Pa /etc/hosts.deny | ||
830 | Access controls that should be enforced by tcp-wrappers are defined here. | ||
831 | Further details are described in | ||
832 | .Xr hosts_access 5 . | ||
833 | .Pp | ||
828 | .It Pa /etc/hosts.equiv | 834 | .It Pa /etc/hosts.equiv |
829 | This file is for host-based authentication (see | 835 | This file is for host-based authentication (see |
830 | .Xr ssh 1 ) . | 836 | .Xr ssh 1 ) . |
@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable. | |||
929 | .Xr ssh-keygen 1 , | 935 | .Xr ssh-keygen 1 , |
930 | .Xr ssh-keyscan 1 , | 936 | .Xr ssh-keyscan 1 , |
931 | .Xr chroot 2 , | 937 | .Xr chroot 2 , |
938 | .Xr hosts_access 5 , | ||
932 | .Xr login.conf 5 , | 939 | .Xr login.conf 5 , |
933 | .Xr moduli 5 , | 940 | .Xr moduli 5 , |
934 | .Xr sshd_config 5 , | 941 | .Xr sshd_config 5 , |
@@ -127,6 +127,13 @@ | |||
127 | #include <Security/AuthSession.h> | 127 | #include <Security/AuthSession.h> |
128 | #endif | 128 | #endif |
129 | 129 | ||
130 | #ifdef LIBWRAP | ||
131 | #include <tcpd.h> | ||
132 | #include <syslog.h> | ||
133 | int allow_severity; | ||
134 | int deny_severity; | ||
135 | #endif /* LIBWRAP */ | ||
136 | |||
130 | /* Re-exec fds */ | 137 | /* Re-exec fds */ |
131 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 138 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
132 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 139 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
@@ -1992,6 +1999,24 @@ main(int ac, char **av) | |||
1992 | #ifdef SSH_AUDIT_EVENTS | 1999 | #ifdef SSH_AUDIT_EVENTS |
1993 | audit_connection_from(remote_ip, remote_port); | 2000 | audit_connection_from(remote_ip, remote_port); |
1994 | #endif | 2001 | #endif |
2002 | #ifdef LIBWRAP | ||
2003 | allow_severity = options.log_facility|LOG_INFO; | ||
2004 | deny_severity = options.log_facility|LOG_WARNING; | ||
2005 | /* Check whether logins are denied from this host. */ | ||
2006 | if (packet_connection_is_on_socket()) { | ||
2007 | struct request_info req; | ||
2008 | |||
2009 | request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | ||
2010 | fromhost(&req); | ||
2011 | |||
2012 | if (!hosts_access(&req)) { | ||
2013 | debug("Connection refused by tcp wrapper"); | ||
2014 | refuse(&req); | ||
2015 | /* NOTREACHED */ | ||
2016 | fatal("libwrap refuse returns"); | ||
2017 | } | ||
2018 | } | ||
2019 | #endif /* LIBWRAP */ | ||
1995 | 2020 | ||
1996 | /* Log the connection. */ | 2021 | /* Log the connection. */ |
1997 | laddr = get_local_ipaddr(sock_in); | 2022 | laddr = get_local_ipaddr(sock_in); |