3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index ead34acf5..a92425dbc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1494,6 +1494,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5117,6 +5173,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index 7725a692c..989dd4bf7 100644
--- a/sshd.8
+++ b/sshd.8
@@ -825,6 +825,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 20a7a5f33..38cf9b493 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -1992,6 +1999,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);

diff --git a/configure.ac b/configure.ac index ead34acf5..a92425dbc 100644 --- a/configure.ac +++ b/configure.ac
@@ -1494,6 +1494,62 @@ AC_ARG_WITH([skey],
1494	]	1494	]
1495	)	1495	)
1496		1496
		1497	# Check whether user wants TCP wrappers support
		1498	TCPW_MSG="no"
		1499	AC_ARG_WITH([tcp-wrappers],
		1500	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1501	[
		1502	if test "x$withval" != "xno" ; then
		1503	saved_LIBS="$LIBS"
		1504	saved_LDFLAGS="$LDFLAGS"
		1505	saved_CPPFLAGS="$CPPFLAGS"
		1506	if test -n "${withval}" && \
		1507	test "x${withval}" != "xyes"; then
		1508	if test -d "${withval}/lib"; then
		1509	if test -n "${need_dash_r}"; then
		1510	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1511	else
		1512	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1513	fi
		1514	else
		1515	if test -n "${need_dash_r}"; then
		1516	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1517	else
		1518	LDFLAGS="-L${withval} ${LDFLAGS}"
		1519	fi
		1520	fi
		1521	if test -d "${withval}/include"; then
		1522	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1523	else
		1524	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1525	fi
		1526	fi
		1527	LIBS="-lwrap $LIBS"
		1528	AC_MSG_CHECKING([for libwrap])
		1529	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1530	#include <sys/types.h>
		1531	#include <sys/socket.h>
		1532	#include <netinet/in.h>
		1533	#include <tcpd.h>
		1534	int deny_severity = 0, allow_severity = 0;
		1535	]], [[
		1536	hosts_access(0);
		1537	]])], [
		1538	AC_MSG_RESULT([yes])
		1539	AC_DEFINE([LIBWRAP], [1],
		1540	[Define if you want
		1541	TCP Wrappers support])
		1542	SSHDLIBS="$SSHDLIBS -lwrap"
		1543	TCPW_MSG="yes"
		1544	], [
		1545	AC_MSG_ERROR([*** libwrap missing])
		1546
		1547	])
		1548	LIBS="$saved_LIBS"
		1549	fi
		1550	]
		1551	)
		1552
1497	# Check whether user wants to use ldns	1553	# Check whether user wants to use ldns
1498	LDNS_MSG="no"	1554	LDNS_MSG="no"
1499	AC_ARG_WITH(ldns,	1555	AC_ARG_WITH(ldns,
@@ -5117,6 +5173,7 @@ echo " KerberosV support: $KRB5_MSG"
5117	echo " SELinux support: $SELINUX_MSG"	5173	echo " SELinux support: $SELINUX_MSG"
5118	echo " Smartcard support: $SCARD_MSG"	5174	echo " Smartcard support: $SCARD_MSG"
5119	echo " S/KEY support: $SKEY_MSG"	5175	echo " S/KEY support: $SKEY_MSG"
		5176	echo " TCP Wrappers support: $TCPW_MSG"
5120	echo " MD5 password support: $MD5_MSG"	5177	echo " MD5 password support: $MD5_MSG"
5121	echo " libedit support: $LIBEDIT_MSG"	5178	echo " libedit support: $LIBEDIT_MSG"
5122	echo " libldns support: $LDNS_MSG"	5179	echo " libldns support: $LDNS_MSG"


diff --git a/sshd.8 b/sshd.8 index 7725a692c..989dd4bf7 100644 --- a/sshd.8 +++ b/sshd.8
@@ -825,6 +825,12 @@ the user's home directory becomes accessible.
825	This file should be writable only by the user, and need not be	825	This file should be writable only by the user, and need not be
826	readable by anyone else.	826	readable by anyone else.
827	.Pp	827	.Pp
		828	.It Pa /etc/hosts.allow
		829	.It Pa /etc/hosts.deny
		830	Access controls that should be enforced by tcp-wrappers are defined here.
		831	Further details are described in
		832	.Xr hosts_access 5 .
		833	.Pp
828	.It Pa /etc/hosts.equiv	834	.It Pa /etc/hosts.equiv
829	This file is for host-based authentication (see	835	This file is for host-based authentication (see
830	.Xr ssh 1 ) .	836	.Xr ssh 1 ) .
@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable.
929	.Xr ssh-keygen 1 ,	935	.Xr ssh-keygen 1 ,
930	.Xr ssh-keyscan 1 ,	936	.Xr ssh-keyscan 1 ,
931	.Xr chroot 2 ,	937	.Xr chroot 2 ,
		938	.Xr hosts_access 5 ,
932	.Xr login.conf 5 ,	939	.Xr login.conf 5 ,
933	.Xr moduli 5 ,	940	.Xr moduli 5 ,
934	.Xr sshd_config 5 ,	941	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index 20a7a5f33..38cf9b493 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	/* Re-exec fds */	137	/* Re-exec fds */
131	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	138	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
132	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	139	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1992,6 +1999,24 @@ main(int ac, char **av)
1992	#ifdef SSH_AUDIT_EVENTS	1999	#ifdef SSH_AUDIT_EVENTS
1993	audit_connection_from(remote_ip, remote_port);	2000	audit_connection_from(remote_ip, remote_port);
1994	#endif	2001	#endif
		2002	#ifdef LIBWRAP
		2003	allow_severity = options.log_facility\|LOG_INFO;
		2004	deny_severity = options.log_facility\|LOG_WARNING;
		2005	/* Check whether logins are denied from this host. */
		2006	if (packet_connection_is_on_socket()) {
		2007	struct request_info req;
		2008
		2009	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2010	fromhost(&req);
		2011
		2012	if (!hosts_access(&req)) {
		2013	debug("Connection refused by tcp wrapper");
		2014	refuse(&req);
		2015	/* NOTREACHED */
		2016	fatal("libwrap refuse returns");
		2017	}
		2018	}
		2019	#endif /* LIBWRAP */
1995		2020
1996	/* Log the connection. */	2021	/* Log the connection. */
1997	laddr = get_local_ipaddr(sock_in);	2022	laddr = get_local_ipaddr(sock_in);