summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 894ec3b7b..f822fb31c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1510,6 +1510,62 @@ AC_ARG_WITH([skey],
1510 ] 1510 ]
1511) 1511)
1512 1512
1513# Check whether user wants TCP wrappers support
1514TCPW_MSG="no"
1515AC_ARG_WITH([tcp-wrappers],
1516 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1517 [
1518 if test "x$withval" != "xno" ; then
1519 saved_LIBS="$LIBS"
1520 saved_LDFLAGS="$LDFLAGS"
1521 saved_CPPFLAGS="$CPPFLAGS"
1522 if test -n "${withval}" && \
1523 test "x${withval}" != "xyes"; then
1524 if test -d "${withval}/lib"; then
1525 if test -n "${need_dash_r}"; then
1526 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1527 else
1528 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1529 fi
1530 else
1531 if test -n "${need_dash_r}"; then
1532 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1533 else
1534 LDFLAGS="-L${withval} ${LDFLAGS}"
1535 fi
1536 fi
1537 if test -d "${withval}/include"; then
1538 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1539 else
1540 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1541 fi
1542 fi
1543 LIBS="-lwrap $LIBS"
1544 AC_MSG_CHECKING([for libwrap])
1545 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1546#include <sys/types.h>
1547#include <sys/socket.h>
1548#include <netinet/in.h>
1549#include <tcpd.h>
1550int deny_severity = 0, allow_severity = 0;
1551 ]], [[
1552 hosts_access(0);
1553 ]])], [
1554 AC_MSG_RESULT([yes])
1555 AC_DEFINE([LIBWRAP], [1],
1556 [Define if you want
1557 TCP Wrappers support])
1558 SSHDLIBS="$SSHDLIBS -lwrap"
1559 TCPW_MSG="yes"
1560 ], [
1561 AC_MSG_ERROR([*** libwrap missing])
1562
1563 ])
1564 LIBS="$saved_LIBS"
1565 fi
1566 ]
1567)
1568
1513# Check whether user wants to use ldns 1569# Check whether user wants to use ldns
1514LDNS_MSG="no" 1570LDNS_MSG="no"
1515AC_ARG_WITH(ldns, 1571AC_ARG_WITH(ldns,
@@ -5059,6 +5115,7 @@ echo " KerberosV support: $KRB5_MSG"
5059echo " SELinux support: $SELINUX_MSG" 5115echo " SELinux support: $SELINUX_MSG"
5060echo " Smartcard support: $SCARD_MSG" 5116echo " Smartcard support: $SCARD_MSG"
5061echo " S/KEY support: $SKEY_MSG" 5117echo " S/KEY support: $SKEY_MSG"
5118echo " TCP Wrappers support: $TCPW_MSG"
5062echo " MD5 password support: $MD5_MSG" 5119echo " MD5 password support: $MD5_MSG"
5063echo " libedit support: $LIBEDIT_MSG" 5120echo " libedit support: $LIBEDIT_MSG"
5064echo " Solaris process contract support: $SPC_MSG" 5121echo " Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 6c521f23e..589841fcc 100644
--- a/sshd.8
+++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
880This file should be writable only by the user, and need not be 880This file should be writable only by the user, and need not be
881readable by anyone else. 881readable by anyone else.
882.Pp 882.Pp
883.It Pa /etc/hosts.allow
884.It Pa /etc/hosts.deny
885Access controls that should be enforced by tcp-wrappers are defined here.
886Further details are described in
887.Xr hosts_access 5 .
888.Pp
883.It Pa /etc/hosts.equiv 889.It Pa /etc/hosts.equiv
884This file is for host-based authentication (see 890This file is for host-based authentication (see
885.Xr ssh 1 ) . 891.Xr ssh 1 ) .
@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
986.Xr ssh-keygen 1 , 992.Xr ssh-keygen 1 ,
987.Xr ssh-keyscan 1 , 993.Xr ssh-keyscan 1 ,
988.Xr chroot 2 , 994.Xr chroot 2 ,
995.Xr hosts_access 5 ,
989.Xr login.conf 5 , 996.Xr login.conf 5 ,
990.Xr moduli 5 , 997.Xr moduli 5 ,
991.Xr sshd_config 5 , 998.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index ebb88c776..982e5455e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -129,6 +129,13 @@
129#include <Security/AuthSession.h> 129#include <Security/AuthSession.h>
130#endif 130#endif
131 131
132#ifdef LIBWRAP
133#include <tcpd.h>
134#include <syslog.h>
135int allow_severity;
136int deny_severity;
137#endif /* LIBWRAP */
138
132#ifndef O_NOCTTY 139#ifndef O_NOCTTY
133#define O_NOCTTY 0 140#define O_NOCTTY 0
134#endif 141#endif
@@ -2207,6 +2214,24 @@ main(int ac, char **av)
2207#ifdef SSH_AUDIT_EVENTS 2214#ifdef SSH_AUDIT_EVENTS
2208 audit_connection_from(remote_ip, remote_port); 2215 audit_connection_from(remote_ip, remote_port);
2209#endif 2216#endif
2217#ifdef LIBWRAP
2218 allow_severity = options.log_facility|LOG_INFO;
2219 deny_severity = options.log_facility|LOG_WARNING;
2220 /* Check whether logins are denied from this host. */
2221 if (packet_connection_is_on_socket()) {
2222 struct request_info req;
2223
2224 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2225 fromhost(&req);
2226
2227 if (!hosts_access(&req)) {
2228 debug("Connection refused by tcp wrapper");
2229 refuse(&req);
2230 /* NOTREACHED */
2231 fatal("libwrap refuse returns");
2232 }
2233 }
2234#endif /* LIBWRAP */
2210 2235
2211 /* Log the connection. */ 2236 /* Log the connection. */
2212 laddr = get_local_ipaddr(sock_in); 2237 laddr = get_local_ipaddr(sock_in);