summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 84bfad8c5..3b30736b3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1503,6 +1503,62 @@ AC_ARG_WITH([skey],
1503 ] 1503 ]
1504) 1504)
1505 1505
1506# Check whether user wants TCP wrappers support
1507TCPW_MSG="no"
1508AC_ARG_WITH([tcp-wrappers],
1509 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1510 [
1511 if test "x$withval" != "xno" ; then
1512 saved_LIBS="$LIBS"
1513 saved_LDFLAGS="$LDFLAGS"
1514 saved_CPPFLAGS="$CPPFLAGS"
1515 if test -n "${withval}" && \
1516 test "x${withval}" != "xyes"; then
1517 if test -d "${withval}/lib"; then
1518 if test -n "${need_dash_r}"; then
1519 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1520 else
1521 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1522 fi
1523 else
1524 if test -n "${need_dash_r}"; then
1525 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1526 else
1527 LDFLAGS="-L${withval} ${LDFLAGS}"
1528 fi
1529 fi
1530 if test -d "${withval}/include"; then
1531 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1532 else
1533 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1534 fi
1535 fi
1536 LIBS="-lwrap $LIBS"
1537 AC_MSG_CHECKING([for libwrap])
1538 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1539#include <sys/types.h>
1540#include <sys/socket.h>
1541#include <netinet/in.h>
1542#include <tcpd.h>
1543int deny_severity = 0, allow_severity = 0;
1544 ]], [[
1545 hosts_access(0);
1546 ]])], [
1547 AC_MSG_RESULT([yes])
1548 AC_DEFINE([LIBWRAP], [1],
1549 [Define if you want
1550 TCP Wrappers support])
1551 SSHDLIBS="$SSHDLIBS -lwrap"
1552 TCPW_MSG="yes"
1553 ], [
1554 AC_MSG_ERROR([*** libwrap missing])
1555
1556 ])
1557 LIBS="$saved_LIBS"
1558 fi
1559 ]
1560)
1561
1506# Check whether user wants to use ldns 1562# Check whether user wants to use ldns
1507LDNS_MSG="no" 1563LDNS_MSG="no"
1508AC_ARG_WITH(ldns, 1564AC_ARG_WITH(ldns,
@@ -5133,6 +5189,7 @@ echo " KerberosV support: $KRB5_MSG"
5133echo " SELinux support: $SELINUX_MSG" 5189echo " SELinux support: $SELINUX_MSG"
5134echo " Smartcard support: $SCARD_MSG" 5190echo " Smartcard support: $SCARD_MSG"
5135echo " S/KEY support: $SKEY_MSG" 5191echo " S/KEY support: $SKEY_MSG"
5192echo " TCP Wrappers support: $TCPW_MSG"
5136echo " MD5 password support: $MD5_MSG" 5193echo " MD5 password support: $MD5_MSG"
5137echo " libedit support: $LIBEDIT_MSG" 5194echo " libedit support: $LIBEDIT_MSG"
5138echo " libldns support: $LDNS_MSG" 5195echo " libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index a4201146b..2ed523a2c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -839,6 +839,12 @@ the user's home directory becomes accessible.
839This file should be writable only by the user, and need not be 839This file should be writable only by the user, and need not be
840readable by anyone else. 840readable by anyone else.
841.Pp 841.Pp
842.It Pa /etc/hosts.allow
843.It Pa /etc/hosts.deny
844Access controls that should be enforced by tcp-wrappers are defined here.
845Further details are described in
846.Xr hosts_access 5 .
847.Pp
842.It Pa /etc/hosts.equiv 848.It Pa /etc/hosts.equiv
843This file is for host-based authentication (see 849This file is for host-based authentication (see
844.Xr ssh 1 ) . 850.Xr ssh 1 ) .
@@ -943,6 +949,7 @@ The content of this file is not sensitive; it can be world-readable.
943.Xr ssh-keygen 1 , 949.Xr ssh-keygen 1 ,
944.Xr ssh-keyscan 1 , 950.Xr ssh-keyscan 1 ,
945.Xr chroot 2 , 951.Xr chroot 2 ,
952.Xr hosts_access 5 ,
946.Xr login.conf 5 , 953.Xr login.conf 5 ,
947.Xr moduli 5 , 954.Xr moduli 5 ,
948.Xr sshd_config 5 , 955.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index 45e50fac3..a66e9ca6c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -126,6 +126,13 @@
126#include <Security/AuthSession.h> 126#include <Security/AuthSession.h>
127#endif 127#endif
128 128
129#ifdef LIBWRAP
130#include <tcpd.h>
131#include <syslog.h>
132int allow_severity;
133int deny_severity;
134#endif /* LIBWRAP */
135
129/* Re-exec fds */ 136/* Re-exec fds */
130#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 137#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
131#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 138#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1987,6 +1994,24 @@ main(int ac, char **av)
1987#ifdef SSH_AUDIT_EVENTS 1994#ifdef SSH_AUDIT_EVENTS
1988 audit_connection_from(remote_ip, remote_port); 1995 audit_connection_from(remote_ip, remote_port);
1989#endif 1996#endif
1997#ifdef LIBWRAP
1998 allow_severity = options.log_facility|LOG_INFO;
1999 deny_severity = options.log_facility|LOG_WARNING;
2000 /* Check whether logins are denied from this host. */
2001 if (packet_connection_is_on_socket()) {
2002 struct request_info req;
2003
2004 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2005 fromhost(&req);
2006
2007 if (!hosts_access(&req)) {
2008 debug("Connection refused by tcp wrapper");
2009 refuse(&req);
2010 /* NOTREACHED */
2011 fatal("libwrap refuse returns");
2012 }
2013 }
2014#endif /* LIBWRAP */
1990 2015
1991 /* Log the connection. */ 2016 /* Log the connection. */
1992 laddr = get_local_ipaddr(sock_in); 2017 laddr = get_local_ipaddr(sock_in);