1 files changed, 172 insertions, 0 deletions
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
new file mode 100644
index 000000000..222a996f1
--- /dev/null
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -0,0 +1,172 @@
+From 57c1dd662f9259f58a47801e2d4b0f84e973441d Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Tue, 7 Oct 2014 13:22:41 +0100
+Subject: Restore TCP wrappers support
+Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
+and thread:
+  https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
+It is true that this reduces preauth attack surface in sshd.  On the
+other hand, this support seems to be quite widely used, and abruptly
+dropping it (from the perspective of users who don't read
+openssh-unix-dev) could easily cause more serious problems in practice.
+It's not entirely clear what the right long-term answer for Debian is,
+but it at least probably doesn't involve dropping this feature shortly
+before a freeze.
+Forwarded: not-needed
+Last-Update: 2019-06-05
+Patch-Name: restore-tcp-wrappers.patch
+---
+ configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ sshd.8       |  7 +++++++
+ sshd.c       | 25 +++++++++++++++++++++++
+ 3 files changed, 89 insertions(+)
+diff --git a/configure.ac b/configure.ac
+index 1c2512314..e894db9fc 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1521,6 +1521,62 @@ else
+        AC_MSG_RESULT([no])
+ fi
+ 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+       [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+       [
+               if test "x$withval" != "xno" ; then
+                       saved_LIBS="$LIBS"
+                       saved_LDFLAGS="$LDFLAGS"
+                       saved_CPPFLAGS="$CPPFLAGS"
+                       if test -n "${withval}" && \
+                           test "x${withval}" != "xyes"; then
+                               if test -d "${withval}/lib"; then
+                                       if test -n "${need_dash_r}"; then
+                                               LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                       else
+                                               LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                       fi
+                               else
+                                       if test -n "${need_dash_r}"; then
+                                               LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                       else
+                                               LDFLAGS="-L${withval} ${LDFLAGS}"
+                                       fi
+                               fi
+                               if test -d "${withval}/include"; then
+                                       CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                               else
+                                       CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                               fi
+                       fi
+                       LIBS="-lwrap $LIBS"
+                       AC_MSG_CHECKING([for libwrap])
+                       AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                               ]], [[
+       hosts_access(0);
+                               ]])], [
+                                       AC_MSG_RESULT([yes])
+                                       AC_DEFINE([LIBWRAP], [1],
+                                               [Define if you want
+                                               TCP Wrappers support])
+                                       SSHDLIBS="$SSHDLIBS -lwrap"
+                                       TCPW_MSG="yes"
+                               ], [
+                                       AC_MSG_ERROR([*** libwrap missing])
+                               
+                       ])
+                       LIBS="$saved_LIBS"
+               fi
+       ]
+)
+
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5242,6 +5298,7 @@ echo "                       PAM support: $PAM_MSG"
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "                   libldns support: $LDNS_MSG"
+diff --git a/sshd.8 b/sshd.8
+index fb133c14b..57a7fd66b 100644
+--- a/sshd.8
+++ b/sshd.8
+@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
+.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+diff --git a/sshd.c b/sshd.c
+index 3a5c1ea78..4e32fd10d 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -127,6 +127,13 @@
+ #include <Security/AuthSession.h>
+ #endif
+ 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
+@@ -2062,6 +2069,24 @@ main(int ac, char **av)
+ #ifdef SSH_AUDIT_EVENTS
+        audit_connection_from(remote_ip, remote_port);
+ #endif
+#ifdef LIBWRAP
+       allow_severity = options.log_facility|LOG_INFO;
+       deny_severity = options.log_facility|LOG_WARNING;
+       /* Check whether logins are denied from this host. */
+       if (ssh_packet_connection_is_on_socket(ssh)) {
+               struct request_info req;
+
+               request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+               fromhost(&req);
+
+               if (!hosts_access(&req)) {
+                       debug("Connection refused by tcp wrapper");
+                       refuse(&req);
+                       /* NOTREACHED */
+                       fatal("libwrap refuse returns");
+               }
+       }
+#endif /* LIBWRAP */
+ 
+        rdomain = ssh_packet_rdomain_in(ssh);
+

diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch new file mode 100644 index 000000000..222a996f1 --- /dev/null +++ b/debian/patches/restore-tcp-wrappers.patch
@@ -0,0 +1,172 @@
	1	From 57c1dd662f9259f58a47801e2d4b0f84e973441d Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Tue, 7 Oct 2014 13:22:41 +0100
	4	Subject: Restore TCP wrappers support
	5
	6	Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
	7	and thread:
	8
	9	https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
	10
	11	It is true that this reduces preauth attack surface in sshd. On the
	12	other hand, this support seems to be quite widely used, and abruptly
	13	dropping it (from the perspective of users who don't read
	14	openssh-unix-dev) could easily cause more serious problems in practice.
	15
	16	It's not entirely clear what the right long-term answer for Debian is,
	17	but it at least probably doesn't involve dropping this feature shortly
	18	before a freeze.
	19
	20	Forwarded: not-needed
	21	Last-Update: 2019-06-05
	22
	23	Patch-Name: restore-tcp-wrappers.patch
	24	---
	25	configure.ac \| 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
	26	sshd.8 \| 7 +++++++
	27	sshd.c \| 25 +++++++++++++++++++++++
	28	3 files changed, 89 insertions(+)
	29
	30	diff --git a/configure.ac b/configure.ac
	31	index 1c2512314..e894db9fc 100644
	32	--- a/configure.ac
	33	+++ b/configure.ac
	34	@@ -1521,6 +1521,62 @@ else
	35	AC_MSG_RESULT([no])
	36	fi
	37
	38	+# Check whether user wants TCP wrappers support
	39	+TCPW_MSG="no"
	40	+AC_ARG_WITH([tcp-wrappers],
	41	+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
	42	+ [
	43	+ if test "x$withval" != "xno" ; then
	44	+ saved_LIBS="$LIBS"
	45	+ saved_LDFLAGS="$LDFLAGS"
	46	+ saved_CPPFLAGS="$CPPFLAGS"
	47	+ if test -n "${withval}" && \
	48	+ test "x${withval}" != "xyes"; then
	49	+ if test -d "${withval}/lib"; then
	50	+ if test -n "${need_dash_r}"; then
	51	+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
	52	+ else
	53	+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
	54	+ fi
	55	+ else
	56	+ if test -n "${need_dash_r}"; then
	57	+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
	58	+ else
	59	+ LDFLAGS="-L${withval} ${LDFLAGS}"
	60	+ fi
	61	+ fi
	62	+ if test -d "${withval}/include"; then
	63	+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
	64	+ else
	65	+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
	66	+ fi
	67	+ fi
	68	+ LIBS="-lwrap $LIBS"
	69	+ AC_MSG_CHECKING([for libwrap])
	70	+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
	71	+#include <sys/types.h>
	72	+#include <sys/socket.h>
	73	+#include <netinet/in.h>
	74	+#include <tcpd.h>
	75	+int deny_severity = 0, allow_severity = 0;
	76	+ ]], [[
	77	+ hosts_access(0);
	78	+ ]])], [
	79	+ AC_MSG_RESULT([yes])
	80	+ AC_DEFINE([LIBWRAP], [1],
	81	+ [Define if you want
	82	+ TCP Wrappers support])
	83	+ SSHDLIBS="$SSHDLIBS -lwrap"
	84	+ TCPW_MSG="yes"
	85	+ ], [
	86	+ AC_MSG_ERROR([*** libwrap missing])
	87	+
	88	+ ])
	89	+ LIBS="$saved_LIBS"
	90	+ fi
	91	+ ]
	92	+)
	93	+
	94	# Check whether user wants to use ldns
	95	LDNS_MSG="no"
	96	AC_ARG_WITH(ldns,
	97	@@ -5242,6 +5298,7 @@ echo " PAM support: $PAM_MSG"
	98	echo " OSF SIA support: $SIA_MSG"
	99	echo " KerberosV support: $KRB5_MSG"
	100	echo " SELinux support: $SELINUX_MSG"
	101	+echo " TCP Wrappers support: $TCPW_MSG"
	102	echo " MD5 password support: $MD5_MSG"
	103	echo " libedit support: $LIBEDIT_MSG"
	104	echo " libldns support: $LDNS_MSG"
	105	diff --git a/sshd.8 b/sshd.8
	106	index fb133c14b..57a7fd66b 100644
	107	--- a/sshd.8
	108	+++ b/sshd.8
	109	@@ -873,6 +873,12 @@ the user's home directory becomes accessible.
	110	This file should be writable only by the user, and need not be
	111	readable by anyone else.
	112	.Pp
	113	+.It Pa /etc/hosts.allow
	114	+.It Pa /etc/hosts.deny
	115	+Access controls that should be enforced by tcp-wrappers are defined here.
	116	+Further details are described in
	117	+.Xr hosts_access 5 .
	118	+.Pp
	119	.It Pa /etc/hosts.equiv
	120	This file is for host-based authentication (see
	121	.Xr ssh 1 ) .
	122	@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable.
	123	.Xr ssh-keygen 1 ,
	124	.Xr ssh-keyscan 1 ,
	125	.Xr chroot 2 ,
	126	+.Xr hosts_access 5 ,
	127	.Xr login.conf 5 ,
	128	.Xr moduli 5 ,
	129	.Xr sshd_config 5 ,
	130	diff --git a/sshd.c b/sshd.c
	131	index 3a5c1ea78..4e32fd10d 100644
	132	--- a/sshd.c
	133	+++ b/sshd.c
	134	@@ -127,6 +127,13 @@
	135	#include <Security/AuthSession.h>
	136	#endif
	137
	138	+#ifdef LIBWRAP
	139	+#include <tcpd.h>
	140	+#include <syslog.h>
	141	+int allow_severity;
	142	+int deny_severity;
	143	+#endif /* LIBWRAP */
	144	+
	145	/* Re-exec fds */
	146	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
	147	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
	148	@@ -2062,6 +2069,24 @@ main(int ac, char **av)
	149	#ifdef SSH_AUDIT_EVENTS
	150	audit_connection_from(remote_ip, remote_port);
	151	#endif
	152	+#ifdef LIBWRAP
	153	+ allow_severity = options.log_facility\|LOG_INFO;
	154	+ deny_severity = options.log_facility\|LOG_WARNING;
	155	+ /* Check whether logins are denied from this host. */
	156	+ if (ssh_packet_connection_is_on_socket(ssh)) {
	157	+ struct request_info req;
	158	+
	159	+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
	160	+ fromhost(&req);
	161	+
	162	+ if (!hosts_access(&req)) {
	163	+ debug("Connection refused by tcp wrapper");
	164	+ refuse(&req);
	165	+ /* NOTREACHED */
	166	+ fatal("libwrap refuse returns");
	167	+ }
	168	+ }
	169	+#endif /* LIBWRAP */
	170
	171	rdomain = ssh_packet_rdomain_in(ssh);
	172