diff options
Diffstat (limited to 'debian/patches/restore-tcp-wrappers.patch')
-rw-r--r-- | debian/patches/restore-tcp-wrappers.patch | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch new file mode 100644 index 000000000..13090ff06 --- /dev/null +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -0,0 +1,172 @@ | |||
1 | From f1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | ||
4 | Subject: Restore TCP wrappers support | ||
5 | |||
6 | Support for TCP wrappers was dropped in OpenSSH 6.7. See this message | ||
7 | and thread: | ||
8 | |||
9 | https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html | ||
10 | |||
11 | It is true that this reduces preauth attack surface in sshd. On the | ||
12 | other hand, this support seems to be quite widely used, and abruptly | ||
13 | dropping it (from the perspective of users who don't read | ||
14 | openssh-unix-dev) could easily cause more serious problems in practice. | ||
15 | |||
16 | It's not entirely clear what the right long-term answer for Debian is, | ||
17 | but it at least probably doesn't involve dropping this feature shortly | ||
18 | before a freeze. | ||
19 | |||
20 | Forwarded: not-needed | ||
21 | Last-Update: 2014-10-07 | ||
22 | |||
23 | Patch-Name: restore-tcp-wrappers.patch | ||
24 | --- | ||
25 | configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
26 | sshd.8 | 7 +++++++ | ||
27 | sshd.c | 25 +++++++++++++++++++++++++ | ||
28 | 3 files changed, 89 insertions(+) | ||
29 | |||
30 | diff --git a/configure.ac b/configure.ac | ||
31 | index 7a25603..128889a 100644 | ||
32 | --- a/configure.ac | ||
33 | +++ b/configure.ac | ||
34 | @@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey], | ||
35 | ] | ||
36 | ) | ||
37 | |||
38 | +# Check whether user wants TCP wrappers support | ||
39 | +TCPW_MSG="no" | ||
40 | +AC_ARG_WITH([tcp-wrappers], | ||
41 | + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | ||
42 | + [ | ||
43 | + if test "x$withval" != "xno" ; then | ||
44 | + saved_LIBS="$LIBS" | ||
45 | + saved_LDFLAGS="$LDFLAGS" | ||
46 | + saved_CPPFLAGS="$CPPFLAGS" | ||
47 | + if test -n "${withval}" && \ | ||
48 | + test "x${withval}" != "xyes"; then | ||
49 | + if test -d "${withval}/lib"; then | ||
50 | + if test -n "${need_dash_r}"; then | ||
51 | + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | ||
52 | + else | ||
53 | + LDFLAGS="-L${withval}/lib ${LDFLAGS}" | ||
54 | + fi | ||
55 | + else | ||
56 | + if test -n "${need_dash_r}"; then | ||
57 | + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" | ||
58 | + else | ||
59 | + LDFLAGS="-L${withval} ${LDFLAGS}" | ||
60 | + fi | ||
61 | + fi | ||
62 | + if test -d "${withval}/include"; then | ||
63 | + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" | ||
64 | + else | ||
65 | + CPPFLAGS="-I${withval} ${CPPFLAGS}" | ||
66 | + fi | ||
67 | + fi | ||
68 | + LIBS="-lwrap $LIBS" | ||
69 | + AC_MSG_CHECKING([for libwrap]) | ||
70 | + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
71 | +#include <sys/types.h> | ||
72 | +#include <sys/socket.h> | ||
73 | +#include <netinet/in.h> | ||
74 | +#include <tcpd.h> | ||
75 | +int deny_severity = 0, allow_severity = 0; | ||
76 | + ]], [[ | ||
77 | + hosts_access(0); | ||
78 | + ]])], [ | ||
79 | + AC_MSG_RESULT([yes]) | ||
80 | + AC_DEFINE([LIBWRAP], [1], | ||
81 | + [Define if you want | ||
82 | + TCP Wrappers support]) | ||
83 | + SSHDLIBS="$SSHDLIBS -lwrap" | ||
84 | + TCPW_MSG="yes" | ||
85 | + ], [ | ||
86 | + AC_MSG_ERROR([*** libwrap missing]) | ||
87 | + | ||
88 | + ]) | ||
89 | + LIBS="$saved_LIBS" | ||
90 | + fi | ||
91 | + ] | ||
92 | +) | ||
93 | + | ||
94 | # Check whether user wants to use ldns | ||
95 | LDNS_MSG="no" | ||
96 | AC_ARG_WITH(ldns, | ||
97 | @@ -4953,6 +5009,7 @@ echo " KerberosV support: $KRB5_MSG" | ||
98 | echo " SELinux support: $SELINUX_MSG" | ||
99 | echo " Smartcard support: $SCARD_MSG" | ||
100 | echo " S/KEY support: $SKEY_MSG" | ||
101 | +echo " TCP Wrappers support: $TCPW_MSG" | ||
102 | echo " MD5 password support: $MD5_MSG" | ||
103 | echo " libedit support: $LIBEDIT_MSG" | ||
104 | echo " Solaris process contract support: $SPC_MSG" | ||
105 | diff --git a/sshd.8 b/sshd.8 | ||
106 | index 213b5fc..2105979 100644 | ||
107 | --- a/sshd.8 | ||
108 | +++ b/sshd.8 | ||
109 | @@ -850,6 +850,12 @@ the user's home directory becomes accessible. | ||
110 | This file should be writable only by the user, and need not be | ||
111 | readable by anyone else. | ||
112 | .Pp | ||
113 | +.It Pa /etc/hosts.allow | ||
114 | +.It Pa /etc/hosts.deny | ||
115 | +Access controls that should be enforced by tcp-wrappers are defined here. | ||
116 | +Further details are described in | ||
117 | +.Xr hosts_access 5 . | ||
118 | +.Pp | ||
119 | .It Pa /etc/hosts.equiv | ||
120 | This file is for host-based authentication (see | ||
121 | .Xr ssh 1 ) . | ||
122 | @@ -953,6 +959,7 @@ The content of this file is not sensitive; it can be world-readable. | ||
123 | .Xr ssh-keygen 1 , | ||
124 | .Xr ssh-keyscan 1 , | ||
125 | .Xr chroot 2 , | ||
126 | +.Xr hosts_access 5 , | ||
127 | .Xr login.conf 5 , | ||
128 | .Xr moduli 5 , | ||
129 | .Xr sshd_config 5 , | ||
130 | diff --git a/sshd.c b/sshd.c | ||
131 | index d659a68..9275e0b 100644 | ||
132 | --- a/sshd.c | ||
133 | +++ b/sshd.c | ||
134 | @@ -130,6 +130,13 @@ | ||
135 | #include <Security/AuthSession.h> | ||
136 | #endif | ||
137 | |||
138 | +#ifdef LIBWRAP | ||
139 | +#include <tcpd.h> | ||
140 | +#include <syslog.h> | ||
141 | +int allow_severity; | ||
142 | +int deny_severity; | ||
143 | +#endif /* LIBWRAP */ | ||
144 | + | ||
145 | #ifndef O_NOCTTY | ||
146 | #define O_NOCTTY 0 | ||
147 | #endif | ||
148 | @@ -2151,6 +2158,24 @@ main(int ac, char **av) | ||
149 | #ifdef SSH_AUDIT_EVENTS | ||
150 | audit_connection_from(remote_ip, remote_port); | ||
151 | #endif | ||
152 | +#ifdef LIBWRAP | ||
153 | + allow_severity = options.log_facility|LOG_INFO; | ||
154 | + deny_severity = options.log_facility|LOG_WARNING; | ||
155 | + /* Check whether logins are denied from this host. */ | ||
156 | + if (packet_connection_is_on_socket()) { | ||
157 | + struct request_info req; | ||
158 | + | ||
159 | + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | ||
160 | + fromhost(&req); | ||
161 | + | ||
162 | + if (!hosts_access(&req)) { | ||
163 | + debug("Connection refused by tcp wrapper"); | ||
164 | + refuse(&req); | ||
165 | + /* NOTREACHED */ | ||
166 | + fatal("libwrap refuse returns"); | ||
167 | + } | ||
168 | + } | ||
169 | +#endif /* LIBWRAP */ | ||
170 | |||
171 | /* Log the connection. */ | ||
172 | laddr = get_local_ipaddr(sock_in); | ||