From 31d42cd8624f29508f772447e617ab043a6487d9 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 7 Oct 2014 13:22:41 +0100 Subject: Restore TCP wrappers support Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch --- sshd.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'sshd.c') diff --git a/sshd.c b/sshd.c index d92f03aaf..62dc55cf2 100644 --- a/sshd.c +++ b/sshd.c @@ -124,6 +124,13 @@ #include "ssherr.h" #include "sk-api.h" +#ifdef LIBWRAP +#include +#include +int allow_severity; +int deny_severity; +#endif /* LIBWRAP */ + /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) @@ -2138,6 +2145,24 @@ main(int ac, char **av) #ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); #endif +#ifdef LIBWRAP + allow_severity = options.log_facility|LOG_INFO; + deny_severity = options.log_facility|LOG_WARNING; + /* Check whether logins are denied from this host. */ + if (ssh_packet_connection_is_on_socket(ssh)) { + struct request_info req; + + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); + fromhost(&req); + + if (!hosts_access(&req)) { + debug("Connection refused by tcp wrapper"); + refuse(&req); + /* NOTREACHED */ + fatal("libwrap refuse returns"); + } + } +#endif /* LIBWRAP */ rdomain = ssh_packet_rdomain_in(ssh); -- cgit v1.2.3