1 From 38fc11d61103a3fa75e72b111abaab812dac8061 Mon Sep 17 00:00:00 2001
2 From: Alex Wilson <alex.wilson@joyent.com>
3 Date: Wed, 16 Sep 2015 10:54:13 -0700
4 Subject: [PATCH 34/36] Restore tcpwrappers/libwrap support
5
6 This reverts commit f9696566fb41320820f3b257ab564fa321bb3751
7 and commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054.
8 ---
9 configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
10 sshd.1m | 7 +++++++
11 sshd.c | 25 +++++++++++++++++++++++++
12 3 files changed, 89 insertions(+)
13
14 diff --git a/configure.ac b/configure.ac
15 index e251f9b..0097431 100644
16 --- a/configure.ac
17 +++ b/configure.ac
18 @@ -1456,6 +1456,62 @@ AC_ARG_WITH([skey],
19 ]
20 )
21
22 +# Check whether user wants TCP wrappers support
23 +TCPW_MSG="no"
24 +AC_ARG_WITH([tcp-wrappers],
25 + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
26 + [
27 + if test "x$withval" != "xno" ; then
28 + saved_LIBS="$LIBS"
29 + saved_LDFLAGS="$LDFLAGS"
30 + saved_CPPFLAGS="$CPPFLAGS"
31 + if test -n "${withval}" && \
32 + test "x${withval}" != "xyes"; then
33 + if test -d "${withval}/lib"; then
34 + if test -n "${need_dash_r}"; then
35 + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
36 + else
37 + LDFLAGS="-L${withval}/lib ${LDFLAGS}"
38 + fi
39 + else
40 + if test -n "${need_dash_r}"; then
41 + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
42 + else
43 + LDFLAGS="-L${withval} ${LDFLAGS}"
44 + fi
45 + fi
46 + if test -d "${withval}/include"; then
47 + CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
48 + else
49 + CPPFLAGS="-I${withval} ${CPPFLAGS}"
50 + fi
51 + fi
52 + LIBS="-lwrap $LIBS"
53 + AC_MSG_CHECKING([for libwrap])
54 + AC_LINK_IFELSE([AC_LANG_PROGRAM([[
55 +#include <sys/types.h>
56 +#include <sys/socket.h>
57 +#include <netinet/in.h>
58 +#include <tcpd.h>
59 +int deny_severity = 0, allow_severity = 0;
60 + ]], [[
61 + hosts_access(0);
62 + ]])], [
63 + AC_MSG_RESULT([yes])
64 + AC_DEFINE([LIBWRAP], [1],
65 + [Define if you want
66 + TCP Wrappers support])
67 + SSHDLIBS="$SSHDLIBS -lwrap"
68 + TCPW_MSG="yes"
69 + ], [
70 + AC_MSG_ERROR([*** libwrap missing])
71 +
72 + ])
73 + LIBS="$saved_LIBS"
74 + fi
75 + ]
76 +)
77 +
78 # Check whether user wants to use ldns
79 LDNS_MSG="no"
80 AC_ARG_WITH(ldns,
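Review bot: `saved_LDFLAGS="$LDFLAGS"` and `saved_CPPFLAGS="$CPPFLAGS"` at the top of the --with-tcp-wrappers action are never read back; only `LIBS="$saved_LIBS"` is restored after the probe, so the `-L`/`-R` and `-I` additions for a PATH argument stay in effect for every later configure check. If leaving them in place is intended (the final sshd link needs the -L path, since SSHDLIBS only gains `-lwrap`), the two dead assignments should be dropped so a reader does not expect a restore that never happens; otherwise restore them next to `LIBS="$saved_LIBS"` and carry the path into the link flags explicitly. A one-line comment such as `# LDFLAGS/CPPFLAGS deliberately keep the tcpwrappers path for the sshd link` would make the choice clear either way.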
81 @@ -4993,6 +5049,7 @@ echo " KerberosV support: $KRB5_MSG"
82 echo " SELinux support: $SELINUX_MSG"
83 echo " Smartcard support: $SCARD_MSG"
84 echo " S/KEY support: $SKEY_MSG"
85 +echo " TCP Wrappers support: $TCPW_MSG"
86 echo " MD5 password support: $MD5_MSG"
87 echo " libedit support: $LIBEDIT_MSG"
88 echo " Solaris process contract support: $SPC_MSG"
89 diff --git a/sshd.1m b/sshd.1m
90 index 3753f90..345c08f 100644
91 --- a/sshd.1m
92 +++ b/sshd.1m
93 @@ -850,6 +850,12 @@ the user's home directory becomes accessible.
94 This file should be writable only by the user, and need not be
95 readable by anyone else.
96 .Pp
97 +.It Pa /etc/hosts.allow
98 +.It Pa /etc/hosts.deny
99 +Access controls that should be enforced by tcp-wrappers are defined here.
100 +Further details are described in
101 +.Xr hosts_access 5 .
102 +.Pp
103 .It Pa /etc/hosts.equiv
104 This file is for host-based authentication (see
105 .Xr ssh 1 ) .
106 @@ -980,6 +986,7 @@ Each SSHv2 userauth type has its own PAM service name:
107 .Xr ssh-keygen 1 ,
108 .Xr ssh-keyscan 1 ,
109 .Xr chroot 2 ,
110 +.Xr hosts_access 5 ,
111 .Xr login.conf 5 ,
112 .Xr moduli 4 ,
113 .Xr sshd_config 4 ,
114 diff --git a/sshd.c b/sshd.c
115 index f19b398..c32c078 100644
116 --- a/sshd.c
117 +++ b/sshd.c
118 @@ -126,6 +126,13 @@
119 #include "version.h"
120 #include "ssherr.h"
121
122 +#ifdef LIBWRAP
123 +#include <tcpd.h>
124 +#include <syslog.h>
125 +int allow_severity;
126 +int deny_severity;
127 +#endif /* LIBWRAP */
128 +
129 #ifndef O_NOCTTY
130 #define O_NOCTTY 0
131 #endif
132 @@ -2166,6 +2173,24 @@ main(int ac, char **av)
133 #ifdef SSH_AUDIT_EVENTS
134 audit_connection_from(remote_ip, remote_port);
135 #endif
136 +#ifdef LIBWRAP
137 + allow_severity = options.log_facility|LOG_INFO;
138 + deny_severity = options.log_facility|LOG_WARNING;
139 + /* Check whether logins are denied from this host. */
140 + if (packet_connection_is_on_socket()) {
141 + struct request_info req;
142 +
143 + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
144 + fromhost(&req);
145 +
146 + if (!hosts_access(&req)) {
147 + debug("Connection refused by tcp wrapper");
148 + refuse(&req);
149 + /* NOTREACHED */
150 + fatal("libwrap refuse returns");
151 + }
152 + }
153 +#endif /* LIBWRAP */
154
155 /* Log the connection. */
156 laddr = get_local_ipaddr(sock_in);
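Review bot: `allow_severity = options.log_facility|LOG_INFO;` and the `deny_severity` line below it OR `options.log_facility` directly into a syslog priority, but in OpenSSH that field appears to hold the internal SyslogFacility enum rather than a `LOG_*` facility code (its type is not visible in this hunk, so please confirm). If so, the small enum ordinal lands in the severity bits, which means libwrap's own refusal message from `refuse(&req)` can be emitted at a different level or facility than sshd's other logs and be missed by whatever watches for denied connections. Mapping the enum to the matching `LOG_*` facility the way `log_init()` does before ORing in `LOG_INFO`/`LOG_WARNING` would keep wrapper refusals alongside the rest of sshd's audit trail. The enclosing `main()` starts and ends outside this hunk.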
157 --
158 2.5.4 (Apple Git-61)
159