|
 |
6cf9b8e |
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
|
|
|
6cf9b8e |
--- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100
|
|
|
6cf9b8e |
+++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100
|
|
|
6cf9b8e |
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
|
|
 |
f29c878 |
]
|
|
|
f29c878 |
)
|
|
|
f29c878 |
|
|
|
f29c878 |
+# Check whether user wants TCP wrappers support
|
|
|
f29c878 |
+TCPW_MSG="no"
|
|
|
f29c878 |
+AC_ARG_WITH([tcp-wrappers],
|
|
|
f29c878 |
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
|
|
f29c878 |
+ [
|
|
|
f29c878 |
+ if test "x$withval" != "xno" ; then
|
|
|
f29c878 |
+ saved_LIBS="$LIBS"
|
|
|
f29c878 |
+ saved_LDFLAGS="$LDFLAGS"
|
|
|
f29c878 |
+ saved_CPPFLAGS="$CPPFLAGS"
|
|
|
f29c878 |
+ if test -n "${withval}" && \
|
|
|
f29c878 |
+ test "x${withval}" != "xyes"; then
|
|
|
f29c878 |
+ if test -d "${withval}/lib"; then
|
|
|
f29c878 |
+ if test -n "${need_dash_r}"; then
|
|
|
f29c878 |
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
|
|
f29c878 |
+ else
|
|
|
f29c878 |
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
|
|
f29c878 |
+ fi
|
|
|
f29c878 |
+ else
|
|
|
f29c878 |
+ if test -n "${need_dash_r}"; then
|
|
|
f29c878 |
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
|
|
f29c878 |
+ else
|
|
|
f29c878 |
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
|
|
f29c878 |
+ fi
|
|
|
f29c878 |
+ fi
|
|
|
f29c878 |
+ if test -d "${withval}/include"; then
|
|
|
f29c878 |
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
|
|
f29c878 |
+ else
|
|
|
f29c878 |
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
|
|
f29c878 |
+ fi
|
|
|
f29c878 |
+ fi
|
|
|
f29c878 |
+ LIBS="-lwrap $LIBS"
|
|
|
f29c878 |
+ AC_MSG_CHECKING([for libwrap])
|
|
|
f29c878 |
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
|
f29c878 |
+#include <sys/types.h>
|
|
|
f29c878 |
+#include <sys/socket.h>
|
|
|
f29c878 |
+#include <netinet/in.h>
|
|
|
f29c878 |
+#include <tcpd.h>
|
|
|
f29c878 |
+int deny_severity = 0, allow_severity = 0;
|
|
|
f29c878 |
+ ]], [[
|
|
|
f29c878 |
+ hosts_access(0);
|
|
|
f29c878 |
+ ]])], [
|
|
|
f29c878 |
+ AC_MSG_RESULT([yes])
|
|
|
f29c878 |
+ AC_DEFINE([LIBWRAP], [1],
|
|
|
f29c878 |
+ [Define if you want
|
|
|
f29c878 |
+ TCP Wrappers support])
|
|
|
f29c878 |
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
|
|
f29c878 |
+ TCPW_MSG="yes"
|
|
|
f29c878 |
+ ], [
|
|
|
f29c878 |
+ AC_MSG_ERROR([*** libwrap missing])
|
|
|
f29c878 |
+
|
|
|
f29c878 |
+ ])
|
|
|
f29c878 |
+ LIBS="$saved_LIBS"
|
|
|
f29c878 |
+ fi
|
|
|
f29c878 |
+ ]
|
|
|
f29c878 |
+)
|
|
|
f29c878 |
+
|
|
|
f29c878 |
# Check whether user wants to use ldns
|
|
|
f29c878 |
LDNS_MSG="no"
|
|
|
f29c878 |
AC_ARG_WITH(ldns,
|
|
|
6cf9b8e |
@@ -5214,6 +5270,7 @@ echo " KerberosV support
|
|
|
f29c878 |
echo " SELinux support: $SELINUX_MSG"
|
|
|
f29c878 |
echo " Smartcard support: $SCARD_MSG"
|
|
|
f29c878 |
echo " S/KEY support: $SKEY_MSG"
|
|
|
f29c878 |
+echo " TCP Wrappers support: $TCPW_MSG"
|
|
|
f29c878 |
echo " MD5 password support: $MD5_MSG"
|
|
|
f29c878 |
echo " libedit support: $LIBEDIT_MSG"
|
|
|
f29c878 |
echo " Solaris process contract support: $SPC_MSG"
|
|
|
6cf9b8e |
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
|
|
|
6cf9b8e |
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
|
|
|
6cf9b8e |
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
|
|
|
6cf9b8e |
@@ -836,6 +836,12 @@ the user's home directory becomes access
|
|
|
f29c878 |
This file should be writable only by the user, and need not be
|
|
|
f29c878 |
readable by anyone else.
|
|
|
f29c878 |
.Pp
|
|
|
f29c878 |
+.It Pa /etc/hosts.allow
|
|
|
f29c878 |
+.It Pa /etc/hosts.deny
|
|
|
f29c878 |
+Access controls that should be enforced by tcp-wrappers are defined here.
|
|
|
f29c878 |
+Further details are described in
|
|
|
f29c878 |
+.Xr hosts_access 5 .
|
|
|
f29c878 |
+.Pp
|
|
|
f29c878 |
.It Pa /etc/hosts.equiv
|
|
|
f29c878 |
This file is for host-based authentication (see
|
|
|
f29c878 |
.Xr ssh 1 ) .
|
|
|
6cf9b8e |
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
|
|
|
f29c878 |
.Xr ssh-keygen 1 ,
|
|
|
f29c878 |
.Xr ssh-keyscan 1 ,
|
|
|
f29c878 |
.Xr chroot 2 ,
|
|
|
f29c878 |
+.Xr hosts_access 5 ,
|
|
|
f29c878 |
.Xr login.conf 5 ,
|
|
|
f29c878 |
.Xr moduli 5 ,
|
|
|
f29c878 |
.Xr sshd_config 5 ,
|
|
|
6cf9b8e |
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
|
|
|
6cf9b8e |
--- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100
|
|
|
6cf9b8e |
+++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100
|
|
|
6cf9b8e |
@@ -123,6 +123,13 @@
|
|
|
f29c878 |
#include "version.h"
|
|
|
132f8f8 |
#include "ssherr.h"
|
|
|
f29c878 |
|
|
|
f29c878 |
+#ifdef LIBWRAP
|
|
|
f29c878 |
+#include <tcpd.h>
|
|
|
f29c878 |
+#include <syslog.h>
|
|
|
f29c878 |
+int allow_severity;
|
|
|
f29c878 |
+int deny_severity;
|
|
|
f29c878 |
+#endif /* LIBWRAP */
|
|
|
f29c878 |
+
|
|
|
6cf9b8e |
/* Re-exec fds */
|
|
|
6cf9b8e |
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
|
|
6cf9b8e |
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
|
|
6cf9b8e |
@@ -2012,6 +2019,24 @@ main(int ac, char **av)
|
|
|
f29c878 |
#ifdef SSH_AUDIT_EVENTS
|
|
|
f29c878 |
audit_connection_from(remote_ip, remote_port);
|
|
|
f29c878 |
#endif
|
|
|
f29c878 |
+#ifdef LIBWRAP
|
|
|
f29c878 |
+ allow_severity = options.log_facility|LOG_INFO;
|
|
|
f29c878 |
+ deny_severity = options.log_facility|LOG_WARNING;
|
|
|
f29c878 |
+ /* Check whether logins are denied from this host. */
|
|
|
f29c878 |
+ if (packet_connection_is_on_socket()) {
|
|
|
f29c878 |
+ struct request_info req;
|
|
|
f29c878 |
+
|
|
|
f29c878 |
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
|
|
f29c878 |
+ fromhost(&req;;
|
|
|
f29c878 |
+
|
|
|
f29c878 |
+ if (!hosts_access(&req)) {
|
|
|
f29c878 |
+ debug("Connection refused by tcp wrapper");
|
|
|
f29c878 |
+ refuse(&req;;
|
|
|
f29c878 |
+ /* NOTREACHED */
|
|
|
f29c878 |
+ fatal("libwrap refuse returns");
|
|
|
f29c878 |
+ }
|
|
|
f29c878 |
+ }
|
|
|
f29c878 |
+#endif /* LIBWRAP */
|
|
|
f29c878 |
|
|
|
f29c878 |
/* Log the connection. */
|
|
|
535d341 |
laddr = get_local_ipaddr(sock_in);
|