You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
140 lines
4.2 KiB
140 lines
4.2 KiB
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac |
|
--- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100 |
|
+++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100 |
|
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey], |
|
] |
|
) |
|
|
|
+# Check whether user wants TCP wrappers support |
|
+TCPW_MSG="no" |
|
+AC_ARG_WITH([tcp-wrappers], |
|
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], |
|
+ [ |
|
+ if test "x$withval" != "xno" ; then |
|
+ saved_LIBS="$LIBS" |
|
+ saved_LDFLAGS="$LDFLAGS" |
|
+ saved_CPPFLAGS="$CPPFLAGS" |
|
+ if test -n "${withval}" && \ |
|
+ test "x${withval}" != "xyes"; then |
|
+ if test -d "${withval}/lib"; then |
|
+ if test -n "${need_dash_r}"; then |
|
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" |
|
+ else |
|
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}" |
|
+ fi |
|
+ else |
|
+ if test -n "${need_dash_r}"; then |
|
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" |
|
+ else |
|
+ LDFLAGS="-L${withval} ${LDFLAGS}" |
|
+ fi |
|
+ fi |
|
+ if test -d "${withval}/include"; then |
|
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" |
|
+ else |
|
+ CPPFLAGS="-I${withval} ${CPPFLAGS}" |
|
+ fi |
|
+ fi |
|
+ LIBS="-lwrap $LIBS" |
|
+ AC_MSG_CHECKING([for libwrap]) |
|
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ |
|
+#include <sys/types.h> |
|
+#include <sys/socket.h> |
|
+#include <netinet/in.h> |
|
+#include <tcpd.h> |
|
+int deny_severity = 0, allow_severity = 0; |
|
+ ]], [[ |
|
+ hosts_access(0); |
|
+ ]])], [ |
|
+ AC_MSG_RESULT([yes]) |
|
+ AC_DEFINE([LIBWRAP], [1], |
|
+ [Define if you want |
|
+ TCP Wrappers support]) |
|
+ SSHDLIBS="$SSHDLIBS -lwrap" |
|
+ TCPW_MSG="yes" |
|
+ ], [ |
|
+ AC_MSG_ERROR([*** libwrap missing]) |
|
+ |
|
+ ]) |
|
+ LIBS="$saved_LIBS" |
|
+ fi |
|
+ ] |
|
+) |
|
+ |
|
# Check whether user wants to use ldns |
|
LDNS_MSG="no" |
|
AC_ARG_WITH(ldns, |
|
@@ -5214,6 +5270,7 @@ echo " KerberosV support |
|
echo " SELinux support: $SELINUX_MSG" |
|
echo " Smartcard support: $SCARD_MSG" |
|
echo " S/KEY support: $SKEY_MSG" |
|
+echo " TCP Wrappers support: $TCPW_MSG" |
|
echo " MD5 password support: $MD5_MSG" |
|
echo " libedit support: $LIBEDIT_MSG" |
|
echo " Solaris process contract support: $SPC_MSG" |
|
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8 |
|
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100 |
|
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100 |
|
@@ -836,6 +836,12 @@ the user's home directory becomes access |
|
This file should be writable only by the user, and need not be |
|
readable by anyone else. |
|
.Pp |
|
+.It Pa /etc/hosts.allow |
|
+.It Pa /etc/hosts.deny |
|
+Access controls that should be enforced by tcp-wrappers are defined here. |
|
+Further details are described in |
|
+.Xr hosts_access 5 . |
|
+.Pp |
|
.It Pa /etc/hosts.equiv |
|
This file is for host-based authentication (see |
|
.Xr ssh 1 ) . |
|
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher |
|
.Xr ssh-keygen 1 , |
|
.Xr ssh-keyscan 1 , |
|
.Xr chroot 2 , |
|
+.Xr hosts_access 5 , |
|
.Xr login.conf 5 , |
|
.Xr moduli 5 , |
|
.Xr sshd_config 5 , |
|
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c |
|
--- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100 |
|
+++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100 |
|
@@ -123,6 +123,13 @@ |
|
#include "version.h" |
|
#include "ssherr.h" |
|
|
|
+#ifdef LIBWRAP |
|
+#include <tcpd.h> |
|
+#include <syslog.h> |
|
+int allow_severity; |
|
+int deny_severity; |
|
+#endif /* LIBWRAP */ |
|
+ |
|
/* Re-exec fds */ |
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
|
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
|
@@ -2012,6 +2019,24 @@ main(int ac, char **av) |
|
#ifdef SSH_AUDIT_EVENTS |
|
audit_connection_from(remote_ip, remote_port); |
|
#endif |
|
+#ifdef LIBWRAP |
|
+ allow_severity = options.log_facility|LOG_INFO; |
|
+ deny_severity = options.log_facility|LOG_WARNING; |
|
+ /* Check whether logins are denied from this host. */ |
|
+ if (packet_connection_is_on_socket()) { |
|
+ struct request_info req; |
|
+ |
|
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); |
|
+ fromhost(&req); |
|
+ |
|
+ if (!hosts_access(&req)) { |
|
+ debug("Connection refused by tcp wrapper"); |
|
+ refuse(&req); |
|
+ /* NOTREACHED */ |
|
+ fatal("libwrap refuse returns"); |
|
+ } |
|
+ } |
|
+#endif /* LIBWRAP */ |
|
|
|
/* Log the connection. */ |
|
laddr = get_local_ipaddr(sock_in);
|
|
|