rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
b58e57
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
b58e57
--- openssh-7.4p1/configure.ac.tcp_wrappers	2016-12-23 15:36:38.745411192 +0100
b58e57
+++ openssh-7.4p1/configure.ac	2016-12-23 15:36:38.777411197 +0100
b58e57
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
b58e57
 	]
b58e57
 )
b58e57
 
b58e57
+# Check whether user wants TCP wrappers support
b58e57
+TCPW_MSG="no"
b58e57
+AC_ARG_WITH([tcp-wrappers],
b58e57
+	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
b58e57
+	[
b58e57
+		if test "x$withval" != "xno" ; then
b58e57
+			saved_LIBS="$LIBS"
b58e57
+			saved_LDFLAGS="$LDFLAGS"
b58e57
+			saved_CPPFLAGS="$CPPFLAGS"
b58e57
+			if test -n "${withval}" && \
b58e57
+			    test "x${withval}" != "xyes"; then
b58e57
+				if test -d "${withval}/lib"; then
b58e57
+					if test -n "${need_dash_r}"; then
b58e57
+						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
b58e57
+					else
b58e57
+						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
b58e57
+					fi
b58e57
+				else
b58e57
+					if test -n "${need_dash_r}"; then
b58e57
+						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
b58e57
+					else
b58e57
+						LDFLAGS="-L${withval} ${LDFLAGS}"
b58e57
+					fi
b58e57
+				fi
b58e57
+				if test -d "${withval}/include"; then
b58e57
+					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
b58e57
+				else
b58e57
+					CPPFLAGS="-I${withval} ${CPPFLAGS}"
b58e57
+				fi
b58e57
+			fi
b58e57
+			LIBS="-lwrap $LIBS"
b58e57
+			AC_MSG_CHECKING([for libwrap])
b58e57
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
b58e57
+#include <sys/types.h>
b58e57
+#include <sys/socket.h>
b58e57
+#include <netinet/in.h>
b58e57
+#include <tcpd.h>
b58e57
+int deny_severity = 0, allow_severity = 0;
b58e57
+				]], [[
b58e57
+	hosts_access(0);
b58e57
+				]])], [
b58e57
+					AC_MSG_RESULT([yes])
b58e57
+					AC_DEFINE([LIBWRAP], [1],
b58e57
+						[Define if you want
b58e57
+						TCP Wrappers support])
b58e57
+					SSHDLIBS="$SSHDLIBS -lwrap"
b58e57
+					TCPW_MSG="yes"
b58e57
+				], [
b58e57
+					AC_MSG_ERROR([*** libwrap missing])
b58e57
+				
b58e57
+			])
b58e57
+			LIBS="$saved_LIBS"
b58e57
+		fi
b58e57
+	]
b58e57
+)
b58e57
+
b58e57
 # Check whether user wants to use ldns
b58e57
 LDNS_MSG="no"
b58e57
 AC_ARG_WITH(ldns,
b58e57
@@ -5214,6 +5270,7 @@ echo "                 KerberosV support
b58e57
 echo "                   SELinux support: $SELINUX_MSG"
b58e57
 echo "                 Smartcard support: $SCARD_MSG"
b58e57
 echo "                     S/KEY support: $SKEY_MSG"
b58e57
+echo "              TCP Wrappers support: $TCPW_MSG"
b58e57
 echo "              MD5 password support: $MD5_MSG"
b58e57
 echo "                   libedit support: $LIBEDIT_MSG"
b58e57
 echo "  Solaris process contract support: $SPC_MSG"
b58e57
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
b58e57
--- openssh-7.4p1/sshd.8.tcp_wrappers	2016-12-23 15:36:38.759411194 +0100
b58e57
+++ openssh-7.4p1/sshd.8	2016-12-23 15:36:38.778411197 +0100
b58e57
@@ -836,6 +836,12 @@ the user's home directory becomes access
b58e57
 This file should be writable only by the user, and need not be
b58e57
 readable by anyone else.
b58e57
 .Pp
b58e57
+.It Pa /etc/hosts.allow
b58e57
+.It Pa /etc/hosts.deny
b58e57
+Access controls that should be enforced by tcp-wrappers are defined here.
b58e57
+Further details are described in
b58e57
+.Xr hosts_access 5 .
b58e57
+.Pp
b58e57
 .It Pa /etc/hosts.equiv
b58e57
 This file is for host-based authentication (see
b58e57
 .Xr ssh 1 ) .
b58e57
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
b58e57
 .Xr ssh-keygen 1 ,
b58e57
 .Xr ssh-keyscan 1 ,
b58e57
 .Xr chroot 2 ,
b58e57
+.Xr hosts_access 5 ,
b58e57
 .Xr login.conf 5 ,
b58e57
 .Xr moduli 5 ,
b58e57
 .Xr sshd_config 5 ,
b58e57
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
b58e57
--- openssh-7.4p1/sshd.c.tcp_wrappers	2016-12-23 15:36:38.772411196 +0100
b58e57
+++ openssh-7.4p1/sshd.c	2016-12-23 15:37:15.032417028 +0100
b58e57
@@ -123,6 +123,13 @@
b58e57
 #include "version.h"
b58e57
 #include "ssherr.h"
b58e57
 
b58e57
+#ifdef LIBWRAP
b58e57
+#include <tcpd.h>
b58e57
+#include <syslog.h>
b58e57
+int allow_severity;
b58e57
+int deny_severity;
b58e57
+#endif /* LIBWRAP */
b58e57
+
b58e57
 /* Re-exec fds */
b58e57
 #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
b58e57
 #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
b58e57
@@ -2012,6 +2019,24 @@ main(int ac, char **av)
b58e57
 #ifdef SSH_AUDIT_EVENTS
b58e57
 	audit_connection_from(remote_ip, remote_port);
b58e57
 #endif
b58e57
+#ifdef LIBWRAP
b58e57
+	allow_severity = options.log_facility|LOG_INFO;
b58e57
+	deny_severity = options.log_facility|LOG_WARNING;
b58e57
+	/* Check whether logins are denied from this host. */
b58e57
+	if (packet_connection_is_on_socket()) {
b58e57
+		struct request_info req;
b58e57
+
b58e57
+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
b58e57
+		fromhost(&req;;
b58e57
+
b58e57
+		if (!hosts_access(&req)) {
b58e57
+			debug("Connection refused by tcp wrapper");
b58e57
+			refuse(&req;;
b58e57
+			/* NOTREACHED */
b58e57
+			fatal("libwrap refuse returns");
b58e57
+		}
b58e57
+	}
b58e57
+#endif /* LIBWRAP */
b58e57
 
b58e57
 	/* Log the connection. */
b58e57
 	laddr = get_local_ipaddr(sock_in);