https://anongit.mindrot.org/openssh.git/commit/?id=f2719b7c2b8a |
|
https://anongit.mindrot.org/openssh.git/commit/?id=f2719b7c2b8a |
1 |
https://anongit.mindrot.org/openssh.git/commit/?id=f9696566fb41 |
1 |
https://anongit.mindrot.org/openssh.git/commit/?id=f9696566fb41 |
2 |
-- |
|
|
3 |
configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ |
2 |
configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ |
4 |
sshd.8 | 7 +++++++ |
3 |
sshd.8 | 7 +++++++ |
5 |
sshd.c | 25 +++++++++++++++++++++++ |
4 |
sshd.c | 25 +++++++++++++++++++++++ |
6 |
3 files changed, 89 insertions(+) |
5 |
3 files changed, 89 insertions(+) |
7 |
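--- a/configure.ac
+++ b/configure.ac
@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey],
 ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+[
+if test "x$withval" != "xno" ; then
+saved_LIBS="$LIBS"
+saved_LDFLAGS="$LDFLAGS"
+saved_CPPFLAGS="$CPPFLAGS"
+if test -n "${withval}" && \
+test "x${withval}" != "xyes"; then
+if test -d "${withval}/lib"; then
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+else
+LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+fi
+else
+if test -n "${need_dash_r}"; then
+LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+else
+LDFLAGS="-L${withval} ${LDFLAGS}"
+fi
+fi
+if test -d "${withval}/include"; then
+CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+else
+CPPFLAGS="-I${withval} ${CPPFLAGS}"
+fi
+fi
+LIBS="-lwrap $LIBS"
+AC_MSG_CHECKING([for libwrap])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+]], [[
+hosts_access(0);
+]])], [
+AC_MSG_RESULT([yes])
+AC_DEFINE([LIBWRAP], [1],
+[Define if you want
+TCP Wrappers support])
+SSHDLIBS="$SSHDLIBS -lwrap"
+TCPW_MSG="yes"
+], [
+AC_MSG_ERROR([*** libwrap missing])
+
+])
+LIBS="$saved_LIBS"
+fi
+]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4829,6 +4885,7 @@ echo " KerberosV support
 echo " SELinux support: $SELINUX_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"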
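Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned at new lines 1390-1391 but never read — only `LIBS="$saved_LIBS"` is restored at line 1434, so the -L/-R and -I additions stay in the global LDFLAGS/CPPFLAGS for the rest of configure. If that is intended (sshd.c has to find tcpd.h and the link step has to find libwrap), drop the two dead assignments and say so next to the restore, e.g. `# LDFLAGS/CPPFLAGS deliberately keep ${withval} so sshd.c builds against tcpd.h`; otherwise restore them alongside LIBS. Separately, the AC_DEFINE description at 1426-1427 is broken mid-sentence across two lines; `[Define if you want TCP Wrappers support])` on one line reads cleaner in config.h. The second hunk (the summary echo) raises nothing.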
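--- a/sshd.8
+++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitiv
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,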
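--- a/sshd.c
+++ b/sshd.c
@@ -123,6 +123,13 @@
 #include "ssh-sandbox.h"
 #include "version.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -2054,6 +2061,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+allow_severity = options.log_facility|LOG_INFO;
+deny_severity = options.log_facility|LOG_WARNING;
+/* Check whether logins are denied from this host. */
+if (packet_connection_is_on_socket()) {
+struct request_info req;
+
+request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+fromhost(&req);
+
+if (!hosts_access(&req)) {
+debug("Connection refused by tcp wrapper");
+refuse(&req);
+/* NOTREACHED */
+fatal("libwrap refuse returns");
+}
+}
+#endif /* LIBWRAP */
 
 /* Log the connection. */
 verbose("Connection from %s port %d on %s port %d",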
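Review bot: A refused connection leaves no record in sshd's own log at the default LogLevel, because the new block in main() reports it only with `debug("Connection refused by tcp wrapper")` before calling refuse(), so the sole trace is whatever libwrap emits through deny_severity. For triage it is worth logging the peer at a level that is on by default, using the variables the audit call just above already has, e.g. `logit("Connection from %s port %d refused by tcp_wrappers", remote_ip, remote_port);`. Note also that fromhost() resolves the peer's hostname, so this check performs a reverse DNS lookup on untrusted input in the pre-authentication path — presumably still before privilege separation in this part of main() — which is a slow, blocking step that deserves a comment above `fromhost(&req);` so a maintainer does not move it somewhere worse. The first hunk (the LIBWRAP includes and severity globals) raises nothing; main() begins and ends outside the hunk.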