
(-)file_not_specified_in_diff (-4 / +92 lines)
 https://anongit.mindrot.org/openssh.git/commit/?id=f2719b7c2b8a
 https://anongit.mindrot.org/openssh.git/commit/?id=f2719b7c2b8a
1
 https://anongit.mindrot.org/openssh.git/commit/?id=f9696566fb41
1
 https://anongit.mindrot.org/openssh.git/commit/?id=f9696566fb41
2
--
3
configure.ac |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
2
configure.ac |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
4
sshd.8       |    7 +++++++
3
sshd.8       |    7 +++++++
5
sshd.c       |   25 +++++++++++++++++++++++
4
sshd.c       |   25 +++++++++++++++++++++++
6
3 files changed, 89 insertions(+)
5
3 files changed, 89 insertions(+)
7
-- a/configure.ac
6
++ b/configure.ac
Lines 1380-1385 AC_ARG_WITH([skey], Link Here
1380
	]
1380
	]
1381
)
1381
)
1382
1382
1383
# Check whether user wants TCP wrappers support
1384
TCPW_MSG="no"
1385
AC_ARG_WITH([tcp-wrappers],
1386
	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1387
	[
1388
		if test "x$withval" != "xno" ; then
1389
			saved_LIBS="$LIBS"
1390
			saved_LDFLAGS="$LDFLAGS"
1391
			saved_CPPFLAGS="$CPPFLAGS"
1392
			if test -n "${withval}" && \
1393
			    test "x${withval}" != "xyes"; then
1394
				if test -d "${withval}/lib"; then
1395
					if test -n "${need_dash_r}"; then
1396
						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1397
					else
1398
						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1399
					fi
1400
				else
1401
					if test -n "${need_dash_r}"; then
1402
						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1403
					else
1404
						LDFLAGS="-L${withval} ${LDFLAGS}"
1405
					fi
1406
				fi
1407
				if test -d "${withval}/include"; then
1408
					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1409
				else
1410
					CPPFLAGS="-I${withval} ${CPPFLAGS}"
1411
				fi
1412
			fi
1413
			LIBS="-lwrap $LIBS"
1414
			AC_MSG_CHECKING([for libwrap])
1415
			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1416
#include <sys/types.h>
1417
#include <sys/socket.h>
1418
#include <netinet/in.h>
1419
#include <tcpd.h>
1420
int deny_severity = 0, allow_severity = 0;
1421
				]], [[
1422
	hosts_access(0);
1423
				]])], [
1424
					AC_MSG_RESULT([yes])
1425
					AC_DEFINE([LIBWRAP], [1],
1426
						[Define if you want
1427
						TCP Wrappers support])
1428
					SSHDLIBS="$SSHDLIBS -lwrap"
1429
					TCPW_MSG="yes"
1430
				], [
1431
					AC_MSG_ERROR([*** libwrap missing])
1432
				
1433
			])
1434
			LIBS="$saved_LIBS"
1435
		fi
1436
	]
1437
)
1438
1383
# Check whether user wants to use ldns
1439
# Check whether user wants to use ldns
1384
LDNS_MSG="no"
1440
LDNS_MSG="no"
1385
AC_ARG_WITH(ldns,
1441
AC_ARG_WITH(ldns,
Lines 4829-4834 echo " KerberosV support Link Here
4829
echo "                   SELinux support: $SELINUX_MSG"
4885
echo "                   SELinux support: $SELINUX_MSG"
4830
echo "                 Smartcard support: $SCARD_MSG"
4886
echo "                 Smartcard support: $SCARD_MSG"
4831
echo "                     S/KEY support: $SKEY_MSG"
4887
echo "                     S/KEY support: $SKEY_MSG"
4888
echo "              TCP Wrappers support: $TCPW_MSG"
4832
echo "              MD5 password support: $MD5_MSG"
4889
echo "              MD5 password support: $MD5_MSG"
4833
echo "                   libedit support: $LIBEDIT_MSG"
4890
echo "                   libedit support: $LIBEDIT_MSG"
4834
echo "  Solaris process contract support: $SPC_MSG"
4891
echo "  Solaris process contract support: $SPC_MSG"
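Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned in the `--with-tcp-wrappers` block but never read; only `LIBS` is restored after the link test, so the `-L`/`-R`/`-I` entries derived from PATH stay in effect for every later configure check and, presumably, for every binary the build links rather than just sshd. If that is intended, drop the two unused saves and say so in a comment such as `# PATH is deliberately left in LDFLAGS/CPPFLAGS for the rest of the build`. Where `need_dash_r` is set, the `-R` form also records PATH as a run-time library search path for a daemon that starts as root, so the help text could state that PATH should be a directory only root can write to.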
4835
-- a/sshd.8
4892
++ b/sshd.8
Lines 851-856 the user's home directory becomes access Link Here
851
This file should be writable only by the user, and need not be
851
This file should be writable only by the user, and need not be
852
readable by anyone else.
852
readable by anyone else.
853
.Pp
853
.Pp
854
.It Pa /etc/hosts.allow
855
.It Pa /etc/hosts.deny
856
Access controls that should be enforced by tcp-wrappers are defined here.
857
Further details are described in
858
.Xr hosts_access 5 .
859
.Pp
854
.It Pa /etc/hosts.equiv
860
.It Pa /etc/hosts.equiv
855
This file is for host-based authentication (see
861
This file is for host-based authentication (see
856
.Xr ssh 1 ) .
862
.Xr ssh 1 ) .
Lines 954-959 The content of this file is not sensitiv Link Here
954
.Xr ssh-keygen 1 ,
960
.Xr ssh-keygen 1 ,
955
.Xr ssh-keyscan 1 ,
961
.Xr ssh-keyscan 1 ,
956
.Xr chroot 2 ,
962
.Xr chroot 2 ,
963
.Xr hosts_access 5 ,
957
.Xr login.conf 5 ,
964
.Xr login.conf 5 ,
958
.Xr moduli 5 ,
965
.Xr moduli 5 ,
959
.Xr sshd_config 5 ,
966
.Xr sshd_config 5 ,
960
-- a/sshd.c
967
++ b/sshd.c
Lines 123-128 Link Here
123
#include "ssh-sandbox.h"
123
#include "ssh-sandbox.h"
124
#include "version.h"
124
#include "version.h"
125
125
126
#ifdef LIBWRAP
127
#include <tcpd.h>
128
#include <syslog.h>
129
int allow_severity;
130
int deny_severity;
131
#endif /* LIBWRAP */
132
126
#ifndef O_NOCTTY
133
#ifndef O_NOCTTY
127
#define O_NOCTTY	0
134
#define O_NOCTTY	0
128
#endif
135
#endif
Lines 2054-2059 main(int ac, char **av) Link Here
2054
#ifdef SSH_AUDIT_EVENTS
2061
#ifdef SSH_AUDIT_EVENTS
2055
	audit_connection_from(remote_ip, remote_port);
2062
	audit_connection_from(remote_ip, remote_port);
2056
#endif
2063
#endif
2064
#ifdef LIBWRAP
2065
	allow_severity = options.log_facility|LOG_INFO;
2066
	deny_severity = options.log_facility|LOG_WARNING;
2067
	/* Check whether logins are denied from this host. */
2068
	if (packet_connection_is_on_socket()) {
2069
		struct request_info req;
2070
2071
		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
2072
		fromhost(&req);
2073
2074
		if (!hosts_access(&req)) {
2075
			debug("Connection refused by tcp wrapper");
2076
			refuse(&req);
2077
			/* NOTREACHED */
2078
			fatal("libwrap refuse returns");
2079
		}
2080
	}
2081
#endif /* LIBWRAP */
2057
2082
2058
	/* Log the connection. */
2083
	/* Log the connection. */
2059
	verbose("Connection from %s port %d on %s port %d",
2084
	verbose("Connection from %s port %d on %s port %d",
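Review bot: A connection refused by the wrapper check added to main() is recorded by sshd itself only at debug level (`debug("Connection refused by tcp wrapper")`), so at the default log level the only trace of a denial is whatever libwrap's `refuse()` sends to syslog at `deny_severity`. That severity is computed as `options.log_facility|LOG_WARNING`; if `log_facility` holds sshd's internal facility enum rather than a syslog `LOG_*` facility value (its type is not visible here), the OR yields an unintended priority and the record may be filtered out. Logging the denial through sshd's own logger before the call, e.g. `logit("Connection from %s refused by tcp wrapper", remote_ip);`, keeps it visible wherever sshd logs. The rules are matched against `__progname`, and hosts_access() grants access when no rule matches, so a comment noting that a binary running under another name is not covered by rules written for `sshd` would help whoever maintains hosts.allow. main() starts and ends outside the hunk.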
