Gentoo's Bugzilla – Attachment 391414 Details for
Bug 531156
net-misc/openssh-6.7_p1-r1 does not support tcp-wrappers anymore
[patch]
Restore TCP Wrapper support
openssh-6.7p1-libwrap.diff (text/plain), 4.25 KB, created by
mancha
on 2014-12-11 05:40:27 UTC
Description:
Restore TCP Wrapper support
Filename:
MIME Type:
Creator:
mancha
Created:
2014-12-11 05:40:27 UTC
Size:
4.25 KB
>From 8c59bae0e4bdc0e3456d1802b391370bdf9975f3 Mon Sep 17 00:00:00 2001
>From: mancha <mancha1 AT zoho DOT com>
>Date: Mon, 6 Oct 2014
>Subject: Re-introduce TCP Wrappers support
>
>Support for TCP Wrappers was dropped as of OpenSSH 6.7. This patch
>resurrects the feature.
>
>Relevant upstream commits:
>
> https://anongit.mindrot.org/openssh.git/commit/?id=f2719b7c2b8a
> https://anongit.mindrot.org/openssh.git/commit/?id=f9696566fb41
>
>---
> configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> sshd.8 | 7 +++++++
> sshd.c | 25 +++++++++++++++++++++++
> 3 files changed, 89 insertions(+)
>
>--- a/configure.ac
>+++ b/configure.ac
>@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey],
> ]
> )
>
>+# Check whether user wants TCP wrappers support
>+TCPW_MSG="no"
>+AC_ARG_WITH([tcp-wrappers],
>+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
>+ [
>+ if test "x$withval" != "xno" ; then
>+ saved_LIBS="$LIBS"
>+ saved_LDFLAGS="$LDFLAGS"
>+ saved_CPPFLAGS="$CPPFLAGS"
>+ if test -n "${withval}" && \
>+ test "x${withval}" != "xyes"; then
>+ if test -d "${withval}/lib"; then
>+ if test -n "${need_dash_r}"; then
>+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
>+ else
>+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
>+ fi
>+ else
>+ if test -n "${need_dash_r}"; then
>+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
>+ else
>+ LDFLAGS="-L${withval} ${LDFLAGS}"
>+ fi
>+ fi
>+ if test -d "${withval}/include"; then
>+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
>+ else
>+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
>+ fi
>+ fi
>+ LIBS="-lwrap $LIBS"
>+ AC_MSG_CHECKING([for libwrap])
>+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
>+#include <sys/types.h>
>+#include <sys/socket.h>
>+#include <netinet/in.h>
>+#include <tcpd.h>
>+int deny_severity = 0, allow_severity = 0;
>+ ]], [[
>+ hosts_access(0);
>+ ]])], [
>+ AC_MSG_RESULT([yes])
>+ AC_DEFINE([LIBWRAP], [1],
>+ [Define if you want
>+ TCP Wrappers support])
>+ SSHDLIBS="$SSHDLIBS -lwrap"
>+ TCPW_MSG="yes"
>+ ], [
>+ AC_MSG_ERROR([*** libwrap missing])
>+
>+ ])
>+ LIBS="$saved_LIBS"
>+ fi
>+ ]
>+)
>+
> # Check whether user wants to use ldns
> LDNS_MSG="no"
> AC_ARG_WITH(ldns,
>@@ -4829,6 +4885,7 @@ echo " KerberosV support
> echo " SELinux support: $SELINUX_MSG"
> echo " Smartcard support: $SCARD_MSG"
> echo " S/KEY support: $SKEY_MSG"
>+echo " TCP Wrappers support: $TCPW_MSG"
> echo " MD5 password support: $MD5_MSG"
> echo " libedit support: $LIBEDIT_MSG"
> echo " Solaris process contract support: $SPC_MSG"
>--- a/sshd.8
>+++ b/sshd.8
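Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are set at the top of the `--with-tcp-wrappers` branch but never read; only `LIBS` is restored after the link test. If leaving the `-L`/`-R`/`-I` additions in place is intended so that sshd.c can find `<tcpd.h>` and libwrap, drop the two dead assignments or say so with a comment such as `# LDFLAGS/CPPFLAGS stay modified: sshd needs them to build against libwrap`. Because the flags are global, a PATH passed here also lands in the `-R` run-path when `need_dash_r` is set, presumably for every binary configure links, so it should name a directory only root can write.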
>@@ -851,6 +851,12 @@ the user's home directory becomes access
> This file should be writable only by the user, and need not be
> readable by anyone else.
> .Pp
>+.It Pa /etc/hosts.allow
>+.It Pa /etc/hosts.deny
>+Access controls that should be enforced by tcp-wrappers are defined here.
>+Further details are described in
>+.Xr hosts_access 5 .
>+.Pp
> .It Pa /etc/hosts.equiv
> This file is for host-based authentication (see
> .Xr ssh 1 ) .
>@@ -954,6 +960,7 @@ The content of this file is not sensitiv
> .Xr ssh-keygen 1 ,
> .Xr ssh-keyscan 1 ,
> .Xr chroot 2 ,
>+.Xr hosts_access 5 ,
> .Xr login.conf 5 ,
> .Xr moduli 5 ,
> .Xr sshd_config 5 ,
>--- a/sshd.c
>+++ b/sshd.c
>@@ -123,6 +123,13 @@
> #include "ssh-sandbox.h"
> #include "version.h"
>
>+#ifdef LIBWRAP
>+#include <tcpd.h>
>+#include <syslog.h>
>+int allow_severity;
>+int deny_severity;
>+#endif /* LIBWRAP */
>+
> #ifndef O_NOCTTY
> #define O_NOCTTY 0
> #endif
>@@ -2054,6 +2061,24 @@ main(int ac, char **av)
> #ifdef SSH_AUDIT_EVENTS
> audit_connection_from(remote_ip, remote_port);
> #endif
>+#ifdef LIBWRAP
>+ allow_severity = options.log_facility|LOG_INFO;
>+ deny_severity = options.log_facility|LOG_WARNING;
>+ /* Check whether logins are denied from this host. */
>+ if (packet_connection_is_on_socket()) {
>+ struct request_info req;
>+
>+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
>+ fromhost(&req);
>+
>+ if (!hosts_access(&req)) {
>+ debug("Connection refused by tcp wrapper");
>+ refuse(&req);
>+ /* NOTREACHED */
>+ fatal("libwrap refuse returns");
>+ }
>+ }
>+#endif /* LIBWRAP */
>
> /* Log the connection. */
> verbose("Connection from %s port %d on %s port %d",
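Review bot: In the main() hunk, `request_init(&req, RQ_DAEMON, __progname, ...)` makes the hosts.allow/hosts.deny daemon name whatever the binary was started as, so rules written for `sshd` stop matching under another name, and hosts_access(5) grants access when no rule matches. I would add a comment above the call, `/* hosts_access(5) rules match on __progname, not a fixed "sshd". */`, and state the same in the sshd.8 text this patch adds. Separately, `options.log_facility|LOG_INFO` is only correct if `log_facility` holds a syslog `LOG_*` facility value; its declaration is outside the hunk, and if it is OpenSSH's own facility enum the deny/allow messages could be logged at an unintended priority, which matters for anyone alerting on refused connections. `fromhost()` runs before authentication and may trigger name lookups for hostname-based rules, so address-based rules are the safer recommendation. main() begins and ends outside the hunk.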