Remove TCP wrappers support (#1530163)

openssh-6.7p1-debian-restore-tcp-wrappers.patch

@@ -1,140 +0,0 @@
-diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
---- openssh-7.4p1/configure.ac.tcp_wrappers	2016-12-23 15:36:38.745411192 +0100
-+++ openssh-7.4p1/configure.ac	2016-12-23 15:36:38.777411197 +0100
-@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
- 	]
- )
- 
-+# Check whether user wants TCP wrappers support
-+TCPW_MSG="no"
-+AC_ARG_WITH([tcp-wrappers],
-+	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
-+	[
-+		if test "x$withval" != "xno" ; then
-+			saved_LIBS="$LIBS"
-+			saved_LDFLAGS="$LDFLAGS"
-+			saved_CPPFLAGS="$CPPFLAGS"
-+			if test -n "${withval}" && \
-+			    test "x${withval}" != "xyes"; then
-+				if test -d "${withval}/lib"; then
-+					if test -n "${need_dash_r}"; then
-+						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-+					else
-+						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-+					fi
-+				else
-+					if test -n "${need_dash_r}"; then
-+						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-+					else
-+						LDFLAGS="-L${withval} ${LDFLAGS}"
-+					fi
-+				fi
-+				if test -d "${withval}/include"; then
-+					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-+				else
-+					CPPFLAGS="-I${withval} ${CPPFLAGS}"
-+				fi
-+			fi
-+			LIBS="-lwrap $LIBS"
-+			AC_MSG_CHECKING([for libwrap])
-+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-+#include <sys/types.h>
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <tcpd.h>
-+int deny_severity = 0, allow_severity = 0;
-+				]], [[
-+	hosts_access(0);
-+				]])], [
-+					AC_MSG_RESULT([yes])
-+					AC_DEFINE([LIBWRAP], [1],
-+						[Define if you want
-+						TCP Wrappers support])
-+					SSHDLIBS="$SSHDLIBS -lwrap"
-+					TCPW_MSG="yes"
-+				], [
-+					AC_MSG_ERROR([*** libwrap missing])
-+				
-+			])
-+			LIBS="$saved_LIBS"
-+		fi
-+	]
-+)
-+
- # Check whether user wants to use ldns
- LDNS_MSG="no"
- AC_ARG_WITH(ldns,
-@@ -5214,6 +5270,7 @@ echo "                 KerberosV support
- echo "                   SELinux support: $SELINUX_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
-+echo "              TCP Wrappers support: $TCPW_MSG"
- echo "              MD5 password support: $MD5_MSG"
- echo "                   libedit support: $LIBEDIT_MSG"
- echo "                   libldns support: $LDNS_MSG"
-diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
---- openssh-7.4p1/sshd.8.tcp_wrappers	2016-12-23 15:36:38.759411194 +0100
-+++ openssh-7.4p1/sshd.8	2016-12-23 15:36:38.778411197 +0100
-@@ -836,6 +836,12 @@ the user's home directory becomes access
- This file should be writable only by the user, and need not be
- readable by anyone else.
- .Pp
-+.It Pa /etc/hosts.allow
-+.It Pa /etc/hosts.deny
-+Access controls that should be enforced by tcp-wrappers are defined here.
-+Further details are described in
-+.Xr hosts_access 5 .
-+.Pp
- .It Pa /etc/hosts.equiv
- This file is for host-based authentication (see
- .Xr ssh 1 ) .
-@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
- .Xr ssh-keygen 1 ,
- .Xr ssh-keyscan 1 ,
- .Xr chroot 2 ,
-+.Xr hosts_access 5 ,
- .Xr login.conf 5 ,
- .Xr moduli 5 ,
- .Xr sshd_config 5 ,
-diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
---- openssh-7.4p1/sshd.c.tcp_wrappers	2016-12-23 15:36:38.772411196 +0100
-+++ openssh-7.4p1/sshd.c	2016-12-23 15:37:15.032417028 +0100
-@@ -123,6 +123,13 @@
- #include "version.h"
- #include "ssherr.h"
- 
-+#ifdef LIBWRAP
-+#include <tcpd.h>
-+#include <syslog.h>
-+int allow_severity;
-+int deny_severity;
-+#endif /* LIBWRAP */
-+
- /* Re-exec fds */
- #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
- #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-@@ -2012,6 +2019,24 @@ main(int ac, char **av)
- #ifdef SSH_AUDIT_EVENTS
- 	audit_connection_from(remote_ip, remote_port);
- #endif
-+#ifdef LIBWRAP
-+	allow_severity = options.log_facility|LOG_INFO;
-+	deny_severity = options.log_facility|LOG_WARNING;
-+	/* Check whether logins are denied from this host. */
-+	if (packet_connection_is_on_socket()) {
-+		struct request_info req;
-+
-+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
-+		fromhost(&req);
-+
-+		if (!hosts_access(&req)) {
-+			debug("Connection refused by tcp wrapper");
-+			refuse(&req);
-+			/* NOTREACHED */
-+			fatal("libwrap refuse returns");
-+		}
-+	}
-+#endif /* LIBWRAP */
- 
- 	/* Log the connection. */
- 	laddr = get_local_ipaddr(sock_in);

openssh.spec

@@ -205,9 +205,6 @@ Patch918: openssh-6.6.1p1-log-in-chroot.patch
 Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
 # Config parser shouldn't accept ip/port syntax (#1130733)
 Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
-# restore tcp wrappers support, based on Debian patch
-# https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
-Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch
 # apply upstream patch and make sshd -T more consistent (#1187521)
 Patch922: openssh-6.8p1-sshdT-output.patch
 # Add sftp option to force mode of created files (#1191055)
@@ -258,7 +255,6 @@ BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
 BuildRequires: pam-devel
-BuildRequires: tcp_wrappers-devel
 BuildRequires: fipscheck-devel >= 1.3.0
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
@@ -444,7 +440,6 @@ popd
 %patch919 -p1 -b .scp
 %patch920 -p1 -b .config
 %patch802 -p1 -b .GSSAPIEnablek5users
-%patch921 -p1 -b .tcp_wrappers
 %patch922 -p1 -b .sshdt
 %patch926 -p1 -b .sftp-force-mode
 %patch928 -p1 -b .memory
@@ -515,7 +510,6 @@ fi
 	--sysconfdir=%{_sysconfdir}/ssh \
 	--libexecdir=%{_libexecdir}/openssh \
 	--datadir=%{_datadir}/openssh \
-	--with-tcp-wrappers \
 	--with-default-path=/usr/local/bin:/usr/bin \
 	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
 	--with-privsep-path=%{_var}/empty/sshd \