From 316553ade0f76a568d47c9af09555a4a3b16e112 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 16 Jan 2018 15:06:23 +0100
Subject: [PATCH] Remove TCP wrappers support (#1530163)

---
 ...sh-6.7p1-debian-restore-tcp-wrappers.patch | 140 ------------------
 openssh.spec | 6 -
 2 files changed, 146 deletions(-)
 delete mode 100644 openssh-6.7p1-debian-restore-tcp-wrappers.patch

diff --git a/openssh-6.7p1-debian-restore-tcp-wrappers.patch b/openssh-6.7p1-debian-restore-tcp-wrappers.patch
deleted file mode 100644
index 2bd6fdf..0000000
--- a/openssh-6.7p1-debian-restore-tcp-wrappers.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
---- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100
-+++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100
-@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
- ]
- )
- 
-+# Check whether user wants TCP wrappers support
-+TCPW_MSG="no"
-+AC_ARG_WITH([tcp-wrappers],
-+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
-+ [
-+ if test "x$withval" != "xno" ; then
-+ saved_LIBS="$LIBS"
-+ saved_LDFLAGS="$LDFLAGS"
-+ saved_CPPFLAGS="$CPPFLAGS"
-+ if test -n "${withval}" && \
-+ test "x${withval}" != "xyes"; then
-+ if test -d "${withval}/lib"; then
-+ if test -n "${need_dash_r}"; then
-+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-+ else
-+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-+ fi
-+ else
-+ if test -n "${need_dash_r}"; then
-+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-+ else
-+ LDFLAGS="-L${withval} ${LDFLAGS}"
-+ fi
-+ fi
-+ if test -d "${withval}/include"; then
-+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-+ else
-+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
-+ fi
-+ fi
-+ LIBS="-lwrap $LIBS"
-+ AC_MSG_CHECKING([for libwrap])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-+#include
-+#include
-+#include
-+#include
-+int deny_severity = 0, allow_severity = 0;
-+ ]], [[
-+ hosts_access(0);
-+ ]])], [
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE([LIBWRAP], [1],
-+ [Define if you want
-+ TCP Wrappers support])
-+ SSHDLIBS="$SSHDLIBS -lwrap"
-+ TCPW_MSG="yes"
-+ ], [
-+ AC_MSG_ERROR([*** libwrap missing])
-+
-+ ])
-+ LIBS="$saved_LIBS"
-+ fi
-+ ]
-+)
-+
- # Check whether user wants to use ldns
- LDNS_MSG="no"
- AC_ARG_WITH(ldns,
-@@ -5214,6 +5270,7 @@ echo " KerberosV support
- echo " SELinux support: $SELINUX_MSG"
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
-+echo " TCP Wrappers support: $TCPW_MSG"
- echo " MD5 password support: $MD5_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " libldns support: $LDNS_MSG"
-diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
---- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
-+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
-@@ -836,6 +836,12 @@ the user's home directory becomes access
- This file should be writable only by the user, and need not be
- readable by anyone else.
- .Pp
-+.It Pa /etc/hosts.allow
-+.It Pa /etc/hosts.deny
-+Access controls that should be enforced by tcp-wrappers are defined here.
-+Further details are described in
-+.Xr hosts_access 5 .
-+.Pp
- .It Pa /etc/hosts.equiv
- This file is for host-based authentication (see
- .Xr ssh 1 ) .
-@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
- .Xr ssh-keygen 1 ,
- .Xr ssh-keyscan 1 ,
- .Xr chroot 2 ,
-+.Xr hosts_access 5 ,
- .Xr login.conf 5 ,
- .Xr moduli 5 ,
- .Xr sshd_config 5 ,
-diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
---- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100
-+++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100
-@@ -123,6 +123,13 @@
- #include "version.h"
- #include "ssherr.h"
- 
-+#ifdef LIBWRAP
-+#include
-+#include
-+int allow_severity;
-+int deny_severity;
-+#endif /* LIBWRAP */
-+
- /* Re-exec fds */
- #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
- #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-@@ -2012,6 +2019,24 @@ main(int ac, char **av)
- #ifdef SSH_AUDIT_EVENTS
- audit_connection_from(remote_ip, remote_port);
- #endif
-+#ifdef LIBWRAP
-+ allow_severity = options.log_facility|LOG_INFO;
-+ deny_severity = options.log_facility|LOG_WARNING;
-+ /* Check whether logins are denied from this host. */
-+ if (packet_connection_is_on_socket()) {
-+ struct request_info req;
-+
-+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
-+ fromhost(&req);
-+
-+ if (!hosts_access(&req)) {
-+ debug("Connection refused by tcp wrapper");
-+ refuse(&req);
-+ /* NOTREACHED */
-+ fatal("libwrap refuse returns");
-+ }
-+ }
-+#endif /* LIBWRAP */
- 
- /* Log the connection. */
- laddr = get_local_ipaddr(sock_in);
diff --git a/openssh.spec b/openssh.spec
index 7ad44b5..7735185 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -205,9 +205,6 @@ Patch918: openssh-6.6.1p1-log-in-chroot.patch
 Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
 # Config parser shouldn't accept ip/port syntax (#1130733)
 Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
-# restore tcp wrappers support, based on Debian patch
-# https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
-Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch
 # apply upstream patch and make sshd -T more consistent (#1187521)
 Patch922: openssh-6.8p1-sshdT-output.patch
 # Add sftp option to force mode of created files (#1191055)
@@ -258,7 +255,6 @@ BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
 BuildRequires: pam-devel
-BuildRequires: tcp_wrappers-devel
 BuildRequires: fipscheck-devel >= 1.3.0
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
@@ -444,7 +440,6 @@ popd
 %patch919 -p1 -b .scp
 %patch920 -p1 -b .config
 %patch802 -p1 -b .GSSAPIEnablek5users
-%patch921 -p1 -b .tcp_wrappers
 %patch922 -p1 -b .sshdt
 %patch926 -p1 -b .sftp-force-mode
 %patch928 -p1 -b .memory
@@ -515,7 +510,6 @@ fi
 --sysconfdir=%{_sysconfdir}/ssh \
 --libexecdir=%{_libexecdir}/openssh \
 --datadir=%{_datadir}/openssh \
- --with-tcp-wrappers \
 --with-default-path=/usr/local/bin:/usr/bin \
 --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
 --with-privsep-path=%{_var}/empty/sshd \
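Review bot: Dropping `--with-tcp-wrappers` from the configure call means the built sshd no longer runs the hosts_access() gate that the deleted sshd.c hunk above inserted before "Log the connection", so sshd rules in /etc/hosts.allow and /etc/hosts.deny silently stop being enforced on upgrade, which widens access for any host that was relying on a deny rule. The diffstat shows 146 deletions and no insertions, so nothing in this commit tells administrators that this access-control path is gone. Suggest adding a %changelog entry along the lines of `- Remove TCP wrappers support (#1530163): sshd no longer consults /etc/hosts.allow and /etc/hosts.deny; migrate such rules to sshd_config Match blocks or the host firewall`, and, if packaging policy permits, a %post check that warns when either file still names sshd. The configure invocation this hunk belongs to starts and ends outside the hunk.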