restore tcp wrappers support, based on Debian patch

https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
2015-01-20 17:06:46 +01:00 · 2015-01-20 17:06:46 +01:00 · f29c8784c6
commit f29c8784c6
parent 1900351913
2 changed files with 145 additions and 0 deletions
--- a/openssh-6.7p1-debian-restore-tcp-wrappers.patch
+++ b/openssh-6.7p1-debian-restore-tcp-wrappers.patch
@ -0,0 +1,140 @@
 diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
 --- openssh-6.7p1/configure.ac.tcp_wrappers	2015-01-20 16:58:39.829111746 +0100
 +++ openssh-6.7p1/configure.ac	2015-01-20 16:58:39.870111159 +0100
@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
 	]
 )
 +# Check whether user wants TCP wrappers support
 +TCPW_MSG="no"
 +AC_ARG_WITH([tcp-wrappers],
 +	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
 +	[
 +		if test "x$withval" != "xno" ; then
 +			saved_LIBS="$LIBS"
 +			saved_LDFLAGS="$LDFLAGS"
 +			saved_CPPFLAGS="$CPPFLAGS"
 +			if test -n "${withval}" && \
 +			    test "x${withval}" != "xyes"; then
 +				if test -d "${withval}/lib"; then
 +					if test -n "${need_dash_r}"; then
 +						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
 +					else
 +						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
 +					fi
 +				else
 +					if test -n "${need_dash_r}"; then
 +						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
 +					else
 +						LDFLAGS="-L${withval} ${LDFLAGS}"
 +					fi
 +				fi
 +				if test -d "${withval}/include"; then
 +					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
 +				else
 +					CPPFLAGS="-I${withval} ${CPPFLAGS}"
 +				fi
 +			fi
 +			LIBS="-lwrap $LIBS"
 +			AC_MSG_CHECKING([for libwrap])
 +			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 +#include <sys/types.h>
 +#include <sys/socket.h>
 +#include <netinet/in.h>
 +#include <tcpd.h>
 +int deny_severity = 0, allow_severity = 0;
 +				]], [[
 +	hosts_access(0);
 +				]])], [
 +					AC_MSG_RESULT([yes])
 +					AC_DEFINE([LIBWRAP], [1],
 +						[Define if you want
 +						TCP Wrappers support])
 +					SSHDLIBS="$SSHDLIBS -lwrap"
 +					TCPW_MSG="yes"
 +				], [
 +					AC_MSG_ERROR([*** libwrap missing])
 +				
 +			])
 +			LIBS="$saved_LIBS"
 +		fi
 +	]
 +)
 +
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4959,6 +5015,7 @@ echo "                 KerberosV support
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8
 --- openssh-6.7p1/sshd.8.tcp_wrappers	2015-01-20 16:58:39.838111617 +0100
 +++ openssh-6.7p1/sshd.8	2015-01-20 16:58:39.871111145 +0100
@@ -858,6 +858,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
 +.It Pa /etc/hosts.allow
 +.It Pa /etc/hosts.deny
 +Access controls that should be enforced by tcp-wrappers are defined here.
 +Further details are described in
 +.Xr hosts_access 5 .
 +.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -981,6 +987,7 @@ IPv6 address can be used everywhere wher
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 +.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
 diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c
 --- openssh-6.7p1/sshd.c.tcp_wrappers	2015-01-20 16:58:39.863111259 +0100
 +++ openssh-6.7p1/sshd.c	2015-01-20 16:59:12.992636776 +0100
@@ -123,6 +123,13 @@
 #include "ssh-sandbox.h"
 #include "version.h"
 +#ifdef LIBWRAP
 +#include <tcpd.h>
 +#include <syslog.h>
 +int allow_severity;
 +int deny_severity;
 +#endif /* LIBWRAP */
 +
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
@@ -2078,6 +2085,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 	audit_connection_from(remote_ip, remote_port);
 #endif
 +#ifdef LIBWRAP
 +	allow_severity = options.log_facility|LOG_INFO;
 +	deny_severity = options.log_facility|LOG_WARNING;
 +	/* Check whether logins are denied from this host. */
 +	if (packet_connection_is_on_socket()) {
 +		struct request_info req;
 +
 +		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
 +		fromhost(&req);
 +
 +		if (!hosts_access(&req)) {
 +			debug("Connection refused by tcp wrapper");
 +			refuse(&req);
 +			/* NOTREACHED */
 +			fatal("libwrap refuse returns");
 +		}
 +	}
 +#endif /* LIBWRAP */
 	/* Log the connection. */
 	verbose("Connection from %s port %d on %s port %d",
--- a/openssh.spec
+++ b/openssh.spec
@ -219,6 +219,10 @@ Patch918: openssh-6.6.1p1-log-in-chroot.patch
 Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
 # Config parser shouldn't accept ip/port syntax (#1130733)
 Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
 # restore tcp wrappers support, based on Debian patch
 # https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
 Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch
 License: BSD
 Group: Applications/Internet
@ -424,6 +428,7 @@ popd
 %patch919 -p1 -b .scp
 %patch920 -p1 -b .config
 %patch802 -p1 -b .GSSAPIEnablek5users
 %patch921 -p1 -b .tcp_wrappers
 %patch200 -p1 -b .audit
 %patch700 -p1 -b .fips