Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
Jakub Jelen 6cf9b8
--- openssh-7.4p1/configure.ac.tcp_wrappers	2016-12-23 15:36:38.745411192 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/configure.ac	2016-12-23 15:36:38.777411197 +0100
Jakub Jelen 6cf9b8
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
Petr Lautrbach f29c87
 	]
Petr Lautrbach f29c87
 )
Petr Lautrbach f29c87
 
Petr Lautrbach f29c87
+# Check whether user wants TCP wrappers support
Petr Lautrbach f29c87
+TCPW_MSG="no"
Petr Lautrbach f29c87
+AC_ARG_WITH([tcp-wrappers],
Petr Lautrbach f29c87
+	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
Petr Lautrbach f29c87
+	[
Petr Lautrbach f29c87
+		if test "x$withval" != "xno" ; then
Petr Lautrbach f29c87
+			saved_LIBS="$LIBS"
Petr Lautrbach f29c87
+			saved_LDFLAGS="$LDFLAGS"
Petr Lautrbach f29c87
+			saved_CPPFLAGS="$CPPFLAGS"
Petr Lautrbach f29c87
+			if test -n "${withval}" && \
Petr Lautrbach f29c87
+			    test "x${withval}" != "xyes"; then
Petr Lautrbach f29c87
+				if test -d "${withval}/lib"; then
Petr Lautrbach f29c87
+					if test -n "${need_dash_r}"; then
Petr Lautrbach f29c87
+						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
Petr Lautrbach f29c87
+					else
Petr Lautrbach f29c87
+						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
Petr Lautrbach f29c87
+					fi
Petr Lautrbach f29c87
+				else
Petr Lautrbach f29c87
+					if test -n "${need_dash_r}"; then
Petr Lautrbach f29c87
+						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
Petr Lautrbach f29c87
+					else
Petr Lautrbach f29c87
+						LDFLAGS="-L${withval} ${LDFLAGS}"
Petr Lautrbach f29c87
+					fi
Petr Lautrbach f29c87
+				fi
Petr Lautrbach f29c87
+				if test -d "${withval}/include"; then
Petr Lautrbach f29c87
+					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
Petr Lautrbach f29c87
+				else
Petr Lautrbach f29c87
+					CPPFLAGS="-I${withval} ${CPPFLAGS}"
Petr Lautrbach f29c87
+				fi
Petr Lautrbach f29c87
+			fi
Petr Lautrbach f29c87
+			LIBS="-lwrap $LIBS"
Petr Lautrbach f29c87
+			AC_MSG_CHECKING([for libwrap])
Petr Lautrbach f29c87
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
Petr Lautrbach f29c87
+#include <sys/types.h>
Petr Lautrbach f29c87
+#include <sys/socket.h>
Petr Lautrbach f29c87
+#include <netinet/in.h>
Petr Lautrbach f29c87
+#include <tcpd.h>
Petr Lautrbach f29c87
+int deny_severity = 0, allow_severity = 0;
Petr Lautrbach f29c87
+				]], [[
Petr Lautrbach f29c87
+	hosts_access(0);
Petr Lautrbach f29c87
+				]])], [
Petr Lautrbach f29c87
+					AC_MSG_RESULT([yes])
Petr Lautrbach f29c87
+					AC_DEFINE([LIBWRAP], [1],
Petr Lautrbach f29c87
+						[Define if you want
Petr Lautrbach f29c87
+						TCP Wrappers support])
Petr Lautrbach f29c87
+					SSHDLIBS="$SSHDLIBS -lwrap"
Petr Lautrbach f29c87
+					TCPW_MSG="yes"
Petr Lautrbach f29c87
+				], [
Petr Lautrbach f29c87
+					AC_MSG_ERROR([*** libwrap missing])
Petr Lautrbach f29c87
+				
Petr Lautrbach f29c87
+			])
Petr Lautrbach f29c87
+			LIBS="$saved_LIBS"
Petr Lautrbach f29c87
+		fi
Petr Lautrbach f29c87
+	]
Petr Lautrbach f29c87
+)
Petr Lautrbach f29c87
+
Petr Lautrbach f29c87
 # Check whether user wants to use ldns
Petr Lautrbach f29c87
 LDNS_MSG="no"
Petr Lautrbach f29c87
 AC_ARG_WITH(ldns,
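Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned at the top of the `--with-tcp-wrappers` branch but never read; only `LIBS` is restored after the link test. The `-L`/`-R`/`-I` entries for PATH therefore stay in the global flags for every later check and every program linked, although only `SSHDLIBS` receives `-lwrap`. With `need_dash_r` set, that puts a run-time library search path for a builder-supplied directory into binaries that never use libwrap. Either drop the two unused saves, or keep them and add a comment such as `# LDFLAGS/CPPFLAGS intentionally keep PATH so the final sshd link finds libwrap`.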
Jakub Jelen 6cf9b8
@@ -5214,6 +5270,7 @@ echo "                 KerberosV support
Petr Lautrbach f29c87
 echo "                   SELinux support: $SELINUX_MSG"
Petr Lautrbach f29c87
 echo "                 Smartcard support: $SCARD_MSG"
Petr Lautrbach f29c87
 echo "                     S/KEY support: $SKEY_MSG"
Petr Lautrbach f29c87
+echo "              TCP Wrappers support: $TCPW_MSG"
Petr Lautrbach f29c87
 echo "              MD5 password support: $MD5_MSG"
Petr Lautrbach f29c87
 echo "                   libedit support: $LIBEDIT_MSG"
Jakub Jelen 17b491
 echo "                   libldns support: $LDNS_MSG"
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd.8.tcp_wrappers	2016-12-23 15:36:38.759411194 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd.8	2016-12-23 15:36:38.778411197 +0100
Jakub Jelen 6cf9b8
@@ -836,6 +836,12 @@ the user's home directory becomes access
Petr Lautrbach f29c87
 This file should be writable only by the user, and need not be
Petr Lautrbach f29c87
 readable by anyone else.
Petr Lautrbach f29c87
 .Pp
Petr Lautrbach f29c87
+.It Pa /etc/hosts.allow
Petr Lautrbach f29c87
+.It Pa /etc/hosts.deny
Petr Lautrbach f29c87
+Access controls that should be enforced by tcp-wrappers are defined here.
Petr Lautrbach f29c87
+Further details are described in
Petr Lautrbach f29c87
+.Xr hosts_access 5 .
Petr Lautrbach f29c87
+.Pp
Petr Lautrbach f29c87
 .It Pa /etc/hosts.equiv
Petr Lautrbach f29c87
 This file is for host-based authentication (see
Petr Lautrbach f29c87
 .Xr ssh 1 ) .
Jakub Jelen 6cf9b8
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
Petr Lautrbach f29c87
 .Xr ssh-keygen 1 ,
Petr Lautrbach f29c87
 .Xr ssh-keyscan 1 ,
Petr Lautrbach f29c87
 .Xr chroot 2 ,
Petr Lautrbach f29c87
+.Xr hosts_access 5 ,
Petr Lautrbach f29c87
 .Xr login.conf 5 ,
Petr Lautrbach f29c87
 .Xr moduli 5 ,
Petr Lautrbach f29c87
 .Xr sshd_config 5 ,
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd.c.tcp_wrappers	2016-12-23 15:36:38.772411196 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd.c	2016-12-23 15:37:15.032417028 +0100
Jakub Jelen 6cf9b8
@@ -123,6 +123,13 @@
Petr Lautrbach f29c87
 #include "version.h"
Jakub Jelen 132f8f
 #include "ssherr.h"
Petr Lautrbach f29c87
 
Petr Lautrbach f29c87
+#ifdef LIBWRAP
Petr Lautrbach f29c87
+#include <tcpd.h>
Petr Lautrbach f29c87
+#include <syslog.h>
Petr Lautrbach f29c87
+int allow_severity;
Petr Lautrbach f29c87
+int deny_severity;
Petr Lautrbach f29c87
+#endif /* LIBWRAP */
Petr Lautrbach f29c87
+
Jakub Jelen 6cf9b8
 /* Re-exec fds */
Jakub Jelen 6cf9b8
 #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
Jakub Jelen 6cf9b8
 #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
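Review bot: The globals `allow_severity` and `deny_severity` added under `#ifdef LIBWRAP` carry no comment, and nothing in this hunk shows who reads them. libwrap expects the linking program to define these two symbols and uses them as the syslog priority for accepted and refused connections, so a one-line comment would stop a later cleanup from removing them or making them `static`, for example `/* Referenced by libwrap: syslog priorities for allowed/denied connections. */`.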
Jakub Jelen 6cf9b8
@@ -2012,6 +2019,24 @@ main(int ac, char **av)
Petr Lautrbach f29c87
 #ifdef SSH_AUDIT_EVENTS
Petr Lautrbach f29c87
 	audit_connection_from(remote_ip, remote_port);
Petr Lautrbach f29c87
 #endif
Petr Lautrbach f29c87
+#ifdef LIBWRAP
Petr Lautrbach f29c87
+	allow_severity = options.log_facility|LOG_INFO;
Petr Lautrbach f29c87
+	deny_severity = options.log_facility|LOG_WARNING;
Petr Lautrbach f29c87
+	/* Check whether logins are denied from this host. */
Petr Lautrbach f29c87
+	if (packet_connection_is_on_socket()) {
Petr Lautrbach f29c87
+		struct request_info req;
Petr Lautrbach f29c87
+
Petr Lautrbach f29c87
+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
Petr Lautrbach f29c87
+		fromhost(&req;;
Petr Lautrbach f29c87
+
Petr Lautrbach f29c87
+		if (!hosts_access(&req)) {
Petr Lautrbach f29c87
+			debug("Connection refused by tcp wrapper");
Petr Lautrbach f29c87
+			refuse(&req;;
Petr Lautrbach f29c87
+			/* NOTREACHED */
Petr Lautrbach f29c87
+			fatal("libwrap refuse returns");
Petr Lautrbach f29c87
+		}
Petr Lautrbach f29c87
+	}
Petr Lautrbach f29c87
+#endif /* LIBWRAP */
Petr Lautrbach f29c87
 
Petr Lautrbach f29c87
 	/* Log the connection. */
Jakub Jelen 535d34
 	laddr = get_local_ipaddr(sock_in);
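Review bot: A refusal by `hosts_access()` is recorded by sshd itself only through `debug(...)`, so at the default log level the only trace is whatever libwrap's `refuse()` emits at `deny_severity`. That priority is built as `options.log_facility|LOG_WARNING`; if `log_facility` holds sshd's internal facility enum rather than a syslog `LOG_*` facility value (its type is not visible in this hunk), the message may land under an unexpected facility and be missed by log monitoring. Logging the refusal through sshd's own logger, e.g. `logit("Connection from %s port %d refused by tcp wrapper", remote_ip, remote_port);`, would keep the event with the rest of the sshd log. As rendered, `fromhost(&req;;` and `refuse(&req;;` lack the closing parenthesis, which looks like a page-rendering artifact rather than the patch text. `main()` starts and ends outside the hunk.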