diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.tcp_wrappers	2015-03-18 13:05:57.365071779 +0100
+++ openssh-6.8p1/configure.ac	2015-03-18 13:05:57.408071673 +0100
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
 	]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+			saved_LIBS="$LIBS"
+			saved_LDFLAGS="$LDFLAGS"
+			saved_CPPFLAGS="$CPPFLAGS"
+			if test -n "${withval}" && \
+			    test "x${withval}" != "xyes"; then
+				if test -d "${withval}/lib"; then
+					if test -n "${need_dash_r}"; then
+						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+					else
+						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+					fi
+				else
+					if test -n "${need_dash_r}"; then
+						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+					else
+						LDFLAGS="-L${withval} ${LDFLAGS}"
+					fi
+				fi
+				if test -d "${withval}/include"; then
+					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+				else
+					CPPFLAGS="-I${withval} ${CPPFLAGS}"
+				fi
+			fi
+			LIBS="-lwrap $LIBS"
+			AC_MSG_CHECKING([for libwrap])
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+				]], [[
+	hosts_access(0);
+				]])], [
+					AC_MSG_RESULT([yes])
+					AC_DEFINE([LIBWRAP], [1],
+						[Define if you want
+						TCP Wrappers support])
+					SSHDLIBS="$SSHDLIBS -lwrap"
+					TCPW_MSG="yes"
+				], [
+					AC_MSG_ERROR([*** libwrap missing])
+				
+			])
+			LIBS="$saved_LIBS"
+		fi
+	]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
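Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured at the top of the `--with-tcp-wrappers` branch but never restored — only `LIBS="$saved_LIBS"` is undone at the end — so either they are dead variables or the `-L`/`-I` additions are meant to persist for the rest of the build. If the latter is intended (sshd.c needs `<tcpd.h>`, and libwrap itself is linked only through the separate `SSHDLIBS="$SSHDLIBS -lwrap"`), say so explicitly, e.g. `# LDFLAGS/CPPFLAGS stay extended so sshd.c can find <tcpd.h>; only LIBS is restored because libwrap is linked via SSHDLIBS`, and drop the two unused saves; otherwise restore them next to LIBS so a custom PATH does not leak into every later configure test. Failing with `AC_MSG_ERROR` when libwrap was requested but cannot be linked is the right choice: a build that asked for wrappers cannot silently ship without them.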
@@ -5026,6 +5082,7 @@ echo "                 KerberosV support
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
--- openssh-6.8p1/sshd.8.tcp_wrappers	2015-03-18 13:05:57.377071749 +0100
+++ openssh-6.8p1/sshd.8	2015-03-18 13:05:57.408071673 +0100
@@ -858,6 +858,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -981,6 +987,7 @@ IPv6 address can be used everywhere wher
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.tcp_wrappers	2015-03-18 13:05:57.402071688 +0100
+++ openssh-6.8p1/sshd.c	2015-03-18 13:06:48.199947136 +0100
@@ -125,6 +125,13 @@
 #include "version.h"
 #include "ssherr.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
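Review bot: `allow_severity` and `deny_severity` are introduced as bare file-scope globals with nothing saying why sshd has to define them; they are presumably the two symbols libwrap expects the calling program to provide for its allow/deny syslog priority, and the later sshd.c hunk assigns them per connection from `options.log_facility`. A comment above them such as `/* Required by libwrap: syslog priorities for allowed/denied connections; set in main() from options.log_facility before hosts_access() */` would make that contract clear to the next maintainer and explain why `<syslog.h>` is pulled in here.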
@@ -2150,6 +2157,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 	audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+	allow_severity = options.log_facility|LOG_INFO;
+	deny_severity = options.log_facility|LOG_WARNING;
+	/* Check whether logins are denied from this host. */
+	if (packet_connection_is_on_socket()) {
+		struct request_info req;
+
+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+		fromhost(&req;;
+
+		if (!hosts_access(&req)) {
+			debug("Connection refused by tcp wrapper");
+			refuse(&req;;
+			/* NOTREACHED */
+			fatal("libwrap refuse returns");
+		}
+	}
+#endif /* LIBWRAP */
 
 	/* Log the connection. */
 	verbose("Connection from %s port %d on %s port %d",
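Review bot: As rendered, `fromhost(&req;;` and `refuse(&req;;` are missing their closing parenthesis and would not compile; this looks like a display artifact of `fromhost(&req);` and `refuse(&req);`, but it is worth confirming against the patch file itself before it is applied. The name passed as `RQ_DAEMON` is `__progname`, so hosts.allow/hosts.deny rules are matched against whatever name sshd was started under rather than a fixed `sshd` (assuming `__progname` is derived from argv[0], as it is elsewhere in main); a comment above `request_init` such as `/* hosts.allow/deny rules key on the invocation name (normally "sshd") */` would spare operators that surprise. Note also that the whole check is bypassed when the connection is not on a socket, and that sshd's own log of a refusal is only at debug level (libwrap's `refuse()` presumably syslogs at `deny_severity`, but that is not visible here); adding `else debug("tcp wrapper check skipped: connection is not on a socket");` documents the bypass in the log. The enclosing main() starts and ends outside the hunk.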