slackware-current/source/n/openssh/openssh.tcp_wrappers.diff

140 lines
3.9 KiB
Diff
Raw Normal View History

--- ./sshd.8.orig 2022-02-23 05:31:11.000000000 -0600
+++ ./sshd.8 2022-02-24 13:28:36.533888569 -0600
@@ -908,6 +908,12 @@
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -1010,6 +1016,7 @@
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
--- ./configure.ac.orig 2022-02-23 05:31:11.000000000 -0600
+++ ./configure.ac 2022-02-24 13:30:10.535883370 -0600
@@ -1599,6 +1599,62 @@
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap -lnsl $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap -lnsl"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5593,6 +5649,7 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
--- ./sshd.c.orig 2022-02-23 05:31:11.000000000 -0600
+++ ./sshd.c 2022-02-24 13:28:36.533888569 -0600
@@ -129,6 +129,13 @@
#include "srclimit.h"
#include "dh.h"
Sat Feb 15 02:42:28 UTC 2020 a/kernel-generic-5.4.20-x86_64-1.txz: Upgraded. a/kernel-huge-5.4.20-x86_64-1.txz: Upgraded. a/kernel-modules-5.4.20-x86_64-1.txz: Upgraded. a/shadow-4.8.1-x86_64-3.txz: Rebuilt. a/util-linux-2.35.1-x86_64-3.txz: Rebuilt. d/kernel-headers-5.4.20-x86-1.txz: Upgraded. k/kernel-source-5.4.20-noarch-1.txz: Upgraded. l/ConsoleKit2-1.2.1-x86_64-2.txz: Rebuilt. l/dconf-editor-3.34.4-x86_64-1.txz: Upgraded. l/libxkbcommon-0.10.0-x86_64-1.txz: Added. l/openal-soft-1.19.1-x86_64-1.txz: Added. l/qt5-5.13.2-x86_64-1.txz: Added. Thanks to alienBOB. n/openssh-8.2p1-x86_64-1.txz: Upgraded. Potentially incompatible changes: * ssh(1), sshd(8): the removal of "ssh-rsa" from the accepted CASignatureAlgorithms list. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag. * sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups. x/mesa-19.3.4-x86_64-2.txz: Rebuilt. Reverted "[PATCH] swr: Fix GCC 4.9 checks." which makes X fail to start with an illegal instruction on some hardware. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/PAM/ConsoleKit2-1.2.1-x86_64-2_pam.txz: Rebuilt. Rebuilt with --disable-libcgmanager to fix setting limits on PAM. Thanks to gattocarlo. testing/packages/PAM/openssh-8.2p1-x86_64-1_pam.txz: Upgraded. testing/packages/PAM/shadow-4.8.1-x86_64-3_pam.txz: Rebuilt. Moved some of the /etc/pam.d/ file to the util-linux package where they more properly belong. testing/packages/PAM/util-linux-2.35.1-x86_64-3_pam.txz: Rebuilt. Added some /etc/pam.d/ files previously in the shadow package. Changed /etc/pam.d/{chfn,chsh} and made chfn/chsh setuid root to fix them. Added /etc/pam.d/{runuser,runuser-l}. usb-and-pxe-installers/usbboot.img: Rebuilt.
2020-02-15 03:42:28 +01:00
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
Sat Feb 15 02:42:28 UTC 2020 a/kernel-generic-5.4.20-x86_64-1.txz: Upgraded. a/kernel-huge-5.4.20-x86_64-1.txz: Upgraded. a/kernel-modules-5.4.20-x86_64-1.txz: Upgraded. a/shadow-4.8.1-x86_64-3.txz: Rebuilt. a/util-linux-2.35.1-x86_64-3.txz: Rebuilt. d/kernel-headers-5.4.20-x86-1.txz: Upgraded. k/kernel-source-5.4.20-noarch-1.txz: Upgraded. l/ConsoleKit2-1.2.1-x86_64-2.txz: Rebuilt. l/dconf-editor-3.34.4-x86_64-1.txz: Upgraded. l/libxkbcommon-0.10.0-x86_64-1.txz: Added. l/openal-soft-1.19.1-x86_64-1.txz: Added. l/qt5-5.13.2-x86_64-1.txz: Added. Thanks to alienBOB. n/openssh-8.2p1-x86_64-1.txz: Upgraded. Potentially incompatible changes: * ssh(1), sshd(8): the removal of "ssh-rsa" from the accepted CASignatureAlgorithms list. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag. * sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups. x/mesa-19.3.4-x86_64-2.txz: Rebuilt. Reverted "[PATCH] swr: Fix GCC 4.9 checks." which makes X fail to start with an illegal instruction on some hardware. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/PAM/ConsoleKit2-1.2.1-x86_64-2_pam.txz: Rebuilt. Rebuilt with --disable-libcgmanager to fix setting limits on PAM. Thanks to gattocarlo. testing/packages/PAM/openssh-8.2p1-x86_64-1_pam.txz: Upgraded. testing/packages/PAM/shadow-4.8.1-x86_64-3_pam.txz: Rebuilt. Moved some of the /etc/pam.d/ file to the util-linux package where they more properly belong. testing/packages/PAM/util-linux-2.35.1-x86_64-3_pam.txz: Rebuilt. Added some /etc/pam.d/ files previously in the shadow package. Changed /etc/pam.d/{chfn,chsh} and made chfn/chsh setuid root to fix them. Added /etc/pam.d/{runuser,runuser-l}. usb-and-pxe-installers/usbboot.img: Rebuilt.
2020-02-15 03:42:28 +01:00
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
Sat Feb 15 02:42:28 UTC 2020 a/kernel-generic-5.4.20-x86_64-1.txz: Upgraded. a/kernel-huge-5.4.20-x86_64-1.txz: Upgraded. a/kernel-modules-5.4.20-x86_64-1.txz: Upgraded. a/shadow-4.8.1-x86_64-3.txz: Rebuilt. a/util-linux-2.35.1-x86_64-3.txz: Rebuilt. d/kernel-headers-5.4.20-x86-1.txz: Upgraded. k/kernel-source-5.4.20-noarch-1.txz: Upgraded. l/ConsoleKit2-1.2.1-x86_64-2.txz: Rebuilt. l/dconf-editor-3.34.4-x86_64-1.txz: Upgraded. l/libxkbcommon-0.10.0-x86_64-1.txz: Added. l/openal-soft-1.19.1-x86_64-1.txz: Added. l/qt5-5.13.2-x86_64-1.txz: Added. Thanks to alienBOB. n/openssh-8.2p1-x86_64-1.txz: Upgraded. Potentially incompatible changes: * ssh(1), sshd(8): the removal of "ssh-rsa" from the accepted CASignatureAlgorithms list. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag. * sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups. x/mesa-19.3.4-x86_64-2.txz: Rebuilt. Reverted "[PATCH] swr: Fix GCC 4.9 checks." which makes X fail to start with an illegal instruction on some hardware. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/PAM/ConsoleKit2-1.2.1-x86_64-2_pam.txz: Rebuilt. Rebuilt with --disable-libcgmanager to fix setting limits on PAM. Thanks to gattocarlo. testing/packages/PAM/openssh-8.2p1-x86_64-1_pam.txz: Upgraded. testing/packages/PAM/shadow-4.8.1-x86_64-3_pam.txz: Rebuilt. Moved some of the /etc/pam.d/ file to the util-linux package where they more properly belong. testing/packages/PAM/util-linux-2.35.1-x86_64-3_pam.txz: Rebuilt. Added some /etc/pam.d/ files previously in the shadow package. Changed /etc/pam.d/{chfn,chsh} and made chfn/chsh setuid root to fix them. Added /etc/pam.d/{runuser,runuser-l}. usb-and-pxe-installers/usbboot.img: Rebuilt.
2020-02-15 03:42:28 +01:00
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2138,6 +2145,26 @@
Thu Apr 18 21:13:58 UTC 2019 ap/ksh93-20190416_7d7bba3e-x86_64-1.txz: Upgraded. ap/sysstat-12.1.4-x86_64-1.txz: Upgraded. l/gvfs-1.40.1-x86_64-2.txz: Rebuilt. Recompiled against libcdio-2.1.0. l/icu4c-64.2-x86_64-1.txz: Upgraded. l/libcddb-1.3.2-x86_64-6.txz: Rebuilt. Recompiled against libcdio-2.1.0. l/libcdio-2.1.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/libcdio-paranoia-10.2+2.0.0-x86_64-2.txz: Rebuilt. Recompiled against libcdio-2.1.0. l/zstd-1.4.0-x86_64-1.txz: Upgraded. n/dhcpcd-7.2.0-x86_64-1.txz: Upgraded. n/dovecot-2.3.5.2-x86_64-1.txz: Upgraded. This update fixes a security issue: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10691 (* Security fix *) n/nghttp2-1.38.0-x86_64-1.txz: Upgraded. n/openssh-8.0p1-x86_64-1.txz: Upgraded. This release contains a mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 (* Security fix *) xap/MPlayer-20190418-x86_64-1.txz: Upgraded. Compiled against libcdio-2.1.0. xap/audacious-plugins-3.10.1-x86_64-2.txz: Rebuilt. Recompiled against libcdio-2.1.0. extra/pure-alsa-system/MPlayer-20190418-x86_64-1_alsa.txz: Upgraded. Compiled against libcdio-2.1.0. extra/pure-alsa-system/audacious-plugins-3.10.1-x86_64-2_alsa.txz: Rebuilt. Recompiled against libcdio-2.1.0.
2019-04-18 23:13:58 +02:00
the_active_state = ssh;
ssh_packet_set_server(ssh);
+/* Moved LIBWRAP check here */
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
Thu Apr 18 21:13:58 UTC 2019 ap/ksh93-20190416_7d7bba3e-x86_64-1.txz: Upgraded. ap/sysstat-12.1.4-x86_64-1.txz: Upgraded. l/gvfs-1.40.1-x86_64-2.txz: Rebuilt. Recompiled against libcdio-2.1.0. l/icu4c-64.2-x86_64-1.txz: Upgraded. l/libcddb-1.3.2-x86_64-6.txz: Rebuilt. Recompiled against libcdio-2.1.0. l/libcdio-2.1.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/libcdio-paranoia-10.2+2.0.0-x86_64-2.txz: Rebuilt. Recompiled against libcdio-2.1.0. l/zstd-1.4.0-x86_64-1.txz: Upgraded. n/dhcpcd-7.2.0-x86_64-1.txz: Upgraded. n/dovecot-2.3.5.2-x86_64-1.txz: Upgraded. This update fixes a security issue: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10691 (* Security fix *) n/nghttp2-1.38.0-x86_64-1.txz: Upgraded. n/openssh-8.0p1-x86_64-1.txz: Upgraded. This release contains a mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 (* Security fix *) xap/MPlayer-20190418-x86_64-1.txz: Upgraded. Compiled against libcdio-2.1.0. xap/audacious-plugins-3.10.1-x86_64-2.txz: Rebuilt. Recompiled against libcdio-2.1.0. extra/pure-alsa-system/MPlayer-20190418-x86_64-1_alsa.txz: Upgraded. Compiled against libcdio-2.1.0. extra/pure-alsa-system/audacious-plugins-3.10.1-x86_64-2_alsa.txz: Rebuilt. Recompiled against libcdio-2.1.0.
2019-04-18 23:13:58 +02:00
+ if (ssh_packet_connection_is_on_socket(ssh)) { /* This check must be after ssh_packet_set_connection() */
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
+
check_ip_options(ssh);
/* Prepare the channels layer */