D29975.id88125.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D29975.id88125.diff
View Options

	Index: INSTALL
	===================================================================
	--- INSTALL
	+++ INSTALL
	@@ -79,6 +79,15 @@

	http://www.jmknoble.net/software/x11-ssh-askpass/

	+TCP Wrappers:
	+
	+If you wish to use the TCP wrappers functionality you will need at least
	+tcpd.h and libwrap.a, either in the standard include and library paths,
	+or in the directory specified by --with-tcp-wrappers. Version 7.6 is
	+known to work.
	+
	+http://ftp.porcupine.org/pub/security/index.html
	+
	LibEdit:

	sftp supports command-line editing via NetBSD's libedit. If your platform
	@@ -197,6 +206,9 @@
	--with-osfsia, --without-osfsia will enable or disable OSF1's Security
	Integration Architecture. The default for OSF1 machines is enable.

	+--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow\|deny)
	+support.
	+
	--with-md5-passwords will enable the use of MD5 passwords. Enable this
	if your operating system uses MD5 passwords and the system crypt() does
	not support them directly (see the crypt(3/3c) man page). If enabled, the
	Index: configure.ac
	===================================================================
	--- configure.ac
	+++ configure.ac
	@@ -1566,6 +1566,61 @@
	AC_MSG_RESULT([no])
	fi

	+# Check whether user wants TCP wrappers support
	+TCPW_MSG="no"
	+AC_ARG_WITH([tcp-wrappers],
	+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
	+ [
	+ if test "x$withval" != "xno" ; then
	+ saved_LIBS="$LIBS"
	+ saved_LDFLAGS="$LDFLAGS"
	+ saved_CPPFLAGS="$CPPFLAGS"
	+ if test -n "${withval}" && \
	+ test "x${withval}" != "xyes"; then
	+ if test -d "${withval}/lib"; then
	+ if test -n "${need_dash_r}"; then
	+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
	+ else
	+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
	+ fi
	+ else
	+ if test -n "${need_dash_r}"; then
	+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
	+ else
	+ LDFLAGS="-L${withval} ${LDFLAGS}"
	+ fi
	+ fi
	+ if test -d "${withval}/include"; then
	+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
	+ else
	+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
	+ fi
	+ fi
	+ LIBS="-lwrap $LIBS"
	+ AC_MSG_CHECKING([for libwrap])
	+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
	+#include <sys/types.h>
	+#include <sys/socket.h>
	+#include <netinet/in.h>
	+#include <tcpd.h>
	+int deny_severity = 0, allow_severity = 0;
	+ ]], [[
	+ hosts_access(0);
	+ ]])], [
	+ AC_MSG_RESULT([yes])
	+ AC_DEFINE([LIBWRAP], [1],
	+ [Define if you want
	+ TCP Wrappers support])
	+ SSHDLIBS="$SSHDLIBS -lwrap"
	+ TCPW_MSG="yes"
	+ ], [
	+ AC_MSG_ERROR([*** libwrap missing])
	+ ])
	+ LIBS="$saved_LIBS"
	+ fi
	+ ]
	+)
	+
	# Check whether user wants to use ldns
	LDNS_MSG="no"
	AC_ARG_WITH(ldns,
	@@ -5500,6 +5555,7 @@
	echo " OSF SIA support: $SIA_MSG"
	echo " KerberosV support: $KRB5_MSG"
	echo " SELinux support: $SELINUX_MSG"
	+echo " TCP Wrappers support: $TCPW_MSG"
	echo " MD5 password support: $MD5_MSG"
	echo " libedit support: $LIBEDIT_MSG"
	echo " libldns support: $LDNS_MSG"
	Index: sshd.8
	===================================================================
	--- sshd.8
	+++ sshd.8
	@@ -900,6 +900,12 @@
	This file should be writable only by the user, and need not be
	readable by anyone else.
	.Pp
	+.It Pa /etc/hosts.allow
	+.It Pa /etc/hosts.deny
	+Access controls that should be enforced by tcp-wrappers are defined here.
	+Further details are described in
	+.Xr hosts_access 5 .
	+.Pp
	.It Pa /etc/hosts.equiv
	This file is for host-based authentication (see
	.Xr ssh 1 ) .
	@@ -1002,6 +1008,7 @@
	.Xr ssh-keygen 1 ,
	.Xr ssh-keyscan 1 ,
	.Xr chroot 2 ,
	+.Xr hosts_access 5 ,
	.Xr login.conf 5 ,
	.Xr moduli 5 ,
	.Xr sshd_config 5 ,
	Index: sshd.c
	===================================================================
	--- sshd.c
	+++ sshd.c
	@@ -127,6 +127,13 @@
	#include "dh.h"
	#include "blacklist_client.h"

	+#ifdef LIBWRAP
	+#include <tcpd.h>
	+#include <syslog.h>
	+int allow_severity;
	+int deny_severity;
	+#endif /* LIBWRAP */
	+
	/* Re-exec fds */
	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
	@@ -2172,6 +2179,24 @@
	#ifdef SSH_AUDIT_EVENTS
	audit_connection_from(remote_ip, remote_port);
	#endif
	+#ifdef LIBWRAP
	+ allow_severity = options.log_facility\|LOG_INFO;
	+ deny_severity = options.log_facility\|LOG_WARNING;
	+ /* Check whether logins are denied from this host. */
	+ if (ssh_packet_connection_is_on_socket(ssh)) {
	+ struct request_info req;
	+
	+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
	+ fromhost(&req);
	+
	+ if (!hosts_access(&req)) {
	+ debug("Connection refused by tcp wrapper");
	+ refuse(&req);
	+ /* NOTREACHED */
	+ fatal("libwrap refuse returns");
	+ }
	+ }
	+#endif /* LIBWRAP */

	rdomain = ssh_packet_rdomain_in(ssh);

File Metadata

Mime Type: text/plain
Expires: Wed, Apr 1, 4:27 AM (3 h, 55 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 30664472
Default Alt Text: D29975.id88125.diff (4 KB)

D29975.id88125.diffNo OneTemporaryActions

D29975.id88125.diffView Options

File Metadata

Event Timeline

D29975.id88125.diff
No OneTemporary
Actions

D29975.id88125.diff
View Options