
D53270.diff

Index: security/openssh-portable/files/patch-sshd.c
===================================================================
--- security/openssh-portable/files/patch-sshd.c
+++ security/openssh-portable/files/patch-sshd.c
@@ -41,28 +41,108 @@
#include <sys/ioctl.h>
+#include <sys/mman.h>
#include <sys/socket.h>
- #ifdef HAVE_SYS_STAT_H
- # include <sys/stat.h>
-@@ -69,6 +70,13 @@
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -63,6 +64,15 @@
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
-+#ifdef GSSAPI
-+#include "ssh-gss.h"
++#if defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H)
++#include <gssapi/gssapi.h>
++#elif defined(GSSAPI) && defined(HAVE_GSSAPI_H)
++#include <gssapi.h>
+#endif
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "sshpty.h"
-@@ -1671,7 +1679,30 @@ main(int ac, char **av)
- for (i = 0; i < options.num_log_verbose; i++)
- log_verbose_add(options.log_verbose[i]);
+@@ -90,6 +100,10 @@
+ #include "ssh-gss.h"
+ #endif
+ #include "monitor_wrap.h"
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++#endif /* LIBWRAP */
-+#ifdef __FreeBSD__
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+@@ -925,7 +939,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *n
+ socklen_t fromlen;
+ u_char rnd[256];
+ sigset_t nsigset, osigset;
++#ifdef LIBWRAP
++ struct request_info req;
+
++ request_init(&req, RQ_DAEMON, __progname, 0);
++#endif
++
+ /* pipes connected to unauthenticated child sshd processes */
+ child_alloc();
+ startup_pollfd = xcalloc(options.max_startups, sizeof(int));
+@@ -1133,6 +1152,42 @@ server_accept_loop(int *sock_in, int *sock_out, int *n
+ usleep(100 * 1000);
+ continue;
+ }
++#ifdef LIBWRAP
++ /* Check whether logins are denied from this host. */
++ request_set(&req, RQ_FILE, *newsock,
++ RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
++ sock_host(&req);
++ if (!hosts_access(&req)) {
++ const struct linger l = { .l_onoff = 1,
++ .l_linger = 0 };
++
++ (void )setsockopt(*newsock, SOL_SOCKET,
++ SO_LINGER, &l, sizeof(l));
++ (void )close(*newsock);
++ /*
++ * Mimic message from libwrap's refuse() as
++ * precisely as we can afford. The authentic
++ * message prints the IP address and the
++ * hostname it resolves to in parentheses. If
++ * the IP address cannot be resolved to a
++ * hostname, the IP address will be repeated
++ * in parentheses. As name resolution in the
++ * main server loop could stall, and logging
++ * resolved names adds little or no value to
++ * incident investigation, this implementation
++ * only repeats the IP address in parentheses.
++ * This should resemble librwap's refuse()
++ * closely enough not to break auditing
++ * software like sshguard or custom scripts.
++ */
++ syslog(LOG_WARNING,
++ "refused connect from %s (%s)",
++ eval_hostaddr(req.client),
++ eval_hostaddr(req.client));
++ debug("Connection refused by tcp wrapper");
++ continue;
++ }
++#endif /* LIBWRAP */
+ if (unset_nonblock(*newsock) == -1) {
+ close(*newsock);
+ continue;
+@@ -1825,6 +1880,10 @@ main(int ac, char **av)
+ /* Reinitialize the log (because of the fork above). */
+ log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
++ /* Avoid killing the process in high-pressure swapping environments. */
++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ debug("madvise(): %.200s", strerror(errno));
++
/*
+ * Chdir to the root directory so that the current disk can be
+ * unmounted if desired.
+@@ -1910,6 +1969,28 @@ main(int ac, char **av)
+ execv(rexec_argv[0], rexec_argv);
+
+ fatal("rexec of %s failed: %s", rexec_argv[0], strerror(errno));
++#ifdef __FreeBSD__
++ /*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
@@ -83,19 +163,6 @@
+ }
+#endif
+#endif
-+
-+ /*
- * If not in debugging mode, not started from inetd and not already
- * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
- * terminal, and fork. The original process exits.
-@@ -1687,6 +1718,10 @@ main(int ac, char **av)
- /* Reinitialize the log (because of the fork above). */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ }
-+ /* Avoid killing the process in high-pressure swapping environments. */
-+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ debug("madvise(): %.200s", strerror(errno));
-+
- /*
- * Chdir to the root directory so that the current disk can be
- * unmounted if desired.
+ /* server specific fatal cleanup */
