From: wenzong fan <wenzong.fan@windriver.com>
To: Jussi Kukkonen <jussi.kukkonen@intel.com>
Cc: Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] openssh: Restore TCP wrappers support
Date: Fri, 23 Oct 2015 18:27:08 +0800 [thread overview]
Message-ID: <562A0B7C.4010700@windriver.com> (raw)
In-Reply-To: <CAHiDW_HpQFMVnh5Zrty1zhjN2z8_vdKqLJLg73PNrttsWA0dUA@mail.gmail.com>
On 10/23/2015 04:49 PM, Jussi Kukkonen wrote:
> On 23 October 2015 at 10:34, <wenzong.fan@windriver.com
> <mailto:wenzong.fan@windriver.com>> wrote:
>
> From: Wenzong Fan <wenzong.fan@windriver.com
> <mailto:wenzong.fan@windriver.com>>
>
> The /etc/hosts.deny doesn't work for sshd without tcp-wrappers support,
> apply below patch from Debian to fix it:
>
>
> I get that hosts.deny not doing anything after updating is a nasty
> surprise (mentioning this in the release notes certainly makes sense)
> but ... is bringing tcp-wrappers-support back (especially as default)
> the correct solution here?
Would it be acceptable that bringing tcp-wrappers-support back but
disable by default?
>
> The dependencies for this feature have been described as 'poor quality
> abandonware' years ago already, and there are certainly other ways to
> limit access.... Is there a use case where ssh+tcpwrappers is so crucial
> that it warrants going against upstream opinion on security?
From users' view, it most like a change to distribution, I think this
why Debian & Fedora get it back again.
I got below comments from Debian's contributor:
https://lwn.net/Articles/615305/
Looks it's an acceptable risk. Of course, I don't object the solution of
update release notes.
Thanks
Wenzong
>
> - Jussi
>
> From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00
> 2001
> From: Colin Watson <cjwatson@debian.org <mailto:cjwatson@debian.org>>
> Date: Tue, 7 Oct 2014 13:22:41 +0100
> Subject: Restore TCP wrappers support
>
> Support for TCP wrappers was dropped in OpenSSH 6.7. See this
> message
> and thread:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
>
> It is true that this reduces preauth attack surface in sshd. On the
> other hand, this support seems to be quite widely used, and abruptly
> dropping it (from the perspective of users who don't read
> openssh-unix-dev) could easily cause more serious problems in
> practice.
> Link to patch file:
> http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/ \
> patches/restore-tcp-wrappers.patch
>
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com
> <mailto:wenzong.fan@windriver.com>>
> ---
> .../openssh/openssh/restore-tcp-wrappers.patch | 174
> +++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb> | 4 +
> 2 files changed, 178 insertions(+)
> create mode 100644
> meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
>
> diff --git
> a/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> new file mode 100644
> index 0000000..1d819fa
> --- /dev/null
> +++
> b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> @@ -0,0 +1,174 @@
> +From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00 2001
> +From: Colin Watson <cjwatson@debian.org <mailto:cjwatson@debian.org>>
> +Date: Tue, 7 Oct 2014 13:22:41 +0100
> +Subject: Restore TCP wrappers support
> +
> +Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
> +and thread:
> +
> +
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
> +
> +It is true that this reduces preauth attack surface in sshd. On the
> +other hand, this support seems to be quite widely used, and abruptly
> +dropping it (from the perspective of users who don't read
> +openssh-unix-dev) could easily cause more serious problems in practice.
> +
> +It's not entirely clear what the right long-term answer for Debian is,
> +but it at least probably doesn't involve dropping this feature shortly
> +before a freeze.
> +
> +Forwarded: not-needed
> +Last-Update: 2014-10-07
> +
> +Upstream-Status: Inappropriate
> +
> +Patch-Name: restore-tcp-wrappers.patch
> +---
> + configure.ac <http://configure.ac> | 57
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> + sshd.8 | 7 +++++++
> + sshd.c | 25 +++++++++++++++++++++++++
> + 3 files changed, 89 insertions(+)
> +
> +diff --git a/configure.ac <http://configure.ac> b/configure.ac
> <http://configure.ac>
> +index df21693..4d55c46 100644
> +--- a/configure.ac <http://configure.ac>
> ++++ b/configure.ac <http://configure.ac>
> +@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
> + ]
> + )
> +
> ++# Check whether user wants TCP wrappers support
> ++TCPW_MSG="no"
> ++AC_ARG_WITH([tcp-wrappers],
> ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support
> (optionally in PATH)],
> ++ [
> ++ if test "x$withval" != "xno" ; then
> ++ saved_LIBS="$LIBS"
> ++ saved_LDFLAGS="$LDFLAGS"
> ++ saved_CPPFLAGS="$CPPFLAGS"
> ++ if test -n "${withval}" && \
> ++ test "x${withval}" != "xyes"; then
> ++ if test -d "${withval}/lib"; then
> ++ if test -n "${need_dash_r}";
> then
> ++
> LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
> ++ else
> ++
> LDFLAGS="-L${withval}/lib ${LDFLAGS}"
> ++ fi
> ++ else
> ++ if test -n "${need_dash_r}";
> then
> ++
> LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
> ++ else
> ++
> LDFLAGS="-L${withval} ${LDFLAGS}"
> ++ fi
> ++ fi
> ++ if test -d "${withval}/include"; then
> ++
> CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
> ++ else
> ++ CPPFLAGS="-I${withval}
> ${CPPFLAGS}"
> ++ fi
> ++ fi
> ++ LIBS="-lwrap $LIBS"
> ++ AC_MSG_CHECKING([for libwrap])
> ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
> ++#include <sys/types.h>
> ++#include <sys/socket.h>
> ++#include <netinet/in.h>
> ++#include <tcpd.h>
> ++int deny_severity = 0, allow_severity = 0;
> ++ ]], [[
> ++ hosts_access(0);
> ++ ]])], [
> ++ AC_MSG_RESULT([yes])
> ++ AC_DEFINE([LIBWRAP], [1],
> ++ [Define if you want
> ++ TCP Wrappers support])
> ++ SSHDLIBS="$SSHDLIBS -lwrap"
> ++ TCPW_MSG="yes"
> ++ ], [
> ++ AC_MSG_ERROR([*** libwrap
> missing])
> ++
> ++ ])
> ++ LIBS="$saved_LIBS"
> ++ fi
> ++ ]
> ++)
> ++
> + # Check whether user wants to use ldns
> + LDNS_MSG="no"
> + AC_ARG_WITH(ldns,
> +@@ -4928,6 +4984,7 @@ echo " KerberosV support:
> $KRB5_MSG"
> + echo " SELinux support: $SELINUX_MSG"
> + echo " Smartcard support: $SCARD_MSG"
> + echo " S/KEY support: $SKEY_MSG"
> ++echo " TCP Wrappers support: $TCPW_MSG"
> + echo " MD5 password support: $MD5_MSG"
> + echo " libedit support: $LIBEDIT_MSG"
> + echo " Solaris process contract support: $SPC_MSG"
> +diff --git a/sshd.8 b/sshd.8
> +index dcf20f0..5afd10f 100644
> +--- a/sshd.8
> ++++ b/sshd.8
> +@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
> + This file should be writable only by the user, and need not be
> + readable by anyone else.
> + .Pp
> ++.It Pa /etc/hosts.allow
> ++.It Pa /etc/hosts.deny
> ++Access controls that should be enforced by tcp-wrappers are
> defined here.
> ++Further details are described in
> ++.Xr hosts_access 5 .
> ++.Pp
> + .It Pa /etc/hosts.equiv
> + This file is for host-based authentication (see
> + .Xr ssh 1 ) .
> +@@ -956,6 +962,7 @@ The content of this file is not sensitive; it
> can be world-readable.
> + .Xr ssh-keygen 1 ,
> + .Xr ssh-keyscan 1 ,
> + .Xr chroot 2 ,
> ++.Xr hosts_access 5 ,
> + .Xr login.conf 5 ,
> + .Xr moduli 5 ,
> + .Xr sshd_config 5 ,
> +diff --git a/sshd.c b/sshd.c
> +index 6b85e6c..186ad55 100644
> +--- a/sshd.c
> ++++ b/sshd.c
> +@@ -129,6 +129,13 @@
> + #include <Security/AuthSession.h>
> + #endif
> +
> ++#ifdef LIBWRAP
> ++#include <tcpd.h>
> ++#include <syslog.h>
> ++int allow_severity;
> ++int deny_severity;
> ++#endif /* LIBWRAP */
> ++
> + #ifndef O_NOCTTY
> + #define O_NOCTTY 0
> + #endif
> +@@ -2141,6 +2148,24 @@ main(int ac, char **av)
> + #ifdef SSH_AUDIT_EVENTS
> + audit_connection_from(remote_ip, remote_port);
> + #endif
> ++#ifdef LIBWRAP
> ++ allow_severity = options.log_facility|LOG_INFO;
> ++ deny_severity = options.log_facility|LOG_WARNING;
> ++ /* Check whether logins are denied from this host. */
> ++ if (packet_connection_is_on_socket()) {
> ++ struct request_info req;
> ++
> ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE,
> sock_in, 0);
> ++ fromhost(&req);
> ++
> ++ if (!hosts_access(&req)) {
> ++ debug("Connection refused by tcp wrapper");
> ++ refuse(&req);
> ++ /* NOTREACHED */
> ++ fatal("libwrap refuse returns");
> ++ }
> ++ }
> ++#endif /* LIBWRAP */
> +
> + /* Log the connection. */
> + laddr = get_local_ipaddr(sock_in);
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> index 40938cc..b621f62 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> +++ b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> @@ -20,6 +20,7 @@ SRC_URI =
> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> file://sshdgenkeys.service \
> file://volatiles.99_sshd \
> file://add-test-support-for-busybox.patch \
> + file://restore-tcp-wrappers.patch \
> file://run-ptest"
>
> PAM_SRC_URI = "file://sshd"
> @@ -53,6 +54,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
> --disable-strip \
> "
>
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
> # Since we do not depend on libbsd, we do not want configure to use it
> # just because it finds libutil.h. But, specifying --disable-libutil
> # causes compile errors, so...
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> <mailto:Openembedded-core@lists.openembedded.org>
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>
next prev parent reply other threads:[~2015-10-23 10:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-23 7:34 [PATCH] openssh: Restore TCP wrappers support wenzong.fan
2015-10-23 8:49 ` Jussi Kukkonen
2015-10-23 10:27 ` wenzong fan [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-07-13 6:03 changqing.li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=562A0B7C.4010700@windriver.com \
--to=wenzong.fan@windriver.com \
--cc=jussi.kukkonen@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.