* [PATCH] openssh: Restore TCP wrappers support
@ 2015-10-23 7:34 wenzong.fan
2015-10-23 8:49 ` Jussi Kukkonen
0 siblings, 1 reply; 4+ messages in thread
From: wenzong.fan @ 2015-10-23 7:34 UTC (permalink / raw)
To: openembedded-core
From: Wenzong Fan <wenzong.fan@windriver.com>
The /etc/hosts.deny doesn't work for sshd without tcp-wrappers support,
apply below patch from Debian to fix it:
From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
Link to patch file:
http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/ \
patches/restore-tcp-wrappers.patch
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
.../openssh/openssh/restore-tcp-wrappers.patch | 174 +++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_7.1p1.bb | 4 +
2 files changed, 178 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
new file mode 100644
index 0000000..1d819fa
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
@@ -0,0 +1,174 @@
+From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Tue, 7 Oct 2014 13:22:41 +0100
+Subject: Restore TCP wrappers support
+
+Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
+and thread:
+
+ https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
+
+It is true that this reduces preauth attack surface in sshd. On the
+other hand, this support seems to be quite widely used, and abruptly
+dropping it (from the perspective of users who don't read
+openssh-unix-dev) could easily cause more serious problems in practice.
+
+It's not entirely clear what the right long-term answer for Debian is,
+but it at least probably doesn't involve dropping this feature shortly
+before a freeze.
+
+Forwarded: not-needed
+Last-Update: 2014-10-07
+
+Upstream-Status: Inappropriate
+
+Patch-Name: restore-tcp-wrappers.patch
+---
+ configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ sshd.8 | 7 +++++++
+ sshd.c | 25 +++++++++++++++++++++++++
+ 3 files changed, 89 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index df21693..4d55c46 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
+ ]
+ )
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -4928,6 +4984,7 @@ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+diff --git a/sshd.8 b/sshd.8
+index dcf20f0..5afd10f 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be world-readable.
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+diff --git a/sshd.c b/sshd.c
+index 6b85e6c..186ad55 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -129,6 +129,13 @@
+ #include <Security/AuthSession.h>
+ #endif
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ #ifndef O_NOCTTY
+ #define O_NOCTTY 0
+ #endif
+@@ -2141,6 +2148,24 @@ main(int ac, char **av)
+ #ifdef SSH_AUDIT_EVENTS
+ audit_connection_from(remote_ip, remote_port);
+ #endif
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (packet_connection_is_on_socket()) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
+
+ /* Log the connection. */
+ laddr = get_local_ipaddr(sock_in);
diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
index 40938cc..b621f62 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
@@ -20,6 +20,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://sshdgenkeys.service \
file://volatiles.99_sshd \
file://add-test-support-for-busybox.patch \
+ file://restore-tcp-wrappers.patch \
file://run-ptest"
PAM_SRC_URI = "file://sshd"
@@ -53,6 +54,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
--disable-strip \
"
+PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
+
# Since we do not depend on libbsd, we do not want configure to use it
# just because it finds libutil.h. But, specifying --disable-libutil
# causes compile errors, so...
--
1.9.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] openssh: Restore TCP wrappers support
2015-10-23 7:34 [PATCH] openssh: Restore TCP wrappers support wenzong.fan
@ 2015-10-23 8:49 ` Jussi Kukkonen
2015-10-23 10:27 ` wenzong fan
0 siblings, 1 reply; 4+ messages in thread
From: Jussi Kukkonen @ 2015-10-23 8:49 UTC (permalink / raw)
To: wenzong.fan; +Cc: Patches and discussions about the oe-core layer
[-- Attachment #1: Type: text/plain, Size: 10672 bytes --]
On 23 October 2015 at 10:34, <wenzong.fan@windriver.com> wrote:
> From: Wenzong Fan <wenzong.fan@windriver.com>
>
> The /etc/hosts.deny doesn't work for sshd without tcp-wrappers support,
> apply below patch from Debian to fix it:
>
I get that hosts.deny not doing anything after updating is a nasty surprise
(mentioning this in the release notes certainly makes sense) but ... is
bringing tcp-wrappers-support back (especially as default) the correct
solution here?
The dependencies for this feature have been described as 'poor quality
abandonware' years ago already, and there are certainly other ways to limit
access.... Is there a use case where ssh+tcpwrappers is so crucial that it
warrants going against upstream opinion on security?
- Jussi
> From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00 2001
> From: Colin Watson <cjwatson@debian.org>
> Date: Tue, 7 Oct 2014 13:22:41 +0100
> Subject: Restore TCP wrappers support
>
> Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
> and thread:
>
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
>
> It is true that this reduces preauth attack surface in sshd. On the
> other hand, this support seems to be quite widely used, and abruptly
> dropping it (from the perspective of users who don't read
> openssh-unix-dev) could easily cause more serious problems in practice.
> Link to patch file:
> http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/ \
> patches/restore-tcp-wrappers.patch
>
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> ---
> .../openssh/openssh/restore-tcp-wrappers.patch | 174
> +++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_7.1p1.bb | 4 +
> 2 files changed, 178 insertions(+)
> create mode 100644
> meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
>
> diff --git
> a/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> new file mode 100644
> index 0000000..1d819fa
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> @@ -0,0 +1,174 @@
> +From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00 2001
> +From: Colin Watson <cjwatson@debian.org>
> +Date: Tue, 7 Oct 2014 13:22:41 +0100
> +Subject: Restore TCP wrappers support
> +
> +Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
> +and thread:
> +
> +
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
> +
> +It is true that this reduces preauth attack surface in sshd. On the
> +other hand, this support seems to be quite widely used, and abruptly
> +dropping it (from the perspective of users who don't read
> +openssh-unix-dev) could easily cause more serious problems in practice.
> +
> +It's not entirely clear what the right long-term answer for Debian is,
> +but it at least probably doesn't involve dropping this feature shortly
> +before a freeze.
> +
> +Forwarded: not-needed
> +Last-Update: 2014-10-07
> +
> +Upstream-Status: Inappropriate
> +
> +Patch-Name: restore-tcp-wrappers.patch
> +---
> + configure.ac | 57
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> + sshd.8 | 7 +++++++
> + sshd.c | 25 +++++++++++++++++++++++++
> + 3 files changed, 89 insertions(+)
> +
> +diff --git a/configure.ac b/configure.ac
> +index df21693..4d55c46 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
> + ]
> + )
> +
> ++# Check whether user wants TCP wrappers support
> ++TCPW_MSG="no"
> ++AC_ARG_WITH([tcp-wrappers],
> ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support
> (optionally in PATH)],
> ++ [
> ++ if test "x$withval" != "xno" ; then
> ++ saved_LIBS="$LIBS"
> ++ saved_LDFLAGS="$LDFLAGS"
> ++ saved_CPPFLAGS="$CPPFLAGS"
> ++ if test -n "${withval}" && \
> ++ test "x${withval}" != "xyes"; then
> ++ if test -d "${withval}/lib"; then
> ++ if test -n "${need_dash_r}"; then
> ++ LDFLAGS="-L${withval}/lib
> -R${withval}/lib ${LDFLAGS}"
> ++ else
> ++ LDFLAGS="-L${withval}/lib
> ${LDFLAGS}"
> ++ fi
> ++ else
> ++ if test -n "${need_dash_r}"; then
> ++ LDFLAGS="-L${withval}
> -R${withval} ${LDFLAGS}"
> ++ else
> ++ LDFLAGS="-L${withval}
> ${LDFLAGS}"
> ++ fi
> ++ fi
> ++ if test -d "${withval}/include"; then
> ++ CPPFLAGS="-I${withval}/include
> ${CPPFLAGS}"
> ++ else
> ++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
> ++ fi
> ++ fi
> ++ LIBS="-lwrap $LIBS"
> ++ AC_MSG_CHECKING([for libwrap])
> ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
> ++#include <sys/types.h>
> ++#include <sys/socket.h>
> ++#include <netinet/in.h>
> ++#include <tcpd.h>
> ++int deny_severity = 0, allow_severity = 0;
> ++ ]], [[
> ++ hosts_access(0);
> ++ ]])], [
> ++ AC_MSG_RESULT([yes])
> ++ AC_DEFINE([LIBWRAP], [1],
> ++ [Define if you want
> ++ TCP Wrappers support])
> ++ SSHDLIBS="$SSHDLIBS -lwrap"
> ++ TCPW_MSG="yes"
> ++ ], [
> ++ AC_MSG_ERROR([*** libwrap missing])
> ++
> ++ ])
> ++ LIBS="$saved_LIBS"
> ++ fi
> ++ ]
> ++)
> ++
> + # Check whether user wants to use ldns
> + LDNS_MSG="no"
> + AC_ARG_WITH(ldns,
> +@@ -4928,6 +4984,7 @@ echo " KerberosV support: $KRB5_MSG"
> + echo " SELinux support: $SELINUX_MSG"
> + echo " Smartcard support: $SCARD_MSG"
> + echo " S/KEY support: $SKEY_MSG"
> ++echo " TCP Wrappers support: $TCPW_MSG"
> + echo " MD5 password support: $MD5_MSG"
> + echo " libedit support: $LIBEDIT_MSG"
> + echo " Solaris process contract support: $SPC_MSG"
> +diff --git a/sshd.8 b/sshd.8
> +index dcf20f0..5afd10f 100644
> +--- a/sshd.8
> ++++ b/sshd.8
> +@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
> + This file should be writable only by the user, and need not be
> + readable by anyone else.
> + .Pp
> ++.It Pa /etc/hosts.allow
> ++.It Pa /etc/hosts.deny
> ++Access controls that should be enforced by tcp-wrappers are defined here.
> ++Further details are described in
> ++.Xr hosts_access 5 .
> ++.Pp
> + .It Pa /etc/hosts.equiv
> + This file is for host-based authentication (see
> + .Xr ssh 1 ) .
> +@@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be
> world-readable.
> + .Xr ssh-keygen 1 ,
> + .Xr ssh-keyscan 1 ,
> + .Xr chroot 2 ,
> ++.Xr hosts_access 5 ,
> + .Xr login.conf 5 ,
> + .Xr moduli 5 ,
> + .Xr sshd_config 5 ,
> +diff --git a/sshd.c b/sshd.c
> +index 6b85e6c..186ad55 100644
> +--- a/sshd.c
> ++++ b/sshd.c
> +@@ -129,6 +129,13 @@
> + #include <Security/AuthSession.h>
> + #endif
> +
> ++#ifdef LIBWRAP
> ++#include <tcpd.h>
> ++#include <syslog.h>
> ++int allow_severity;
> ++int deny_severity;
> ++#endif /* LIBWRAP */
> ++
> + #ifndef O_NOCTTY
> + #define O_NOCTTY 0
> + #endif
> +@@ -2141,6 +2148,24 @@ main(int ac, char **av)
> + #ifdef SSH_AUDIT_EVENTS
> + audit_connection_from(remote_ip, remote_port);
> + #endif
> ++#ifdef LIBWRAP
> ++ allow_severity = options.log_facility|LOG_INFO;
> ++ deny_severity = options.log_facility|LOG_WARNING;
> ++ /* Check whether logins are denied from this host. */
> ++ if (packet_connection_is_on_socket()) {
> ++ struct request_info req;
> ++
> ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE,
> sock_in, 0);
> ++ fromhost(&req);
> ++
> ++ if (!hosts_access(&req)) {
> ++ debug("Connection refused by tcp wrapper");
> ++ refuse(&req);
> ++ /* NOTREACHED */
> ++ fatal("libwrap refuse returns");
> ++ }
> ++ }
> ++#endif /* LIBWRAP */
> +
> + /* Log the connection. */
> + laddr = get_local_ipaddr(sock_in);
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> index 40938cc..b621f62 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> @@ -20,6 +20,7 @@ SRC_URI = "
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> file://sshdgenkeys.service \
> file://volatiles.99_sshd \
> file://add-test-support-for-busybox.patch \
> + file://restore-tcp-wrappers.patch \
> file://run-ptest"
>
> PAM_SRC_URI = "file://sshd"
> @@ -53,6 +54,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
> --disable-strip \
> "
>
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
> # Since we do not depend on libbsd, we do not want configure to use it
> # just because it finds libutil.h. But, specifying --disable-libutil
> # causes compile errors, so...
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
[-- Attachment #2: Type: text/html, Size: 14745 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] openssh: Restore TCP wrappers support
2015-10-23 8:49 ` Jussi Kukkonen
@ 2015-10-23 10:27 ` wenzong fan
0 siblings, 0 replies; 4+ messages in thread
From: wenzong fan @ 2015-10-23 10:27 UTC (permalink / raw)
To: Jussi Kukkonen; +Cc: Patches and discussions about the oe-core layer
On 10/23/2015 04:49 PM, Jussi Kukkonen wrote:
> On 23 October 2015 at 10:34, <wenzong.fan@windriver.com
> <mailto:wenzong.fan@windriver.com>> wrote:
>
> From: Wenzong Fan <wenzong.fan@windriver.com
> <mailto:wenzong.fan@windriver.com>>
>
> The /etc/hosts.deny doesn't work for sshd without tcp-wrappers support,
> apply below patch from Debian to fix it:
>
>
> I get that hosts.deny not doing anything after updating is a nasty
> surprise (mentioning this in the release notes certainly makes sense)
> but ... is bringing tcp-wrappers-support back (especially as default)
> the correct solution here?
Would it be acceptable that bringing tcp-wrappers-support back but
disable by default?
>
> The dependencies for this feature have been described as 'poor quality
> abandonware' years ago already, and there are certainly other ways to
> limit access.... Is there a use case where ssh+tcpwrappers is so crucial
> that it warrants going against upstream opinion on security?
From users' view, it most like a change to distribution, I think this
why Debian & Fedora get it back again.
I got below comments from Debian's contributor:
https://lwn.net/Articles/615305/
Looks it's an acceptable risk. Of course, I don't object the solution of
update release notes.
Thanks
Wenzong
>
> - Jussi
>
> From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00
> 2001
> From: Colin Watson <cjwatson@debian.org <mailto:cjwatson@debian.org>>
> Date: Tue, 7 Oct 2014 13:22:41 +0100
> Subject: Restore TCP wrappers support
>
> Support for TCP wrappers was dropped in OpenSSH 6.7. See this
> message
> and thread:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
>
> It is true that this reduces preauth attack surface in sshd. On the
> other hand, this support seems to be quite widely used, and abruptly
> dropping it (from the perspective of users who don't read
> openssh-unix-dev) could easily cause more serious problems in
> practice.
> Link to patch file:
> http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/ \
> patches/restore-tcp-wrappers.patch
>
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com
> <mailto:wenzong.fan@windriver.com>>
> ---
> .../openssh/openssh/restore-tcp-wrappers.patch | 174
> +++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb> | 4 +
> 2 files changed, 178 insertions(+)
> create mode 100644
> meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
>
> diff --git
> a/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> new file mode 100644
> index 0000000..1d819fa
> --- /dev/null
> +++
> b/meta/recipes-connectivity/openssh/openssh/restore-tcp-wrappers.patch
> @@ -0,0 +1,174 @@
> +From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00 2001
> +From: Colin Watson <cjwatson@debian.org <mailto:cjwatson@debian.org>>
> +Date: Tue, 7 Oct 2014 13:22:41 +0100
> +Subject: Restore TCP wrappers support
> +
> +Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
> +and thread:
> +
> +
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
> +
> +It is true that this reduces preauth attack surface in sshd. On the
> +other hand, this support seems to be quite widely used, and abruptly
> +dropping it (from the perspective of users who don't read
> +openssh-unix-dev) could easily cause more serious problems in practice.
> +
> +It's not entirely clear what the right long-term answer for Debian is,
> +but it at least probably doesn't involve dropping this feature shortly
> +before a freeze.
> +
> +Forwarded: not-needed
> +Last-Update: 2014-10-07
> +
> +Upstream-Status: Inappropriate
> +
> +Patch-Name: restore-tcp-wrappers.patch
> +---
> + configure.ac <http://configure.ac> | 57
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> + sshd.8 | 7 +++++++
> + sshd.c | 25 +++++++++++++++++++++++++
> + 3 files changed, 89 insertions(+)
> +
> +diff --git a/configure.ac <http://configure.ac> b/configure.ac
> <http://configure.ac>
> +index df21693..4d55c46 100644
> +--- a/configure.ac <http://configure.ac>
> ++++ b/configure.ac <http://configure.ac>
> +@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
> + ]
> + )
> +
> ++# Check whether user wants TCP wrappers support
> ++TCPW_MSG="no"
> ++AC_ARG_WITH([tcp-wrappers],
> ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support
> (optionally in PATH)],
> ++ [
> ++ if test "x$withval" != "xno" ; then
> ++ saved_LIBS="$LIBS"
> ++ saved_LDFLAGS="$LDFLAGS"
> ++ saved_CPPFLAGS="$CPPFLAGS"
> ++ if test -n "${withval}" && \
> ++ test "x${withval}" != "xyes"; then
> ++ if test -d "${withval}/lib"; then
> ++ if test -n "${need_dash_r}";
> then
> ++
> LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
> ++ else
> ++
> LDFLAGS="-L${withval}/lib ${LDFLAGS}"
> ++ fi
> ++ else
> ++ if test -n "${need_dash_r}";
> then
> ++
> LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
> ++ else
> ++
> LDFLAGS="-L${withval} ${LDFLAGS}"
> ++ fi
> ++ fi
> ++ if test -d "${withval}/include"; then
> ++
> CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
> ++ else
> ++ CPPFLAGS="-I${withval}
> ${CPPFLAGS}"
> ++ fi
> ++ fi
> ++ LIBS="-lwrap $LIBS"
> ++ AC_MSG_CHECKING([for libwrap])
> ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
> ++#include <sys/types.h>
> ++#include <sys/socket.h>
> ++#include <netinet/in.h>
> ++#include <tcpd.h>
> ++int deny_severity = 0, allow_severity = 0;
> ++ ]], [[
> ++ hosts_access(0);
> ++ ]])], [
> ++ AC_MSG_RESULT([yes])
> ++ AC_DEFINE([LIBWRAP], [1],
> ++ [Define if you want
> ++ TCP Wrappers support])
> ++ SSHDLIBS="$SSHDLIBS -lwrap"
> ++ TCPW_MSG="yes"
> ++ ], [
> ++ AC_MSG_ERROR([*** libwrap
> missing])
> ++
> ++ ])
> ++ LIBS="$saved_LIBS"
> ++ fi
> ++ ]
> ++)
> ++
> + # Check whether user wants to use ldns
> + LDNS_MSG="no"
> + AC_ARG_WITH(ldns,
> +@@ -4928,6 +4984,7 @@ echo " KerberosV support:
> $KRB5_MSG"
> + echo " SELinux support: $SELINUX_MSG"
> + echo " Smartcard support: $SCARD_MSG"
> + echo " S/KEY support: $SKEY_MSG"
> ++echo " TCP Wrappers support: $TCPW_MSG"
> + echo " MD5 password support: $MD5_MSG"
> + echo " libedit support: $LIBEDIT_MSG"
> + echo " Solaris process contract support: $SPC_MSG"
> +diff --git a/sshd.8 b/sshd.8
> +index dcf20f0..5afd10f 100644
> +--- a/sshd.8
> ++++ b/sshd.8
> +@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
> + This file should be writable only by the user, and need not be
> + readable by anyone else.
> + .Pp
> ++.It Pa /etc/hosts.allow
> ++.It Pa /etc/hosts.deny
> ++Access controls that should be enforced by tcp-wrappers are
> defined here.
> ++Further details are described in
> ++.Xr hosts_access 5 .
> ++.Pp
> + .It Pa /etc/hosts.equiv
> + This file is for host-based authentication (see
> + .Xr ssh 1 ) .
> +@@ -956,6 +962,7 @@ The content of this file is not sensitive; it
> can be world-readable.
> + .Xr ssh-keygen 1 ,
> + .Xr ssh-keyscan 1 ,
> + .Xr chroot 2 ,
> ++.Xr hosts_access 5 ,
> + .Xr login.conf 5 ,
> + .Xr moduli 5 ,
> + .Xr sshd_config 5 ,
> +diff --git a/sshd.c b/sshd.c
> +index 6b85e6c..186ad55 100644
> +--- a/sshd.c
> ++++ b/sshd.c
> +@@ -129,6 +129,13 @@
> + #include <Security/AuthSession.h>
> + #endif
> +
> ++#ifdef LIBWRAP
> ++#include <tcpd.h>
> ++#include <syslog.h>
> ++int allow_severity;
> ++int deny_severity;
> ++#endif /* LIBWRAP */
> ++
> + #ifndef O_NOCTTY
> + #define O_NOCTTY 0
> + #endif
> +@@ -2141,6 +2148,24 @@ main(int ac, char **av)
> + #ifdef SSH_AUDIT_EVENTS
> + audit_connection_from(remote_ip, remote_port);
> + #endif
> ++#ifdef LIBWRAP
> ++ allow_severity = options.log_facility|LOG_INFO;
> ++ deny_severity = options.log_facility|LOG_WARNING;
> ++ /* Check whether logins are denied from this host. */
> ++ if (packet_connection_is_on_socket()) {
> ++ struct request_info req;
> ++
> ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE,
> sock_in, 0);
> ++ fromhost(&req);
> ++
> ++ if (!hosts_access(&req)) {
> ++ debug("Connection refused by tcp wrapper");
> ++ refuse(&req);
> ++ /* NOTREACHED */
> ++ fatal("libwrap refuse returns");
> ++ }
> ++ }
> ++#endif /* LIBWRAP */
> +
> + /* Log the connection. */
> + laddr = get_local_ipaddr(sock_in);
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> index 40938cc..b621f62 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> +++ b/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
> <http://openssh_7.1p1.bb>
> @@ -20,6 +20,7 @@ SRC_URI =
> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> file://sshdgenkeys.service \
> file://volatiles.99_sshd \
> file://add-test-support-for-busybox.patch \
> + file://restore-tcp-wrappers.patch \
> file://run-ptest"
>
> PAM_SRC_URI = "file://sshd"
> @@ -53,6 +54,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
> --disable-strip \
> "
>
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
> # Since we do not depend on libbsd, we do not want configure to use it
> # just because it finds libutil.h. But, specifying --disable-libutil
> # causes compile errors, so...
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> <mailto:Openembedded-core@lists.openembedded.org>
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] openssh: Restore TCP wrappers support
@ 2018-07-13 6:03 changqing.li
0 siblings, 0 replies; 4+ messages in thread
From: changqing.li @ 2018-07-13 6:03 UTC (permalink / raw)
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
From: Wenzong Fan <wenzong.fan@windriver.com>
The /etc/hosts.deny doesn't work for sshd without tcp-wrappers support,
apply below patch from Debian to fix it.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../0001-Restore-TCP-wrappers-support.patch | 171 +++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_7.7p1.bb | 4 +
2 files changed, 175 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch b/meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch
new file mode 100644
index 0000000..5f3efa6
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch
@@ -0,0 +1,171 @@
+From 03cdbc92adf763f9ff5bb89f7820f9e1734f745b Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 13 Jul 2018 12:16:18 +0800
+Subject: [PATCH] Restore TCP wrappers support
+
+Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
+and thread:
+
+ https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
+
+It is true that this reduces preauth attack surface in sshd. On the
+other hand, this support seems to be quite widely used, and abruptly
+dropping it (from the perspective of users who don't read
+openssh-unix-dev) could easily cause more serious problems in practice.
+
+Upstream-Status: Inappropriate
+
+This patch was imported by wenzong firstly, the following sign is not
+the origin author, just adjust it to fit for new version of openssh.
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ configure.ac | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ sshd.8 | 7 +++++++
+ sshd.c | 26 ++++++++++++++++++++++++++
+ 3 files changed, 89 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 663062b..a2accdd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1542,6 +1542,61 @@ AC_ARG_WITH([skey],
+ ]
+ )
+
++#Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5216,6 +5271,7 @@ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
+ echo " S/KEY support: $SKEY_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " libldns support: $LDNS_MSG"
+diff --git a/sshd.8 b/sshd.8
+index 968ba66..c8299d5 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable.
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+diff --git a/sshd.c b/sshd.c
+index fd95b68..82607d8 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -123,6 +123,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -2036,6 +2043,25 @@ main(int ac, char **av)
+ audit_connection_from(remote_ip, remote_port);
+ #endif
+
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (packet_connection_is_on_socket()) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+ rdomain = ssh_packet_rdomain_in(ssh);
+
+ /* Log the connection. */
diff --git a/meta/recipes-connectivity/openssh/openssh_7.7p1.bb b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
index b3da5f6..0696587 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
file://disable-ciphers-not-supported-by-OpenSSL-DES.patch \
+ file://0001-Restore-TCP-wrappers-support.patch \
"
PAM_SRC_URI = "file://sshd"
@@ -61,6 +62,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
# musl doesn't implement wtmp/utmp
EXTRA_OECONF_append_libc-musl = " --disable-wtmp"
+PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
+
# Since we do not depend on libbsd, we do not want configure to use it
# just because it finds libutil.h. But, specifying --disable-libutil
# causes compile errors, so...
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-07-13 6:03 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-23 7:34 [PATCH] openssh: Restore TCP wrappers support wenzong.fan
2015-10-23 8:49 ` Jussi Kukkonen
2015-10-23 10:27 ` wenzong fan
-- strict thread matches above, loose matches on Subject: below --
2018-07-13 6:03 changqing.li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox