File openssh-7.2p2-tcpwrappers.patch of Package openssh.29886

From 734365c2441255fb409cc2542262de39dda68e17 Mon Sep 17 00:00:00 2001
From: Old openssh patches <pcerny@suse.com>
Date: Wed, 26 Oct 2022 09:59:03 +0200
Subject: [PATCH] openssh-7.2p2-tcpwrappers

# HG changeset patch
# Parent  327e611bd491d65826fb6de435250c037ed7e307
Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it
run-time switchable through the new UseTCPWrappers option for sshd.
---
 configure.ac  | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++
 servconf.c    | 11 ++++++++++
 servconf.h    |  1 +
 sshd.8        |  7 +++++++
 sshd.c        | 28 +++++++++++++++++++++++++
 sshd_config   |  1 +
 sshd_config.0 | 11 ++++++++++
 sshd_config.5 | 16 +++++++++++++++
 8 files changed, 132 insertions(+)

diff --git a/configure.ac b/configure.ac
index 2c79bae6..c0d5c820 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1506,6 +1506,62 @@ AC_ARG_WITH([skey],
 	]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+			saved_LIBS="$LIBS"
+			saved_LDFLAGS="$LDFLAGS"
+			saved_CPPFLAGS="$CPPFLAGS"
+			if test -n "${withval}" && \
+			    test "x${withval}" != "xyes"; then
+				if test -d "${withval}/lib"; then
+					if test -n "${need_dash_r}"; then
+						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+					else
+						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+					fi
+				else
+					if test -n "${need_dash_r}"; then
+						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+					else
+						LDFLAGS="-L${withval} ${LDFLAGS}"
+					fi
+				fi
+				if test -d "${withval}/include"; then
+					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+				else
+					CPPFLAGS="-I${withval} ${CPPFLAGS}"
+				fi
+			fi
+			LIBS="-lwrap $LIBS"
+			AC_MSG_CHECKING([for libwrap])
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+				]], [[
+	hosts_access(0);
+				]])], [
+					AC_MSG_RESULT([yes])
+					AC_DEFINE([LIBWRAP], [1],
+						[Define if you want
+						TCP Wrappers support])
+					SSHDLIBS="$SSHDLIBS -lwrap"
+					TCPW_MSG="yes"
+				], [
+					AC_MSG_ERROR([*** libwrap missing])
+				
+			])
+			LIBS="$saved_LIBS"
+		fi
+	]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
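Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured at the top of the --with-tcp-wrappers branch but never restored, whereas `saved_LIBS` is restored after the link test. If leaving the -L/-I flags in effect is deliberate (plausible, since sshd.c later includes <tcpd.h> and links -lwrap via SSHDLIBS), the two assignments are dead and should be dropped; otherwise restore them next to `LIBS="$saved_LIBS"`. A one-line comment such as `# LDFLAGS/CPPFLAGS intentionally keep the libwrap paths for the sshd build` would make the intent clear either way. The blank line before the closing `])` of AC_LINK_IFELSE is harmless but reads like a truncated line.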
@@ -5164,6 +5220,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/servconf.c b/servconf.c
index 8fe7a10d..e70ba44a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -178,6 +178,7 @@ initialize_server_options(ServerOptions *options)
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
+	options->use_tcpwrappers = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -397,6 +398,9 @@ fill_default_server_options(ServerOptions *options)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 	options->fingerprint_hash =
 		fips_correct_dgst(options->fingerprint_hash);
+	if (options->use_tcpwrappers == -1) {
+		options->use_tcpwrappers = 0;
+	}
 
 	assemble_algorithms(options);
 
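Review bot: The code default set here, `options->use_tcpwrappers = 0`, does not match what the rest of the patch tells users: sshd_config.0 states "The default is yes" and the sample sshd_config shows `#UseTCPWrappers yes` (sample entries conventionally show the default), while sshd_config.5 says "no". Pick one and make the three files agree with this line; given the warning text in the manual, keeping the code default of 0 and fixing the two documents seems the intended outcome. The same two manual hunks also cite hosts_accept(5) where the page is hosts_access(5), as the sshd.8 hunk correctly has it.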
@@ -476,6 +480,7 @@ typedef enum {
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
 	sAllowStreamLocalForwarding, sFingerprintHash,
+	sUseTCPWrappers,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -627,6 +632,7 @@ static struct {
 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+	{ "usetcpwrappers", sUseTCPWrappers, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1250,6 +1256,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->hostbased_uses_name_from_packet_only;
 		goto parse_flag;
 
+	case sUseTCPWrappers:
+		intptr = &options->use_tcpwrappers;
+		goto parse_flag;
+
 	case sHostbasedAcceptedKeyTypes:
 		charptr = &options->hostbased_key_types;
  parse_keytypes:
@@ -2405,6 +2415,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+	dump_cfg_fmtint(sUseTCPWrappers, o->use_tcpwrappers);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
index c19858c5..c0f5de23 100644
--- a/servconf.h
+++ b/servconf.h
@@ -201,6 +201,7 @@ typedef struct {
 	char   *auth_methods[MAX_AUTH_METHODS];
 
 	int	fingerprint_hash;
+	int	use_tcpwrappers;
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */
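Review bot: The new `use_tcpwrappers` field is the only one in this hunk without any hint of its semantics or the config keyword it backs. A trailing comment in the style of the surrounding header, `int	use_tcpwrappers;	/* UseTCPWrappers: consult libwrap hosts_access(5) before serving a connection */`, would let readers of servconf.h find the option without opening sshd.c.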
diff --git a/sshd.8 b/sshd.8
index dce962e9..79af2aae 100644
--- a/sshd.8
+++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -1003,6 +1009,7 @@ be blocked until enough entropy is available.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.defs 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index cb96491a..ac2a98d3 100644
--- a/sshd.c
+++ b/sshd.c
@@ -137,6 +137,13 @@
 #include <Security/AuthSession.h>
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
@@ -2303,6 +2310,27 @@ main(int ac, char **av)
 	audit_connection_from(remote_ip, remote_port);
 #endif
 
+#ifdef LIBWRAP
+	if (options.use_tcpwrappers) {
+		allow_severity = options.log_facility|LOG_INFO;
+		deny_severity = options.log_facility|LOG_WARNING;
+		/* Check whether logins are denied from this host. */
+		if (packet_connection_is_on_socket()) {
+			struct request_info req;
+
+			request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+			fromhost(&req);
+
+			if (!hosts_access(&req)) {
+				debug("Connection refused by tcp wrapper");
+				refuse(&req);
+				/* NOTREACHED */
+				fatal("libwrap refuse returns");
+			}
+		}
+	}
+#endif /* LIBWRAP */
+
 	/* Log the connection. */
 	laddr = get_local_ipaddr(sock_in);
 	verbose("Connection from %s port %d on %s port %d",
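Review bot: `allow_severity = options.log_facility|LOG_INFO;` and the deny line below it OR what appears to be sshd's own SyslogFacility enumeration (small sequential values in log.h, not the syslog(3) LOG_* facility codes) into the priority libwrap hands to syslog(3); if that reading is right, the low bits of the enum corrupt the priority field and the message does not go to the configured facility. Worth confirming against log.h and, if so, translating the enum to a LOG_* facility before ORing, or documenting why the value is acceptable. The `fatal("libwrap refuse returns")` after `refuse()` is a sound belt-and-braces guard and deserves to stay. This block sits inside main(), whose body begins and ends outside the hunk.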
diff --git a/sshd_config b/sshd_config
index 97709a3a..6230748c 100644
--- a/sshd_config
+++ b/sshd_config
@@ -125,6 +125,7 @@ X11Forwarding yes
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
+#UseTCPWrappers yes
 
 # no default banner path
 #Banner none
diff --git a/sshd_config.0 b/sshd_config.0
index e7c97e8b..1b1c8741 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -1013,6 +1013,17 @@ DESCRIPTION
              authentication unprivileged process is subject to additional
              restrictions.  The default is M-bM-^@M-^\sandboxM-bM-^@M-^].
 
+     UseTCPWrappers
+             When set to "yes" , TCP wrappers (libwrap) are used to determine
+             whether a connection from a remote system should be allowed as
+             specified in hosts_accept(5).  The default is "yes".
+
+             Warning: This functionality has been backported for backward
+             compatibility and should be avoided, since libwrap pulls in a
+             whole load of security issues.  Moving to sshd's internal host
+             matching is highly recommended - see the Match keyword for
+             details.
+
      VersionAddendum
              Optionally specifies additional text to append to the SSH
              protocol banner sent by the server upon connection.  The default
diff --git a/sshd_config.5 b/sshd_config.5
index 5a75f55b..5d4c1339 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1662,6 +1662,22 @@ then the pre-authentication unprivileged process is subject to additional
 restrictions.
 The default is
 .Dq sandbox .
+.It Cm UseTCPWrappers
+When set to
+.Dq yes
+, TCP wrappers (libwrap) are used to determine whether a connection from a
+remote system should be allowed as specified in
+.Xr hosts_accept 5 .
+The default is
+.Dq no .
+
+.Em Warning: This functionality has been backported for backward \
+compatibility and should be avoided, since libwrap pulls in a whole load of \
+security issues.
+Moving to sshd's internal host matching is highly
+recommended - see the
+.Cm Match
+keyword for details.
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
-- 
2.38.0
