[OE-core] [PATCH] openssh: Restore TCP wrappers support --> remove tcp-wrappers in next release?
Randy MacLeod
randy.macleod at windriver.com
Fri Jul 20 19:59:46 UTC 2018
On 07/13/2018 02:03 AM, changqing.li at windriver.com wrote:
> From: Changqing Li <changqing.li at windriver.com>
>
> From: Wenzong Fan <wenzong.fan at windriver.com>
>
> The /etc/hosts.deny doesn't work for sshd without tcp-wrappers support,
> apply below patch from Debian to fix it.
>
> Signed-off-by: Changqing Li <changqing.li at windriver.com>
> ---
> .../0001-Restore-TCP-wrappers-support.patch | 171 +++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_7.7p1.bb | 4 +
> 2 files changed, 175 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch b/meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch
> new file mode 100644
> index 0000000..5f3efa6
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/0001-Restore-TCP-wrappers-support.patch
> @@ -0,0 +1,171 @@
> +From 03cdbc92adf763f9ff5bb89f7820f9e1734f745b Mon Sep 17 00:00:00 2001
> +From: Changqing Li <changqing.li at windriver.com>
> +Date: Fri, 13 Jul 2018 12:16:18 +0800
> +Subject: [PATCH] Restore TCP wrappers support
> +
> +Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
> +and thread:
> +
> + https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
> +
> +It is true that this reduces preauth attack surface in sshd. On the
> +other hand, this support seems to be quite widely used, and abruptly
> +dropping it (from the perspective of users who don't read
> +openssh-unix-dev) could easily cause more serious problems in practice.
> +
> +Upstream-Status: Inappropriate
> +
> +This patch was imported by wenzong firstly, the following sign is not
> +the origin author, just adjust it to fit for new version of openssh.
I suppose we can do this for one more release but
we shouldn't carry tcp-wrappers support [1] forever without
considering alternatives.
FYI,
Fedora has started a process to deprecate tcp-wrappers:
https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
The first step is to require that individual services use the
tcp-wrapper tcpd monitor. There is (of course!) a systemd solution:
Add simple eBPF-based per-unit IP access lists and accounting
https://github.com/systemd/systemd/pull/6764
That went into v235, in October 2017.
I'm not sure what plans Debian or other distros have.
Buildroot doesn't seem to support tcp-wrappers at all.
If there are no objections to removing tcp-wrappers from oe-core
in 2.7/2.8, I will open a YP Bugzilla enhancement next week.
../Randy
[1] There are a number of packages that optionally depend
on tcp-wrappers:
oe-core:
$ rgrep -il "PACKAGECONFIG\[tcp-wrappers\]" *
meta/recipes-connectivity/nfs-utils/nfs-utils_2.3.1.bb
meta/recipes-connectivity/socat/socat_1.7.3.2.bb
meta/recipes-extended/quota/quota_4.04.bb
meta/recipes-extended/xinetd/xinetd_2.3.15.bb
meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb
meta-oe:
$ rgrep -il "PACKAGECONFIG\[tcp-wrappers\]" *
meta-networking/recipes-daemons/atftp/atftp_git.bb
meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
> +
> +Signed-off-by: Changqing Li <changqing.li at windriver.com>
> +
> +---
> + configure.ac | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> + sshd.8 | 7 +++++++
> + sshd.c | 26 ++++++++++++++++++++++++++
> + 3 files changed, 89 insertions(+)
> +
> +diff --git a/configure.ac b/configure.ac
> +index 663062b..a2accdd 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -1542,6 +1542,61 @@ AC_ARG_WITH([skey],
> + ]
> + )
> +
> ++#Check whether user wants TCP wrappers support
> ++TCPW_MSG="no"
> ++AC_ARG_WITH([tcp-wrappers],
> ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
> ++ [
> ++ if test "x$withval" != "xno" ; then
> ++ saved_LIBS="$LIBS"
> ++ saved_LDFLAGS="$LDFLAGS"
> ++ saved_CPPFLAGS="$CPPFLAGS"
> ++ if test -n "${withval}" && \
> ++ test "x${withval}" != "xyes"; then
> ++ if test -d "${withval}/lib"; then
> ++ if test -n "${need_dash_r}"; then
> ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
> ++ else
> ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
> ++ fi
> ++ else
> ++ if test -n "${need_dash_r}"; then
> ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
> ++ else
> ++ LDFLAGS="-L${withval} ${LDFLAGS}"
> ++ fi
> ++ fi
> ++ if test -d "${withval}/include"; then
> ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
> ++ else
> ++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
> ++ fi
> ++ fi
> ++ LIBS="-lwrap $LIBS"
> ++ AC_MSG_CHECKING([for libwrap])
> ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
> ++#include <sys/types.h>
> ++#include <sys/socket.h>
> ++#include <netinet/in.h>
> ++#include <tcpd.h>
> ++int deny_severity = 0, allow_severity = 0;
> ++ ]], [[
> ++ hosts_access(0);
> ++ ]])], [
> ++ AC_MSG_RESULT([yes])
> ++ AC_DEFINE([LIBWRAP], [1],
> ++ [Define if you want
> ++ TCP Wrappers support])
> ++ SSHDLIBS="$SSHDLIBS -lwrap"
> ++ TCPW_MSG="yes"
> ++ ], [
> ++ AC_MSG_ERROR([*** libwrap missing])
> ++ ])
> ++ LIBS="$saved_LIBS"
> ++ fi
> ++ ]
> ++)
> ++
> + # Check whether user wants to use ldns
> + LDNS_MSG="no"
> + AC_ARG_WITH(ldns,
> +@@ -5216,6 +5271,7 @@ echo " OSF SIA support: $SIA_MSG"
> + echo " KerberosV support: $KRB5_MSG"
> + echo " SELinux support: $SELINUX_MSG"
> + echo " S/KEY support: $SKEY_MSG"
> ++echo " TCP Wrappers support: $TCPW_MSG"
> + echo " MD5 password support: $MD5_MSG"
> + echo " libedit support: $LIBEDIT_MSG"
> + echo " libldns support: $LDNS_MSG"
> +diff --git a/sshd.8 b/sshd.8
> +index 968ba66..c8299d5 100644
> +--- a/sshd.8
> ++++ b/sshd.8
> +@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
> + This file should be writable only by the user, and need not be
> + readable by anyone else.
> + .Pp
> ++.It Pa /etc/hosts.allow
> ++.It Pa /etc/hosts.deny
> ++Access controls that should be enforced by tcp-wrappers are defined here.
> ++Further details are described in
> ++.Xr hosts_access 5 .
> ++.Pp
> + .It Pa /etc/hosts.equiv
> + This file is for host-based authentication (see
> + .Xr ssh 1 ) .
> +@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable.
> + .Xr ssh-keygen 1 ,
> + .Xr ssh-keyscan 1 ,
> + .Xr chroot 2 ,
> ++.Xr hosts_access 5 ,
> + .Xr login.conf 5 ,
> + .Xr moduli 5 ,
> + .Xr sshd_config 5 ,
> +diff --git a/sshd.c b/sshd.c
> +index fd95b68..82607d8 100644
> +--- a/sshd.c
> ++++ b/sshd.c
> +@@ -123,6 +123,13 @@
> + #include "version.h"
> + #include "ssherr.h"
> +
> ++#ifdef LIBWRAP
> ++#include <tcpd.h>
> ++#include <syslog.h>
> ++int allow_severity;
> ++int deny_severity;
> ++#endif /* LIBWRAP */
> ++
> + /* Re-exec fds */
> + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
> + #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
> +@@ -2036,6 +2043,25 @@ main(int ac, char **av)
> + audit_connection_from(remote_ip, remote_port);
> + #endif
> +
> ++#ifdef LIBWRAP
> ++ allow_severity = options.log_facility|LOG_INFO;
> ++ deny_severity = options.log_facility|LOG_WARNING;
> ++ /* Check whether logins are denied from this host. */
> ++ if (packet_connection_is_on_socket()) {
> ++ struct request_info req;
> ++
> ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
> ++ fromhost(&req);
> ++
> ++ if (!hosts_access(&req)) {
> ++ debug("Connection refused by tcp wrapper");
> ++ refuse(&req);
> ++ /* NOTREACHED */
> ++ fatal("libwrap refuse returns");
> ++ }
> ++ }
> ++#endif /* LIBWRAP */
> ++
> + rdomain = ssh_packet_rdomain_in(ssh);
> +
> + /* Log the connection. */
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.7p1.bb b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
> index b3da5f6..0696587 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_7.7p1.bb
> @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> file://sshd_check_keys \
> file://add-test-support-for-busybox.patch \
> file://disable-ciphers-not-supported-by-OpenSSL-DES.patch \
> + file://0001-Restore-TCP-wrappers-support.patch \
> "
>
> PAM_SRC_URI = "file://sshd"
> @@ -61,6 +62,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
> # musl doesn't implement wtmp/utmp
> EXTRA_OECONF_append_libc-musl = " --disable-wtmp"
>
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
> # Since we do not depend on libbsd, we do not want configure to use it
> # just because it finds libutil.h. But, specifying --disable-libutil
> # causes compile errors, so...
>
--
# Randy MacLeod
# Wind River Linux
More information about the Openembedded-core
mailing list