[oi-userland.git] / components / network / hpn-ssh / patches / 0031-Restore-tcpwrappers-libwrap-support.patch
1 --- hpn-ssh-hpn-18.4.2/configure.ac.orig
2 +++ hpn-ssh-hpn-18.4.2/configure.ac
3 @@ -1664,6 +1664,62 @@
4 AC_MSG_RESULT([no])
5 fi
7 +# Check whether user wants TCP wrappers support
8 +TCPW_MSG="no"
9 +AC_ARG_WITH([tcp-wrappers],
10 + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
11 + [
12 + if test "x$withval" != "xno" ; then
13 + saved_LIBS="$LIBS"
14 + saved_LDFLAGS="$LDFLAGS"
15 + saved_CPPFLAGS="$CPPFLAGS"
16 + if test -n "${withval}" && \
17 + test "x${withval}" != "xyes"; then
18 + if test -d "${withval}/lib"; then
19 + if test -n "${need_dash_r}"; then
20 + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
21 + else
22 + LDFLAGS="-L${withval}/lib ${LDFLAGS}"
23 + fi
24 + else
25 + if test -n "${need_dash_r}"; then
26 + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
27 + else
28 + LDFLAGS="-L${withval} ${LDFLAGS}"
29 + fi
30 + fi
31 + if test -d "${withval}/include"; then
32 + CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
33 + else
34 + CPPFLAGS="-I${withval} ${CPPFLAGS}"
35 + fi
36 + fi
37 + LIBS="-lwrap $LIBS"
38 + AC_MSG_CHECKING([for libwrap])
39 + AC_LINK_IFELSE([AC_LANG_PROGRAM([[
40 +#include <sys/types.h>
41 +#include <sys/socket.h>
42 +#include <netinet/in.h>
43 +#include <tcpd.h>
44 +int deny_severity = 0, allow_severity = 0;
45 + ]], [[
46 + hosts_access(0);
47 + ]])], [
48 + AC_MSG_RESULT([yes])
49 + AC_DEFINE([LIBWRAP], [1],
50 + [Define if you want
51 + TCP Wrappers support])
52 + SSHDLIBS="$SSHDLIBS -lwrap"
53 + TCPW_MSG="yes"
54 + ], [
55 + AC_MSG_ERROR([*** libwrap missing])
57 + ])
58 + LIBS="$saved_LIBS"
59 + fi
60 + ]
63 # Check whether user wants to use ldns
64 LDNS_MSG="no"
65 AC_ARG_WITH(ldns,
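Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned at the top of the `--with-tcp-wrappers` block but never read again; only `LIBS` is put back with `LIBS="$saved_LIBS"` after the link test. The `-L`/`-R`/`-I` entries derived from PATH therefore stay in effect for every later configure check and every binary, while `-lwrap` itself is limited to `SSHDLIBS`. If that is intended so the daemon link can find the library, drop the two unused assignments and add a comment such as `# LDFLAGS/CPPFLAGS stay modified so the sshd link can find libwrap`. The option also appears to have no default action, so a build without the flag does no hosts.allow/hosts.deny filtering, and the `TCP Wrappers support` summary line is the only place a packager sees that.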
66 @@ -5721,6 +5777,7 @@
67 echo " OSF SIA support: $SIA_MSG"
68 echo " KerberosV support: $KRB5_MSG"
69 echo " SELinux support: $SELINUX_MSG"
70 +echo " TCP Wrappers support: $TCPW_MSG"
71 echo " libedit support: $LIBEDIT_MSG"
72 echo " libldns support: $LDNS_MSG"
73 echo " Solaris process contract support: $SPC_MSG"
74 --- hpn-ssh-hpn-18.4.2/hpnsshd.8.orig
75 +++ hpn-ssh-hpn-18.4.2/hpnsshd.8
76 @@ -924,6 +924,12 @@
77 This file should be writable only by the user, and need not be
78 readable by anyone else.
79 .Pp
80 +.It Pa /etc/hosts.allow
81 +.It Pa /etc/hosts.deny
82 +Access controls that should be enforced by tcp-wrappers are defined here.
83 +Further details are described in
84 +.Xr hosts_access 5 .
85 +.Pp
86 .It Pa /etc/hosts.equiv
87 This file is for host-based authentication (see
88 .Xr hpnssh 1 ) .
89 @@ -1053,6 +1059,7 @@
90 .Xr hpnssh-keygen 1 ,
91 .Xr hpnssh-keyscan 1 ,
92 .Xr chroot 2 ,
93 +.Xr hosts_access 5 ,
94 .Xr login.conf 5 ,
95 .Xr moduli 5 ,
96 .Xr hpnsshd_config 5 ,
97 --- hpn-ssh-hpn-18.4.2/sshd.c.orig
98 +++ hpn-ssh-hpn-18.4.2/sshd.c
99 @@ -128,6 +128,17 @@
100 #include "srclimit.h"
101 #include "dh.h"
103 +#ifdef LIBWRAP
104 +#include <tcpd.h>
105 +#include <syslog.h>
106 +int allow_severity;
107 +int deny_severity;
108 +#endif /* LIBWRAP */
110 +#ifndef O_NOCTTY
111 +#define O_NOCTTY 0
112 +#endif
114 /* Re-exec fds */
115 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
116 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
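Review bot: `allow_severity` and `deny_severity` are added as bare file-scope globals with no comment, so a reader cannot tell from this hunk that libwrap expects the program to define them (the configure link test in this patch defines the same pair for that reason). A one-line comment above them would help, e.g. `/* libwrap references these externs; set per connection before hosts_access() */`. Separately, the `O_NOCTTY` fallback at the end of the hunk sits outside the `LIBWRAP` guard and nothing in the visible hunks uses it, so it looks unrelated to restoring tcp-wrappers support. If sshd.c does not otherwise need it, leave it out of this patch.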
117 @@ -2218,6 +2229,24 @@
118 #ifdef SSH_AUDIT_EVENTS
119 audit_connection_from(ssh, remote_ip, remote_port);
120 #endif
121 +#ifdef LIBWRAP
122 + allow_severity = options.log_facility|LOG_INFO;
123 + deny_severity = options.log_facility|LOG_WARNING;
124 + /* Check whether logins are denied from this host. */
125 + if (ssh_packet_connection_is_on_socket(ssh)) {
126 + struct request_info req;
128 + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
129 + fromhost(&req);
131 + if (!hosts_access(&req)) {
132 + debug("Connection refused by tcp wrapper");
133 + refuse(&req);
134 + /* NOTREACHED */
135 + fatal("libwrap refuse returns");
138 +#endif /* LIBWRAP */
140 rdomain = ssh_packet_rdomain_in(ssh);