Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Tue Jul 21, 2015 8:21 pm, Post subject: net-misc/openssh-6.9_p1-r2 and tcpwrappers [PATCHED!]
Summary:
1) Will openssh-6.7 continue to be supported for a long time?
2) Else, what is the recommended alternative to hosts.{allow,deny} and SEC blacklisting?
Verbose:
Another emerge --sync, another problem...! (lol)
It seems as of v6.9, openssh no longer supports tcpwrappers. (Eek!)
As tcpwrappers is the primary guardian for my ssh'ing, this is obviously quite a big problem. (Erk)
As I see it I have two options:
1) Mask >net-misc/openssh-6.9
2) Roll an alternative to tcpwrappers + SEC
1) is an easy default, but I am concerned it will stop being supported in the near future.
2) will, I suspect, require considerably more zots to execute; if this future-proofs it, I don't mind, but I will require suggestions and help.
I currently have some known systems whitelisted with hosts.deny, and am using SEC to scan for sshd breach attempts and add them to hosts.deny.
The setup has been tweaked a lot over time, and works pretty well with some extra rules to defeat sneakiness, which is why I'm reluctant to throw it all away.
What are your thoughts for options and implementation for option 2?
Last edited by Cyker on Wed Jul 22, 2015 8:57 pm; edited 1 time in total
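The log-scanning half of the setup Cyker describes in the post above (a monitor watching sshd for breach attempts and feeding hosts.deny), sketched as an added POSIX sh example that is not Cyker's configuration or any project's code. The log line format, the three-failure threshold and the file paths are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: the "scan sshd failures, feed hosts.deny" half of the
# setup described in the thread. Log format, threshold and paths are
# assumptions; the sample log below is constructed.

# Print "sshd: <ip>" for every source with at least $2 failures in log $1.
deny_candidates() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print "sshd: " ip }
    ' "$1" | sort
}

# Append each rule read from stdin to hosts.deny unless it is already there.
# tcp-wrappers consults hosts.allow first, so a whitelisted host stays
# reachable even if it later shows up in hosts.deny.
append_deny() {
    while IFS= read -r rule; do
        grep -qxF "$rule" "$1" 2>/dev/null || printf '%s\n' "$rule" >> "$1"
    done
}

# Constructed sample: 203.0.113.5 fails three times, 198.51.100.9 once,
# and one successful login must not be counted. Runs the scan twice to
# show that the second pass adds nothing; returns the final hosts.deny.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/auth.log" <<'EOF'
Jul 22 10:20:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 41234 ssh2
Jul 22 10:20:04 host sshd[1002]: Invalid user admin from 203.0.113.5
Jul 22 10:20:07 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 41240 ssh2
Jul 22 10:21:00 host sshd[1004]: Failed password for bob from 198.51.100.9 port 50000 ssh2
Jul 22 10:22:00 host sshd[1005]: Accepted publickey for bob from 192.0.2.10 port 50001 ssh2
EOF
    printf 'sshd: 198.51.100.200\n' > "$tmp/hosts.deny"   # pre-existing rule
    deny_candidates "$tmp/auth.log" 3 | append_deny "$tmp/hosts.deny"
    deny_candidates "$tmp/auth.log" 3 | append_deny "$tmp/hosts.deny"
    cat "$tmp/hosts.deny"
    rm -r "$tmp"
}
```

Running `demo` leaves exactly two rules in the file: the pre-existing one and `sshd: 203.0.113.5`; the single failure from 198.51.100.9 stays below the threshold.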
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Tue Jul 21, 2015 8:36 pm
Interesting:
Changelog of openssh 6.7 wrote:
20140612 - (dtucker) [configure.ac] Remove tcpwrappers support, support has already been removed from sshd.c.
I wonder how long it's been gone, I think 6.7 didn't have support, either.
I haven't noticed, always thought that new hosts keep hitting my machine despite using tcpwrappers. I just ignored them and hope hostkey/password is sufficient to not let them in, despite the distributed and dictionary attacks...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Tue Jul 21, 2015 10:04 pm
Oh shi-<CARRIER LOST>
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Tue Jul 21, 2015 11:36 pm
Apparently there are other distributions that question whether people were still using tcpwrappers instead of firewall rules, etc. But I suppose there are still people who use tcpwrappers.
Anyone else still using tcpwrappers?
Should tcpwrappers be put back in? I'd think it's slowly going away for most things as it's slow...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Wed Jul 22, 2015 8:36 am
Well I would think so since it seems most early-deny monitors like fail2ban and denyhosts also use tcp-wrappers as their primary blacklisting mechanism...
I mainly use it because it's very simple to set up and has been tried and tested. Also I don't currently know of an equivalent alternative.
Still, it's kind of a dick move of the openssh guys to remove support of a fairly critical security feature without any major warning; if it wasn't for the warning in the ebuild I'd never have even known!!!
From what I've seen it's not just me; a fair number of people have been caught out by this too, judging by the posts floating around begging them and/or distro maintainers to put it back in.
Even our distro maintainers were caught out, it seems, as they didn't notice the removal in 6.7 either, and only put the warnings in in later versions (annoyingly, after the last versions that still had it had fallen out of the tree!)
Still, it doesn't look too hard to patch it back in; I have found a small patch for 6.7p1 at http://www.gossamer-threads.com/lists/openssh/dev/59543 and for 6.9p1 at http://www.gossamer-threads.com/lists/openssh/dev/62743 which puts back tcp-wrappers support, so I'll see how that goes...
Judging by the need for autoreconf I think some ebuild massaging will be needed...
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Wed Jul 22, 2015 6:19 pm
Well that was a lot easier than I thought! \:D/
+1 to Portage's flexibility! :)
WOT I DID:
1) cp -r /usr/portage/net-misc/openssh into local overlay
2) Modify openssh-6.9_p1-r2.ebuild to put back the tcp-wrappers bits
(Or use this handy patch of what I did earlier!)
Code:
--- openssh-6.9_p1-r2.ebuild 2015-07-22 10:20:22.419265771 +0100
+++ openssh-6.9_p1-r20.ebuild 2015-07-22 18:19:26.733580702 +0100
@@ -30,7 +30,7 @@
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ~ppc ppc64 s390 sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static tcpd X X509"
REQUIRED_USE="pie? ( !static )
ssh1? ( ssl )
static? ( !kerberos !pam )
@@ -44,7 +44,8 @@
>=dev-libs/openssl-0.9.6d:0[bindist=]
dev-libs/openssl[static-libs(+)]
)
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
+ >=sys-libs/zlib-1.2.3[static-libs(+)]
+ tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
RDEPEND="
!static? (
${LIB_DEPEND//\[static-libs(+)]}
@@ -92,12 +93,12 @@
die "booooo"
fi
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- die "USE=tcpd no longer works"
- fi
+# # Make sure people who are using tcp wrappers are notified of its removal. #531156
+# if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+# eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+# eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
+# die "USE=tcpd no longer works"
+# fi
}
save_version() {
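Review bot: the removal warning is commented out rather than deleted or gated, so the `#`-prefixed block stays behind as dead code inside the function. The check is still useful for anyone who builds without the new flag, so gate it instead of hiding it: `if ! use tcpd && grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then`, keeping the `eerror` and `die` lines, so a user whose sshd is built without tcp-wrappers is still told that the sshd rules in hosts.{allow,deny} will be ignored.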
@@ -168,6 +169,8 @@
printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
) > version.h
+ epatch "${FILESDIR}"/${PN}-6.9p1-libwrap.diff
+
eautoreconf
}
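Review bot: `epatch "${FILESDIR}"/${PN}-6.9p1-libwrap.diff` fixes the name the patch must have under files/ (openssh-6.9p1-libwrap.diff, since PN is openssh), but step 3 of the post never states that name, so a reader who cats the patch into files/ under another name gets a missing-file failure; name the file in the instructions. Leaving the `epatch` unconditional is reasonable: the `$(use_with tcpd tcp-wrappers)` added later in this diff is passed whichever way the flag is set, and configure only recognises that option once the patch is applied.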
@@ -198,6 +201,7 @@
$(use_with sctp)
$(use_with selinux)
$(use_with skey)
+ $(use_with tcpd tcp-wrappers)
$(use_with ssh1)
# The X509 patch deletes this option entirely.
$(use X509 || use_with ssl openssl)
3) Download the tcp-wrapper patch I posted in the previous post and put it in files/ (or cat this into <overlay>/net-misc/openssh/files)
Code:
From 6528336124b7736040e2e55fb2d1a105b9b382f3 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Wed, 1 Jul 2015
Subject: Re-introduce TCP Wrapper support
Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch
resurrects the feature for OpenSSH 6.9p1.
Note: autoreconf -fiv and configure with --with-tcp-wrappers
---
configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
sshd.8 | 7 +++++++
sshd.c | 25 +++++++++++++++++++++++
3 files changed, 89 insertions(+)
--- a/configure.ac
+++ b/configure.ac
@@ -1424,6 +1424,62 @@ AC_ARG_WITH([skey],
]
)
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
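Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned at the top of the block but never used; only `LIBS="$saved_LIBS"` is restored at the end. If leaving the `-L`/`-I` additions in place is intended (so the later sshd link, which receives `-lwrap` via `SSHDLIBS`, can find the library), drop the two unused assignments or add a comment saying so; otherwise restore them next to `LIBS`. Failing hard with `AC_MSG_ERROR([*** libwrap missing])` when the header or library is absent is the right behaviour for a security control: a silent fallback would produce an sshd that ignores hosts.deny while the operator believes it is enforced.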
@@ -4904,6 +4960,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
--- a/sshd.8
+++ b/sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
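Review bot: the added sentence `Further details described in` is missing its verb; make it `Further details are described in` ahead of the `.Xr hosts_access 5 .` reference. This paragraph should also say that the two files are consulted only when sshd was built with tcp-wrappers support, since after this patch that is a configure-time option rather than a given.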
@@ -956,6 +962,7 @@ The content of this file is not sensitiv
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
--- a/sshd.c
+++ b/sshd.c
@@ -125,6 +125,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -2134,6 +2141,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
/* Log the connection. */
laddr = get_local_ipaddr(sock_in);
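Review bot: confirm that `options.log_facility` holds a syslog(3) facility value and not sshd's own log-facility enumeration before OR-ing it with `LOG_INFO`/`LOG_WARNING`, because `allow_severity` and `deny_severity` are handed straight to syslog by libwrap. Note also that the local `debug("Connection refused by tcp wrapper")` is invisible at the default LogLevel; the log line an operator, or a monitor such as the SEC setup in this thread, should match is the one `refuse(&req)` itself emits at `deny_severity`. The `fatal()` after `/* NOTREACHED */` is good defensive practice in case `refuse()` ever returns.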
4) In the overlay for openssh, run
Code:
ebuild openssh-6.9_p1-r2.ebuild digest
And you're done! Now emerge updating openssh should put back tcp-wrappers, putting back a layer of security and re-enabling things like fail2ban and denyhosts (and my SEC monitor!)
I'm still open to suggestions for alternatives, but this'll do me for now ^____^
gordonp Tux's lil' helper
Joined: 23 May 2005 Posts: 102
Posted: Mon Jul 27, 2015 5:02 pm
eccerr0r wrote:
Anyone else still using tcpwrappers?
Should tcpwrappers be put back in?
Yes... to both Qs.
I believe in defense-in-depth, and tcpd is a valuable belt in addition to suspenders.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Mon Jul 27, 2015 5:35 pm
Who volunteers to get this patch kept in Gentoo, so whenever openssl/openssh version bumps, the patch also gets fixed? :o
If enough people still want it, might have to get openssh to re-include it.
I've pretty much migrated out of tcpwrappers for ssh, mostly because maintaining huge deny files was a PITA. Sigh...doing what the openssh guys wanted...