Gentoo Forums :: Networking & Security
net-misc/openssh-6.9_p1-r2 and tcpwrappers [PATCHED!]
Cyker (Veteran; joined 15 Jun 2006; 1746 posts)
Posted: Tue Jul 21, 2015 8:21 pm    Post subject: net-misc/openssh-6.9_p1-r2 and tcpwrappers [PATCHED!]

Summary:
1) Will openssh-6.7 continue to be supported for a long time?
2) Else, what is the recommended alternative to hosts.{allow,deny} and SEC blacklisting?


Verbose:
Another emerge --sync, another problem...! (lol)

It seems as of v6.9, openssh no longer supports tcpwrappers. (Eek!)

As tcpwrappers is the primary guardian for my ssh'ing, this is obviously quite a big problem. (Erk)

As I see it I have two options:
1) Mask >net-misc/openssh-6.9
2) Roll an alternative to tcpwrappers + SEC

1) is an easy default, but I am concerned it will stop being supported in the near future.

2) will, I suspect, require considerably more zots to execute; if this future-proofs it, I don't mind, but I will require suggestions and help.

I currently have some known systems whitelisted with hosts.deny, and am using SEC to scan for sshd breach attempts and add them to hosts.deny.
The setup has been tweaked a lot over time, and works pretty well with some extra rules to defeat sneakiness, which is why I'm reluctant to throw it all away.

What are your thoughts for options and implementation for option 2?


Last edited by Cyker on Wed Jul 22, 2015 8:57 pm; edited 1 time in total
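As an added illustration of the log-driven blacklisting the OP describes (this is not code from the thread or from the OP's SEC configuration): a small Python monitor that counts sshd breach attempts per source address over constructed sample log lines, skips a hypothetical whitelist of known systems, and emits the `sshd: <address>` lines that would be appended to hosts.deny. The log format, the threshold and the whitelist network are all assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sshd auth-log lines (not taken from the thread).
SAMPLE_LOG = """\
Jul 21 20:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 21 20:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 21 20:01:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul 21 20:02:11 host sshd[1210]: Invalid user oracle from 198.51.100.23
Jul 21 20:02:15 host sshd[1210]: Failed password for invalid user oracle from 198.51.100.23 port 40001 ssh2
Jul 21 20:03:40 host sshd[1215]: Failed password for cyker from 192.0.2.10 port 50000 ssh2
Jul 21 20:03:44 host sshd[1215]: Failed password for cyker from 192.0.2.10 port 50000 ssh2
Jul 21 20:03:49 host sshd[1215]: Failed password for cyker from 192.0.2.10 port 50000 ssh2
Jul 21 20:04:01 host sshd[1220]: Accepted publickey for cyker from 192.0.2.10 port 50010 ssh2
"""

# Hypothetical whitelist of known systems that must never land in hosts.deny.
WHITELIST = [ip_network("192.0.2.0/24")]

# Messages counted as breach attempts; "Invalid user" covers probes that never reach a password.
ATTEMPT_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)

def count_attempts(log_text):
    """Count breach attempts per source address in the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def is_whitelisted(addr):
    """True if addr falls inside any whitelisted network."""
    return any(ip_address(addr) in net for net in WHITELIST)

def hosts_deny_entries(log_text, threshold=3):
    """hosts.deny lines ('sshd: <addr>') for sources at or above threshold.
    Whitelisted sources are skipped even when they exceed it, so a mistyped
    password from a known system cannot lock that system out."""
    return [
        f"sshd: {addr}"
        for addr, n in sorted(count_attempts(log_text).items())
        if n >= threshold and not is_whitelisted(addr)
    ]

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_LOG):
        print(entry)  # prints "sshd: 203.0.113.7"
```

Real deployments need the writes to hosts.deny to be atomic and de-duplicated, and the regex adjusted to the exact sshd log format in use; the threshold and whitelist are the "extra rules" that keep a single typo from a trusted host from tripping the block.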
eccerr0r (Watchman; joined 01 Jul 2004; 7051 posts; location: almost Mile High in the USA)
Posted: Tue Jul 21, 2015 8:36 pm

Interesting:
Changelog of openssh 6.7 wrote:
20140612 - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
been removed from sshd.c.

I wonder how long it's been gone, I think 6.7 didn't have support, either.

I hadn't noticed; I always thought that new hosts kept hitting my machine despite using tcpwrappers. I just ignored them and hoped the hostkey/password was sufficient to not let them in, despite the distributed and dictionary attacks...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Cyker (Veteran; joined 15 Jun 2006; 1746 posts)
Posted: Tue Jul 21, 2015 10:04 pm

8O

Oh shi-<CARRIER LOST>
eccerr0r (Watchman; joined 01 Jul 2004; 7051 posts; location: almost Mile High in the USA)
Posted: Tue Jul 21, 2015 11:36 pm

Apparently there are other distributions that questioned whether people were still using tcpwrappers instead of firewall rules, etc. But I suppose there are still people who use tcpwrappers.

Anyone else still using tcpwrappers?

Should tcpwrappers be put back in? I'd think it's slowly going away for most things as it's slow...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Cyker (Veteran; joined 15 Jun 2006; 1746 posts)
Posted: Wed Jul 22, 2015 8:36 am

Well, I would think so, since it seems most early-deny monitors like fail2ban and denyhosts also use tcp-wrappers as their primary blacklisting mechanism...

I mainly use it because it's very simple to set up and has been tried and tested. Also, I don't currently know of an equivalent alternative.

Still, it's kind of a dick move of the openssh guys to remove support for a fairly critical security feature without any major warning; if it wasn't for the warning in the ebuild I'd never have even known!!! 8O

From what I've seen it's not just me; a fair number of people have been caught out by this too, judging by the posts floating around begging them and/or distro maintainers to put it back in.
Even our distro maintainers were caught out, it seems, as they didn't notice the removal in 6.7 either, and only put the warnings in in later versions (annoyingly, after the last versions that still had it had fallen out of the tree!)

Still, it doesn't look too hard to patch it back in; I have found a small patch for

6.7p1 at http://www.gossamer-threads.com/lists/openssh/dev/59543
and
6.9p1 at http://www.gossamer-threads.com/lists/openssh/dev/62743

which puts back tcp-wrappers support so I'll see how that goes...
Judging by the need for autoreconf I think some ebuild massaging will be needed...
Cyker (Veteran; joined 15 Jun 2006; 1746 posts)
Posted: Wed Jul 22, 2015 6:19 pm

Well that was a lot easier than I thought! \:D/
+1 to Portage's flexibility! :)

WOT I DID:

1) cp -r /usr/portage/net-misc/openssh into local overlay
2) Modify openssh-6.9_p1-r2.ebuild to put back the tcp-wrappers bits
(Or use this handy patch of what I did earlier!)
Code:

--- openssh-6.9_p1-r2.ebuild   2015-07-22 10:20:22.419265771 +0100
+++ openssh-6.9_p1-r20.ebuild   2015-07-22 18:19:26.733580702 +0100
@@ -30,7 +30,7 @@
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ~ppc ppc64 s390 sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static tcpd X X509"
 REQUIRED_USE="pie? ( !static )
    ssh1? ( ssl )
    static? ( !kerberos !pam )
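Review bot: the new `tcpd` flag is added to IUSE without a default, unlike `+pie` and `+ssl` a few tokens away, so the rebuilt sshd only links libwrap when USE=tcpd is actually set in package.use or make.conf; either say so in the step list or write `+tcpd` if wrappers are meant to be on by default for this overlay. Note also that the `+++` header names the file `openssh-6.9_p1-r20.ebuild`, so the revision saved in the overlay has to match whatever is digested and emerged afterwards.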
@@ -44,7 +44,8 @@
       >=dev-libs/openssl-0.9.6d:0[bindist=]
       dev-libs/openssl[static-libs(+)]
    )
-   >=sys-libs/zlib-1.2.3[static-libs(+)]"
+   >=sys-libs/zlib-1.2.3[static-libs(+)]
+   tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
 RDEPEND="
    !static? (
       ${LIB_DEPEND//\[static-libs(+)]}
@@ -92,12 +93,12 @@
       die "booooo"
    fi
 
-   # Make sure people who are using tcp wrappers are notified of its removal. #531156
-   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-      eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-      eerror "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-      die "USE=tcpd no longer works"
-   fi
+#   # Make sure people who are using tcp wrappers are notified of its removal. #531156
+#   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+#      eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+#      eerror "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+#      die "USE=tcpd no longer works"
+#   fi
 }
 
 save_version() {
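Review bot: rather than commenting out the "tcp wrappers removed" check with `#`, delete those six lines outright; commented-out code that still cites bug #531156 and carries the `die "USE=tcpd no longer works"` message will mislead whoever next merges this ebuild against the tree version, and the check is contradicted by the `tcpd` flag this same ebuild now offers.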
@@ -168,6 +169,8 @@
       printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
    ) > version.h
 
+   epatch "${FILESDIR}"/${PN}-6.9p1-libwrap.diff
+
    eautoreconf
 }
 
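Review bot: `epatch "${FILESDIR}"/${PN}-6.9p1-libwrap.diff` hardcodes both the file name and the upstream version, so the patch from step 3 has to be saved under `files/` as exactly `openssh-6.9p1-libwrap.diff` (step 3 never names the file), and this line has to be revisited on every version bump. Applying it unconditionally ahead of `eautoreconf` is acceptable because the `--with-tcp-wrappers` switch added later in the ebuild decides whether libwrap is compiled in, but a one-line comment saying so would spare the next maintainer the question.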
@@ -198,6 +201,7 @@
       $(use_with sctp)
       $(use_with selinux)
       $(use_with skey)
+      $(use_with tcpd tcp-wrappers)
       $(use_with ssh1)
       # The X509 patch deletes this option entirely.
       $(use X509 || use_with ssl openssl)
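Review bot: `$(use_with tcpd tcp-wrappers)` breaks the alphabetical order of the surrounding `use_with` lines (sctp, selinux, skey, ssh1); move it after `$(use_with ssh1)`. The mapping itself is right: USE=tcpd yields `--with-tcp-wrappers` and its absence yields `--without-tcp-wrappers`, which the configure.ac patch treats as `withval=no` and skips.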


3) Download the tcp-wrapper patch I posted in the previous post and put it in files/ (or cat this into <overlay>/net-misc/openssh/files)
Code:

From 6528336124b7736040e2e55fb2d1a105b9b382f3 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Wed, 1 Jul 2015
Subject: Re-introduce TCP Wrapper support

Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch
resurrects the feature for OpenSSH 6.9p1.

Note: autoreconf -fiv and configure with --with-tcp-wrappers

---
 configure.ac |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 sshd.8       |    7 +++++++
 sshd.c       |   25 +++++++++++++++++++++++
 3 files changed, 89 insertions(+)

--- a/configure.ac
+++ b/configure.ac
@@ -1424,6 +1424,62 @@ AC_ARG_WITH([skey],
    ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+   [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+   [
+      if test "x$withval" != "xno" ; then
+         saved_LIBS="$LIBS"
+         saved_LDFLAGS="$LDFLAGS"
+         saved_CPPFLAGS="$CPPFLAGS"
+         if test -n "${withval}" && \
+             test "x${withval}" != "xyes"; then
+            if test -d "${withval}/lib"; then
+               if test -n "${need_dash_r}"; then
+                  LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+               else
+                  LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+               fi
+            else
+               if test -n "${need_dash_r}"; then
+                  LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+               else
+                  LDFLAGS="-L${withval} ${LDFLAGS}"
+               fi
+            fi
+            if test -d "${withval}/include"; then
+               CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+            else
+               CPPFLAGS="-I${withval} ${CPPFLAGS}"
+            fi
+         fi
+         LIBS="-lwrap $LIBS"
+         AC_MSG_CHECKING([for libwrap])
+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+            ]], [[
+   hosts_access(0);
+            ]])], [
+               AC_MSG_RESULT([yes])
+               AC_DEFINE([LIBWRAP], [1],
+                  [Define if you want
+                  TCP Wrappers support])
+               SSHDLIBS="$SSHDLIBS -lwrap"
+               TCPW_MSG="yes"
+            ], [
+               AC_MSG_ERROR([*** libwrap missing])
+            
+         ])
+         LIBS="$saved_LIBS"
+      fi
+   ]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
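Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned but never read; only `LIBS` is restored at the end of the block, and keeping the `-L`/`-I` additions in effect is presumably intended when a PATH is given, so either drop the two dead assignments or add a comment explaining why they exist. The whitespace-only line before the closing `])` of the `AC_LINK_IFELSE` failure branch should also go. Failing hard with `AC_MSG_ERROR` when `--with-tcp-wrappers` was requested but libwrap does not link is the right choice: a silent fallback would leave the admin believing hosts.deny is enforced when it is not.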
@@ -4904,6 +4960,7 @@ echo "                 KerberosV support
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
--- a/sshd.8
+++ b/sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
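Review bot: "Further details described in" is missing its verb; make it "Further details are described in" before `.Xr hosts_access 5 .`. It would also help to state here that the check happens when sshd accepts the connection (see the sshd.c hunk), i.e. before any authentication exchange, since that is the property an admin relying on hosts.deny cares about.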
@@ -956,6 +962,7 @@ The content of this file is not sensitiv
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
--- a/sshd.c
+++ b/sshd.c
@@ -125,6 +125,13 @@
 #include "version.h"
 #include "ssherr.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY   0
 #endif
@@ -2134,6 +2141,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
    audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+   allow_severity = options.log_facility|LOG_INFO;
+   deny_severity = options.log_facility|LOG_WARNING;
+   /* Check whether logins are denied from this host. */
+   if (packet_connection_is_on_socket()) {
+      struct request_info req;
+
+      request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+      fromhost(&req);
+
+      if (!hosts_access(&req)) {
+         debug("Connection refused by tcp wrapper");
+         refuse(&req);
+         /* NOTREACHED */
+         fatal("libwrap refuse returns");
+      }
+   }
+#endif /* LIBWRAP */
 
    /* Log the connection. */
    laddr = get_local_ipaddr(sock_in);
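Review bot: because the libwrap check sits before the `/* Log the connection. */` block, a refused host never produces sshd's own connection-log line; the only record is the message libwrap's `refuse()` writes at `deny_severity`, i.e. `options.log_facility|LOG_WARNING`, plus a `debug()` line that is invisible at the default LogLevel. Log-driven blockers such as the OP's SEC rules (or fail2ban/denyhosts, mentioned earlier in the thread) therefore have to match libwrap's "refused connect from" message rather than sshd's format if they want to see repeat offenders that are already denied. The `fatal()` after `refuse()` is a sensible guard since `refuse()` is expected not to return, and the `packet_connection_is_on_socket()` test correctly skips the check when sshd is not talking to a socket.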


4) In the overlay for openssh, run
Code:
ebuild openssh-6.9_p1-r2.ebuild digest


And you're done! Now emerge updating openssh should put back tcp-wrappers, putting back a layer of security and re-enabling things like fail2ban and denyhosts (And my SEC monitor!)


I'm still open to suggestions for alternatives, but this'll do me for now ^____^
gordonp (Tux's lil' helper; joined 23 May 2005; 89 posts)
Posted: Mon Jul 27, 2015 5:02 pm

eccerr0r wrote:
Anyone else still using tcpwrappers?

Should tcpwrappers be put back in?

Yes... to both Qs.

I believe in defense-in-depth, and tcpd is a valuable belt in addition to suspenders.
eccerr0r (Watchman; joined 01 Jul 2004; 7051 posts; location: almost Mile High in the USA)
Posted: Mon Jul 27, 2015 5:35 pm

Who volunteers to get this patch kept in Gentoo, so that whenever openssl/openssh version-bumps, the patch also gets fixed? :o
If enough people still want it, might have to get openssh to re-include it.

I've pretty much migrated out of tcpwrappers for ssh, mostly because maintaining huge deny files was a PITA. Sigh...doing what the openssh guys wanted...