net-misc/openssh-7.3_p1-r6 and tcpwrappers [PATCHED!]
Cyker
PostPosted: Sat Oct 08, 2016 10:26 pm    Post subject: net-misc/openssh-7.3_p1-r6 and tcpwrappers [PATCHED!] Reply with quote

Yikes, bit more of a hassle this time as there are a lot of extra patches!

Mainly the same as before, just remember to copy all the patches in files/ over!

Steps:
1) cp /usr/portage/net-misc/openssh/openssh-7.3_p1-r6.ebuild into your local overlay
(If you don't have one, you may need to cp -r the whole /usr/portage/net-misc/openssh/ directory into your overlay to get all the other patches in files/ too)
1a) Also copy /usr/portage/net-misc/openssh/files/openssh-7.3* into your overlay's files/ directory!

2) Modify "openssh-7.3_p1-r6.ebuild" to put back the tcp-wrappers bits
(Or use this handy patch of what I did earlier!):
openssh-7.3_p1-r6.ebuild:

--- openssh-7.3_p1-r6.ebuild   2016-10-08 22:50:40.518287358 +0100
+++ openssh-7.3_p1-r10.ebuild   2016-10-08 22:56:08.473368265 +0100
@@ -33,7 +33,7 @@
 SLOT="0"
 KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static tcpd test X X509"
 REQUIRED_USE="ldns? ( ssl )
    pie? ( !static )
    ssh1? ( ssl )
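Review bot: The `tcpd` flag added to IUSE has no leading `+`, so a plain `emerge openssh` against this ebuild still builds exactly what the stock ebuild builds; that should be said next to the flag, e.g. `# tcpd is off by default: set USE=tcpd to link sshd against libwrap`, and presumably in the overlay's metadata.xml as well (not shown here). Note also that the diff header names the edited file `openssh-7.3_p1-r10.ebuild` while the steps and the digest command refer to `openssh-7.3_p1-r6.ebuild`; the copy in the overlay has to keep the r6 name for step 4 to work.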
@@ -58,6 +58,7 @@
       )
       libressl? ( dev-libs/libressl[static-libs(+)] )
    )
+   tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )
    >=sys-libs/zlib-1.2.3[static-libs(+)]"
 RDEPEND="
    !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
@@ -94,11 +95,11 @@
       die "booooo"
    fi
 
-   # Make sure people who are using tcp wrappers are notified of its removal. #531156
-   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-      ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-      ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-   fi
 }
 
 save_version() {
@@ -186,6 +187,8 @@
       printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
    ) > version.h
 
+   epatch "${FILESDIR}"/${PN}-7.3p1-libwrap.diff
+
    eautoreconf
 }
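Review bot: The libwrap patch is applied on every build rather than only under `use tcpd`, and the reason is not visible: `$(use_with tcpd tcp-wrappers)` later in this ebuild hands `--without-tcp-wrappers` to configure, which an unpatched configure.ac would not recognise, so applying the patch unconditionally keeps the USE=-tcpd build on a known option. A one-line comment would stop the next editor from gating it, e.g. `# applied unconditionally: configure must accept --with(out)-tcp-wrappers either way`. The enclosing function (src_prepare or equivalent) starts before this hunk.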
 
@@ -215,6 +218,7 @@
       $(use_with sctp)
       $(use_with selinux)
       $(use_with skey)
+      $(use_with tcpd tcp-wrappers)
       $(use_with ssh1)
       $(use_with ssl openssl)
       $(use_with ssl md5-passwords)



3) Go to http://sourceforge.net/projects/mancha/files/misc/ and download "openssh-7.3p1-libwrap.diff" - put it in your openssh overlay's files/ directory. Before you do, compare it against the copy reproduced below (e.g. `diff` the two): this is a patch to your SSH daemon, it is fetched over plain HTTP, and the `ebuild ... digest` step later only records whatever file you put in files/ - it cannot tell you whether that file is the right one.
(Or, if the download is down/blocked/missing, cat the copy below into <overlay>/net-misc/openssh/files/openssh-7.3p1-libwrap.diff):
openssh-7.3p1-libwrap.diff:

From d27f95ec0c88f491564813a2872e6335edbb4c05 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Tue, 9 Aug 2016
Subject: Re-introduce TCP Wrapper support

Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch
resurrects the feature for OpenSSH 7.3p1.

Note, make sure to: autoreconf -fiv

---
 configure.ac |   58 +++++++++++++++++++++++++++++++++++++++++++++++
 sshd.8       |    7 ++++++
 sshd.c       |   25 ++++++++++++++++++++
 3 files changed, 90 insertions(+)


--- a/configure.ac
+++ b/configure.ac
@@ -1181,6 +1181,7 @@
 dnl Checks for header files.
 # Checks for libraries.
 AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
+AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])
 
 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
 AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
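Review bot: The new `yp_match`/libnsl probe runs unconditionally and sits outside the `--with-tcp-wrappers` option added later in this file, so a build that never asks for TCP wrappers can still end up with `-lnsl` on its link line. If it exists only to satisfy NIS references inside libwrap (presumably why it was added, but the patch does not say), moving it inside the `if test "x$withval" != "xno"` branch, or at least commenting it `# libwrap may reference NIS symbols (yp_match) found in libnsl`, keeps the default build's dependencies unchanged.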
@@ -1486,6 +1487,62 @@
    ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+   [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+   [
+      if test "x$withval" != "xno" ; then
+         saved_LIBS="$LIBS"
+         saved_LDFLAGS="$LDFLAGS"
+         saved_CPPFLAGS="$CPPFLAGS"
+         if test -n "${withval}" && \
+             test "x${withval}" != "xyes"; then
+            if test -d "${withval}/lib"; then
+               if test -n "${need_dash_r}"; then
+                  LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+               else
+                  LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+               fi
+            else
+               if test -n "${need_dash_r}"; then
+                  LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+               else
+                  LDFLAGS="-L${withval} ${LDFLAGS}"
+               fi
+            fi
+            if test -d "${withval}/include"; then
+               CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+            else
+               CPPFLAGS="-I${withval} ${CPPFLAGS}"
+            fi
+         fi
+         LIBS="-lwrap $LIBS"
+         AC_MSG_CHECKING([for libwrap])
+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+            ]], [[
+   hosts_access(0);
+            ]])], [
+               AC_MSG_RESULT([yes])
+               AC_DEFINE([LIBWRAP], [1],
+                  [Define if you want
+                  TCP Wrappers support])
+               SSHDLIBS="$SSHDLIBS -lwrap"
+               TCPW_MSG="yes"
+            ], [
+               AC_MSG_ERROR([*** libwrap missing])
+            
+         ])
+         LIBS="$saved_LIBS"
+      fi
+   ]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
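Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured but never restored - only `LIBS="$saved_LIBS"` is put back - so the `-L`/`-R`/`-I` additions for a custom PATH remain in effect for every later configure check and for the final build. That is probably intended (sshd.c must find `tcpd.h`, and the link is done via SSHDLIBS), but the two dead assignments read as a forgotten restore; either delete them or add `# LDFLAGS/CPPFLAGS deliberately kept: the build itself needs the libwrap paths` beside the LIBS restore. The `])` that closes the AC_MSG_ERROR branch is also mis-indented relative to the AC_MSG_RESULT branch above it.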
@@ -5035,6 +5092,7 @@
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
--- a/sshd.8
+++ b/sshd.8
@@ -880,6 +880,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -986,6 +992,7 @@ The content of this file is not sensitiv
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
--- a/sshd.c
+++ b/sshd.c
@@ -125,6 +125,13 @@
 #include "version.h"
 #include "ssherr.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY   0
 #endif
@@ -2200,6 +2207,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
    audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+   allow_severity = options.log_facility|LOG_INFO;
+   deny_severity = options.log_facility|LOG_WARNING;
+   /* Check whether logins are denied from this host. */
+   if (packet_connection_is_on_socket()) {
+      struct request_info req;
+
+      request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+      fromhost(&req);
+
+      if (!hosts_access(&req)) {
+         debug("Connection refused by tcp wrapper");
+         refuse(&req);
+         /* NOTREACHED */
+         fatal("libwrap refuse returns");
+      }
+   }
+#endif /* LIBWRAP */
 
    /* Log the connection. */
    laddr = get_local_ipaddr(sock_in);
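Review bot: A refused connection is recorded by sshd itself only at `debug()` level, so an operator reading sshd's own log sees nothing unless libwrap's `refuse()` syslog line at `deny_severity` (here options.log_facility | LOG_WARNING) is being collected; since `remote_ip` is already in scope a `logit("Connection from %s refused by tcp wrapper", remote_ip);` before `refuse(&req)` would make the denial visible in the usual place. The daemon name that hosts.allow/hosts.deny rules are matched against is `__progname`, i.e. whatever name sshd was started under, which silently changes the matching rule set if the binary is renamed or invoked through a symlink - a comment on the `request_init` line should say so. This check runs in the per-connection path of main() (which begins before this hunk), after the connection has been accepted and after `audit_connection_from`, so it is an application-layer ACL layered on top of a packet filter, not a substitute for one.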



4) In the overlay for openssh, run:
Code:
ebuild openssh-7.3_p1-r6.ebuild digest



If all goes well you can then run `emerge -av openssh` and get a working sshd with tcpwrappers support. Two things to check: the new `tcpd` USE flag is not enabled by default (the ebuild adds it to IUSE without a leading `+`), so set USE=tcpd for net-misc/openssh (e.g. in /etc/portage/package.use) or the build is the same as the stock one; and confirm the configure summary prints "TCP Wrappers support: yes" before relying on your hosts.allow/hosts.deny rules.


Once again, props to mancha for creating the patches so that I don't have to! ;D