net-misc/openssh-7.5_p1-r1 patched for tcpwrappers support
Cyker
PostPosted: Wed Aug 02, 2017 7:48 pm    Post subject: net-misc/openssh-7.5_p1-r1 patched for tcpwrappers support

Oops, it's been a while! I actually forgot about this and only noticed it had been updated because, after my last sync, I was getting a shed-load of brute-force probes against ssh that should have been blocked.

This puts tcp-wrappers support back so that openssh properly blocks hosts and so that things like fail2ban and denyhosts function as intended.


Steps:
1) cp /usr/portage/net-misc/openssh/openssh-7.5_p1-r1.ebuild into the corresponding place in your local overlay

2) Copy everything from /usr/portage/net-misc/openssh/files/ into your overlay's corresponding openssh/files/ directory

3) Edit "openssh-7.5_p1-r1.ebuild" to put back the tcp-wrappers USE flag and support
Here's a patch of what I did:

--- /usr/portage/net-misc/openssh/openssh-7.5_p1-r1.ebuild      2017-06-21 12:52:30.000000000 +0100
+++ /usr/local/portage/net-misc/openssh/openssh-7.5_p1-r10.ebuild       2017-07-29 19:08:47.524051474 +0100
@@ -27,7 +27,7 @@
 SLOT="0"
 KEYWORDS="alpha amd64 arm ~arm64 ~hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static tcpd test X X509"
 REQUIRED_USE="ldns? ( ssl )
        pie? ( !static )
        ssh1? ( ssl )
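Review bot: Adding `tcpd` to IUSE while the hunk at L56-L68 drops the hosts.{allow,deny} notice outright leaves a user who keeps USE=tcpd off, but still has `sshd:` entries in those files, with no warning that those rules are silently not enforced. Rather than deleting that block, gate it on the new flag: `if ! use tcpd && grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then` followed by `ewarn "tcp-wrappers rules for sshd found, but USE=tcpd is off: they will not be enforced"` and `fi`. That keeps the detection the original ebuild already had and turns it into a pointer at the flag instead of a dead end.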
@@ -53,6 +53,7 @@
                )
                libressl? ( dev-libs/libressl:0=[static-libs(+)] )
        )
+       tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )
        >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
 RDEPEND="
        !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
@@ -88,12 +89,6 @@
                eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
                die "booooo"
        fi
-
-       # Make sure people who are using tcp wrappers are notified of its removal. #531156
-       if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-               ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-               ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-       fi
 }

 save_version() {
@@ -172,6 +167,8 @@
                printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
        ) > version.h

+       epatch "${FILESDIR}"/${PN}-7.5p1-libwrap.diff
+
        eautoreconf
 }

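Review bot: `epatch "${FILESDIR}"/${PN}-7.5p1-libwrap.diff` is applied whether or not USE=tcpd is set, with the feature gated only by the configure switch added in the hunk at L78-L85; that is a defensible choice, since the patch edits configure.ac and has to land before `eautoreconf`, but it deserves a comment so the next edit does not wrap it in `use tcpd` without thinking it through, e.g. `# libwrap patch edits configure.ac: apply before eautoreconf; the feature itself is gated by --with-tcp-wrappers`. Because step 5's `ebuild ... digest` records whatever is in files/ at that moment, the downloaded patch should be compared with the copy reproduced further down the page before the Manifest is generated. Note also that the `+++` header names the overlay file `openssh-7.5_p1-r10.ebuild` while step 5 runs `ebuild openssh-7.5_p1-r1.ebuild digest`; the digest command has to name the file that is actually present in the overlay. The enclosing function starts outside the hunk.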
@@ -202,6 +199,7 @@
                $(use X509 || use_with sctp)
                $(use_with selinux)
                $(use_with skey)
+               $(use_with tcpd tcp-wrappers)
                $(use_with ssh1)
                $(use_with ssl openssl)
                $(use_with ssl md5-passwords)


4) Go to http://sourceforge.net/projects/mancha/files/misc/ and download "openssh-7.5p1-libwrap.diff"; put this in your openssh overlay's files/ directory as well
(Or, if the site is down, blocked or the file is missing, save the following into <overlay>/net-misc/openssh/files):
openssh-7.5p1-libwrap.diff:

From 6dc0a5224363f8c6a09dc423b1520e7ac40a94b7 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Tue, 18 Jul 2017
Subject: Re-introduce TCP Wrapper support

Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch
resurrects the feature for OpenSSH 7.5p1.

Note, make sure to: autoreconf -fiv

---
 configure.ac |   58 +++++++++++++++++++++++++++++++++++++++++++++++
 sshd.8       |    7 ++++++
 sshd.c       |   25 ++++++++++++++++++++
 3 files changed, 90 insertions(+)

--- a/configure.ac
+++ b/configure.ac
@@ -1165,6 +1165,7 @@
 dnl Checks for header files.
 # Checks for libraries.
 AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
+AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])

 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
 AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
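Review bot: The `yp_match`/libnsl probe is added outside the `--with-tcp-wrappers` conditional introduced in the next hunk, so on systems where libnsl exists `-lnsl` ends up in LIBS for every OpenSSH binary even when TCP Wrappers support is not requested. If it is only there because libwrap can reference NIS netgroup symbols (the commit message does not say), it belongs inside the `withval != no` branch of that block; at minimum add `# libwrap may need yp_match (NIS netgroups); see --with-tcp-wrappers below` so the reason for a NIS check in an ssh build is not lost.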
@@ -1470,6 +1471,62 @@
        ]
 )

+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+       [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+       [
+               if test "x$withval" != "xno" ; then
+                       saved_LIBS="$LIBS"
+                       saved_LDFLAGS="$LDFLAGS"
+                       saved_CPPFLAGS="$CPPFLAGS"
+                       if test -n "${withval}" && \
+                           test "x${withval}" != "xyes"; then
+                               if test -d "${withval}/lib"; then
+                                       if test -n "${need_dash_r}"; then
+                                               LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                       else
+                                               LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                       fi
+                               else
+                                       if test -n "${need_dash_r}"; then
+                                               LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                       else
+                                               LDFLAGS="-L${withval} ${LDFLAGS}"
+                                       fi
+                               fi
+                               if test -d "${withval}/include"; then
+                                       CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                               else
+                                       CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                               fi
+                       fi
+                       LIBS="-lwrap $LIBS"
+                       AC_MSG_CHECKING([for libwrap])
+                       AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                               ]], [[
+       hosts_access(0);
+                               ]])], [
+                                       AC_MSG_RESULT([yes])
+                                       AC_DEFINE([LIBWRAP], [1],
+                                               [Define if you want
+                                               TCP Wrappers support])
+                                       SSHDLIBS="$SSHDLIBS -lwrap"
+                                       TCPW_MSG="yes"
+                               ], [
+                                       AC_MSG_ERROR([*** libwrap missing])
+
+                       ])
+                       LIBS="$saved_LIBS"
+               fi
+       ]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
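Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are recorded at the top of the `--with-tcp-wrappers` branch but never restored; only `LIBS` is put back after the link test, so the two assignments are dead. If leaving the `-L`/`-R`/`-I` additions in LDFLAGS and CPPFLAGS for the rest of the build is intended (sshd presumably needs them to find tcpd.h and libwrap at compile and link time), drop the two saves and say so with `# LDFLAGS/CPPFLAGS are deliberately left extended so sshd can find libwrap`; otherwise restore them next to `LIBS="$saved_LIBS"`. The failure branch also jumps straight to `AC_MSG_ERROR([*** libwrap missing])` without an `AC_MSG_RESULT([no])`, so the "checking for libwrap" line is left unterminated in the configure output.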
@@ -5093,6 +5150,7 @@
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
--- a/sshd.8
+++ b/sshd.8
@@ -825,6 +825,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -929,6 +935,7 @@ The content of this file is not sensitiv
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
--- a/sshd.c
+++ b/sshd.c
@@ -123,6 +123,13 @@
 #include "version.h"
 #include "ssherr.h"

+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
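Review bot: `allow_severity` and `deny_severity` are defined with external linkage and no initializer, and nothing says why; libwrap resolves them from the library side (the configure link test above defines the same pair for that reason), so they must stay non-static, and their values are only assigned later in main() before `hosts_access()` runs. Suggest `/* Referenced by libwrap; must be non-static. Set from options.log_facility in main() before hosts_access(). */` above the two definitions so a future cleanup does not make them static or move them.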
@@ -1985,6 +1992,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+       allow_severity = options.log_facility|LOG_INFO;
+       deny_severity = options.log_facility|LOG_WARNING;
+       /* Check whether logins are denied from this host. */
+       if (packet_connection_is_on_socket()) {
+               struct request_info req;
+
+               request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+               fromhost(&req);
+
+               if (!hosts_access(&req)) {
+                       debug("Connection refused by tcp wrapper");
+                       refuse(&req);
+                       /* NOTREACHED */
+                       fatal("libwrap refuse returns");
+               }
+       }
+#endif /* LIBWRAP */

        /* Log the connection. */
        laddr = get_local_ipaddr(sock_in);
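Review bot: `request_init(&req, RQ_DAEMON, __progname, ...)` uses the name sshd was started under as the daemon token, so hosts.{allow,deny} rules written for `sshd` match only when argv[0] is normally "sshd"; a binary invoked through a differently named symlink is checked against a different token, which is easy to miss when an `allow` or `deny` rule appears not to fire. A comment would help: `/* daemon token for hosts.allow/deny is argv[0], normally "sshd" */`. Separately, `options.log_facility` is, if the servconf layout is what I recall, OpenSSH's own SyslogFacility enum rather than a syslog(3) LOG_* facility value, in which case `options.log_facility|LOG_INFO` and `|LOG_WARNING` do not form well-formed priorities; worth confirming against log.h and mapping through OpenSSH's facility table if so. Refused connections are logged only by libwrap at `deny_severity` and by sshd at debug level, before the "Log the connection" line is reached, which matters for anything that parses sshd's own log. The enclosing main() starts and ends outside the hunk.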



5) In the overlay directory for openssh, run:
ebuild openssh-7.5_p1-r1.ebuild digest



Hopefully you'll then be able to run emerge -av openssh and get a working ssh with tcpwrappers support. You may notice mine is -r10; that is to make sure it supersedes the -r1 one (if it were -r2, I'd make mine -r20, and so on).



Kudos to mancha for keeping up these patches and keeping things like fail2ban and denyhosts alive on newer OpenSSH releases!