openssh/openssh-6.7p1-debian-restore-tcp-wrappers.patch

diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.tcp_wrappers	2015-03-18 13:05:57.365071779 +0100
+++ openssh-6.8p1/configure.ac	2015-03-18 13:05:57.408071673 +0100
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
 	]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+			saved_LIBS="$LIBS"
+			saved_LDFLAGS="$LDFLAGS"
+			saved_CPPFLAGS="$CPPFLAGS"
+			if test -n "${withval}" && \
+			    test "x${withval}" != "xyes"; then
+				if test -d "${withval}/lib"; then
+					if test -n "${need_dash_r}"; then
+						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+					else
+						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+					fi
+				else
+					if test -n "${need_dash_r}"; then
+						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+					else
+						LDFLAGS="-L${withval} ${LDFLAGS}"
+					fi
+				fi
+				if test -d "${withval}/include"; then
+					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+				else
+					CPPFLAGS="-I${withval} ${CPPFLAGS}"
+				fi
+			fi
+			LIBS="-lwrap $LIBS"
+			AC_MSG_CHECKING([for libwrap])
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+				]], [[
+	hosts_access(0);
+				]])], [
+					AC_MSG_RESULT([yes])
+					AC_DEFINE([LIBWRAP], [1],
+						[Define if you want
+						TCP Wrappers support])
+					SSHDLIBS="$SSHDLIBS -lwrap"
+					TCPW_MSG="yes"
+				], [
+					AC_MSG_ERROR([*** libwrap missing])
+				
+			])
+			LIBS="$saved_LIBS"
+		fi
+	]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5026,6 +5082,7 @@ echo "                 KerberosV support
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
--- openssh-6.8p1/sshd.8.tcp_wrappers	2015-03-18 13:05:57.377071749 +0100
+++ openssh-6.8p1/sshd.8	2015-03-18 13:05:57.408071673 +0100
@@ -858,6 +858,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -981,6 +987,7 @@ IPv6 address can be used everywhere wher
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.tcp_wrappers	2015-03-18 13:05:57.402071688 +0100
+++ openssh-6.8p1/sshd.c	2015-03-18 13:06:48.199947136 +0100
@@ -125,6 +125,13 @@
 #include "version.h"
 #include "ssherr.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
@@ -2150,6 +2157,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 	audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+	allow_severity = options.log_facility|LOG_INFO;
+	deny_severity = options.log_facility|LOG_WARNING;
+	/* Check whether logins are denied from this host. */
+	if (packet_connection_is_on_socket()) {
+		struct request_info req;
+
+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+		fromhost(&req);
+
+		if (!hosts_access(&req)) {
+			debug("Connection refused by tcp wrapper");
+			refuse(&req);
+			/* NOTREACHED */
+			fatal("libwrap refuse returns");
+		}
+	}
+#endif /* LIBWRAP */
 
 	/* Log the connection. */
 	verbose("Connection from %s port %d on %s port %d",
6.8p1-1 + 0.9.3-5 2015-03-20 13:56:04 +00:00			`diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac`
			`--- openssh-6.8p1/configure.ac.tcp_wrappers 2015-03-18 13:05:57.365071779 +0100`
			`+++ openssh-6.8p1/configure.ac 2015-03-18 13:05:57.408071673 +0100`
			`@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],`
restore tcp wrappers support, based on Debian patch https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html 2015-01-20 16:06:46 +00:00			`]`
			`)`

			`+# Check whether user wants TCP wrappers support`
			`+TCPW_MSG="no"`
			`+AC_ARG_WITH([tcp-wrappers],`
			`+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],`
			`+ [`
			`+ if test "x$withval" != "xno" ; then`
			`+ saved_LIBS="$LIBS"`
			`+ saved_LDFLAGS="$LDFLAGS"`
			`+ saved_CPPFLAGS="$CPPFLAGS"`
			`+ if test -n "${withval}" && \`
			`+ test "x${withval}" != "xyes"; then`
			`+ if test -d "${withval}/lib"; then`
			`+ if test -n "${need_dash_r}"; then`
			`+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"`
			`+ else`
			`+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"`
			`+ fi`
			`+ else`
			`+ if test -n "${need_dash_r}"; then`
			`+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"`
			`+ else`
			`+ LDFLAGS="-L${withval} ${LDFLAGS}"`
			`+ fi`
			`+ fi`
			`+ if test -d "${withval}/include"; then`
			`+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"`
			`+ else`
			`+ CPPFLAGS="-I${withval} ${CPPFLAGS}"`
			`+ fi`
			`+ fi`
			`+ LIBS="-lwrap $LIBS"`
			`+ AC_MSG_CHECKING([for libwrap])`
			`+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[`
			`+#include <sys/types.h>`
			`+#include <sys/socket.h>`
			`+#include <netinet/in.h>`
			`+#include <tcpd.h>`
			`+int deny_severity = 0, allow_severity = 0;`
			`+ ]], [[`
			`+ hosts_access(0);`
			`+ ]])], [`
			`+ AC_MSG_RESULT([yes])`
			`+ AC_DEFINE([LIBWRAP], [1],`
			`+ [Define if you want`
			`+ TCP Wrappers support])`
			`+ SSHDLIBS="$SSHDLIBS -lwrap"`
			`+ TCPW_MSG="yes"`
			`+ ], [`
			`+ AC_MSG_ERROR([*** libwrap missing])`
			`+`
			`+ ])`
			`+ LIBS="$saved_LIBS"`
			`+ fi`
			`+ ]`
			`+)`
			`+`
			`# Check whether user wants to use ldns`
			`LDNS_MSG="no"`
			`AC_ARG_WITH(ldns,`
6.8p1-1 + 0.9.3-5 2015-03-20 13:56:04 +00:00			`@@ -5026,6 +5082,7 @@ echo " KerberosV support`
restore tcp wrappers support, based on Debian patch https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html 2015-01-20 16:06:46 +00:00			`echo " SELinux support: $SELINUX_MSG"`
			`echo " Smartcard support: $SCARD_MSG"`
			`echo " S/KEY support: $SKEY_MSG"`
			`+echo " TCP Wrappers support: $TCPW_MSG"`
			`echo " MD5 password support: $MD5_MSG"`
			`echo " libedit support: $LIBEDIT_MSG"`
			`echo " Solaris process contract support: $SPC_MSG"`
6.8p1-1 + 0.9.3-5 2015-03-20 13:56:04 +00:00			`diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8`
			`--- openssh-6.8p1/sshd.8.tcp_wrappers 2015-03-18 13:05:57.377071749 +0100`
			`+++ openssh-6.8p1/sshd.8 2015-03-18 13:05:57.408071673 +0100`
restore tcp wrappers support, based on Debian patch https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html 2015-01-20 16:06:46 +00:00			`@@ -858,6 +858,12 @@ the user's home directory becomes access`
			`This file should be writable only by the user, and need not be`
			`readable by anyone else.`
			`.Pp`
			`+.It Pa /etc/hosts.allow`
			`+.It Pa /etc/hosts.deny`
			`+Access controls that should be enforced by tcp-wrappers are defined here.`
			`+Further details are described in`
			`+.Xr hosts_access 5 .`
			`+.Pp`
			`.It Pa /etc/hosts.equiv`
			`This file is for host-based authentication (see`
			`.Xr ssh 1 ) .`
			`@@ -981,6 +987,7 @@ IPv6 address can be used everywhere wher`
			`.Xr ssh-keygen 1 ,`
			`.Xr ssh-keyscan 1 ,`
			`.Xr chroot 2 ,`
			`+.Xr hosts_access 5 ,`
			`.Xr login.conf 5 ,`
			`.Xr moduli 5 ,`
			`.Xr sshd_config 5 ,`
6.8p1-1 + 0.9.3-5 2015-03-20 13:56:04 +00:00			`diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c`
			`--- openssh-6.8p1/sshd.c.tcp_wrappers 2015-03-18 13:05:57.402071688 +0100`
			`+++ openssh-6.8p1/sshd.c 2015-03-18 13:06:48.199947136 +0100`
			`@@ -125,6 +125,13 @@`
restore tcp wrappers support, based on Debian patch https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html 2015-01-20 16:06:46 +00:00			`#include "version.h"`
6.8p1-1 + 0.9.3-5 2015-03-20 13:56:04 +00:00			`#include "ssherr.h"`
restore tcp wrappers support, based on Debian patch https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html 2015-01-20 16:06:46 +00:00
			`+#ifdef LIBWRAP`
			`+#include <tcpd.h>`
			`+#include <syslog.h>`
			`+int allow_severity;`
			`+int deny_severity;`
			`+#endif /* LIBWRAP */`
			`+`
			`#ifndef O_NOCTTY`
			`#define O_NOCTTY 0`
			`#endif`
6.8p1-1 + 0.9.3-5 2015-03-20 13:56:04 +00:00			`@@ -2150,6 +2157,24 @@ main(int ac, char **av)`
restore tcp wrappers support, based on Debian patch https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html 2015-01-20 16:06:46 +00:00			`#ifdef SSH_AUDIT_EVENTS`
			`audit_connection_from(remote_ip, remote_port);`
			`#endif`
			`+#ifdef LIBWRAP`
			`+ allow_severity = options.log_facility\|LOG_INFO;`
			`+ deny_severity = options.log_facility\|LOG_WARNING;`
			`+ /* Check whether logins are denied from this host. */`
			`+ if (packet_connection_is_on_socket()) {`
			`+ struct request_info req;`
			`+`
			`+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);`
			`+ fromhost(&req);`
			`+`
			`+ if (!hosts_access(&req)) {`
			`+ debug("Connection refused by tcp wrapper");`
			`+ refuse(&req);`
			`+ /* NOTREACHED */`
			`+ fatal("libwrap refuse returns");`
			`+ }`
			`+ }`
			`+#endif /* LIBWRAP */`

			`/* Log the connection. */`
			`verbose("Connection from %s port %d on %s port %d",`