dist

Brian Buhrow Wed, 08 Jan 2025 05:44:51 -0800

Module Name:    src
Committed By:   buhrow
Date:           Wed Jan  8 13:37:04 UTC 2025


Modified Files:
        src/crypto/external/bsd/openssh/dist: sshd-session.c

Log Message:
Applied patches based on suggestions from Greg Woods in current-users
to address the problem that when sshd-session was merged into the NetBSD tree, 
not all the code
to support libwrap made it into the new binary.
These patches check hosts.allow and hosts.deny for both sshd-session, the 
program name of the
binary in /usr/libexec, and sshd, the traditional name of the program, 
/usr/sbin/sshd, which
calls sshd-session.  This is in an effort to retain operational compatibility 
with older
/etc/hosts.* files which people expect to continue working across OS updates.

Discussed on current-users at:

http://mail-index.NetBSD.org/current-users/2025/01/06/msg045945.html

Tested with build release and installed on multiple systems under amd64.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssh/dist/sshd-session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/external/bsd/openssh/dist/sshd-session.c
diff -u src/crypto/external/bsd/openssh/dist/sshd-session.c:1.4 src/crypto/external/bsd/openssh/dist/sshd-session.c:1.5
--- src/crypto/external/bsd/openssh/dist/sshd-session.c:1.4	Tue Sep 24 21:32:19 2024
+++ src/crypto/external/bsd/openssh/dist/sshd-session.c	Wed Jan  8 13:37:04 2025
@@ -1,4 +1,4 @@
-/*	$NetBSD: sshd-session.c,v 1.4 2024/09/24 21:32:19 christos Exp $	*/
+/*	$NetBSD: sshd-session.c,v 1.5 2025/01/08 13:37:04 buhrow Exp $	*/
 /* $OpenBSD: sshd-session.c,v 1.9 2024/09/09 02:39:57 djm Exp $ */
 
 /*
@@ -30,7 +30,7 @@
  */
 
 #include "includes.h"
-__RCSID("$NetBSD: sshd-session.c,v 1.4 2024/09/24 21:32:19 christos Exp $");
+__RCSID("$NetBSD: sshd-session.c,v 1.5 2025/01/08 13:37:04 buhrow Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -1197,6 +1197,40 @@ main(int ac, char **av)
 	 */
 	remote_ip = ssh_remote_ipaddr(ssh);
 
+#ifdef LIBWRAP
+	/* Check whether logins are denied from this host. */
+	if (ssh_packet_connection_is_on_socket(ssh)) {
+		struct request_info req;
+
+		/* First, try with the value stored in __progname */
+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+		fromhost(&req);
+
+		if (!hosts_access(&req)) {
+			debug("Connection refused by tcp wrapper");
+			/* n.b. hosts_access(3) has logged and notified blocklistd */
+			refuse(&req);
+			/* NOTREACHED */
+			fatal("libwrap refuse returns");
+		}
+
+		/*
+		 * Test with "sshd" as well, since that is what most people
+		 * will have in their hosts.allow and hosts.deny files.
+		 */
+		request_set(&req, RQ_DAEMON, "sshd", RQ_FILE, sock_in, 0);
+		fromhost(&req);
+
+		if (!hosts_access(&req)) {
+			debug("Connection refused by tcp wrapper");
+			/* n.b. hosts_access(3) has logged and notified blocklistd */
+			refuse(&req);
+			/* NOTREACHED */
+			fatal("libwrap refuse returns");
+		}
+	}
+#endif /* LIBWRAP */
+
 	rdomain = ssh_packet_rdomain_in(ssh);
 
 	/* Log the connection. */

CVS commit: src/crypto/external/bsd/openssh/dist

Reply via email to