Current-Users archive


Re: sshd appears to not be consulting /etc/hosts.allow and /etc/hosts.deny for access control, is this a known issue?



At Mon, 6 Jan 2025 22:27:51 +0000 (UTC), RVP <rvp%SDF.ORG@localhost> wrote:
Subject: Re: sshd appears to not be consulting /etc/hosts.allow and /etc/hosts.deny for access control, is this a known issue?
>
> On Mon, 6 Jan 2025, Brian Buhrow wrote:
>
> > 	Under NetBSD-10.99.12 (sources as of November 21, 2024), sshd(8) appears not to be
> > consulting the /etc/hosts.allow and /etc/hosts.deny files when deciding whether to offer a
> > banner to incoming connections.  A check with ldd against /usr/sbin/sshd and
> > /usr/lib/libssh.so.48.0 shows that libwrap.so isn't needed by either of these files.
> > Is this an intentional change and, if it is, where can I find it documented?
> >
>
> This looks like a merge mishap. OpenSSH 9.8 split sshd into 2 processes: a
> listener and a per-session binary, and a lot of code was changed then.

Perhaps the reason LIBWRAP support was lost is that it wasn't documented
as a local change in doc/3RDPARTY.

Oddly part of the patch survived, and part was left over, but none of
the meat of the business was kept.

The patch to add it back and fix up the mis-merge should be as simple
as follows (though I have not yet compiled these changes -- my -current
builds are still stymied by MKKERBEROS=no causing public symbol
differences in libraries):

Staged changes (3)
modified   crypto/external/bsd/openssh/dist/sshd-session.c
@@ -1197,6 +1197,24 @@ main(int ac, char **av)
 	 */
 	remote_ip = ssh_remote_ipaddr(ssh);

+#ifdef LIBWRAP
+	/* Check whether logins are denied from this host. */
+	if (ssh_packet_connection_is_on_socket(ssh)) {
+		struct request_info req;
+
+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+		fromhost(&req);
+
+		if (!hosts_access(&req)) {
+			debug("Connection refused by tcp wrapper");
+			/* n.b. hosts_access(3) has logged and notified blocklistd */
+			refuse(&req);
+			/* NOTREACHED */
+			fatal("libwrap refuse returns");
+		}
+	}
+#endif /* LIBWRAP */
+
 	rdomain = ssh_packet_rdomain_in(ssh);

 	/* Log the connection. */
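Review bot: the new `#ifdef LIBWRAP` block calls request_init(), fromhost(), hosts_access() and refuse(), all of which are declared in <tcpd.h>, but this hunk adds no include to sshd-session.c while the sshd.c hunk removes the only `#include <tcpd.h>` shown; unless sshd-session.c already pulls it in, the file will not compile with LIBWRAP defined. The block also relies on `sock_in` and `__progname` being in scope in sshd-session.c as they were in sshd.c, which is worth confirming since the listener/session split moved a lot of that state. Separately, nothing here touches the build glue: the ldd check in the original report found libwrap.so not linked into sshd, so the sshd-session Makefile needs to define LIBWRAP and link -lwrap, otherwise this block silently compiles out and hosts.allow/hosts.deny stay ignored.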
modified   crypto/external/bsd/openssh/dist/sshd.c
@@ -81,13 +81,6 @@ __RCSID("$NetBSD: sshd.c,v 1.54 2024/09/24 21:32:19 christos Exp $");
 #include "addr.h"
 #include "srclimit.h"

-#ifdef LIBWRAP
-#include <tcpd.h>
-#include <syslog.h>
-int allow_severity = LOG_INFO;
-int deny_severity = LOG_WARNING;
-#endif /* LIBWRAP */
-
 #ifdef WITH_LDAP_PUBKEY
 #include "ldapauth.h"
 #endif
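Review bot: removing `allow_severity` and `deny_severity` from sshd.c is consistent with the listener no longer calling hosts_access(), but the patch as posted deletes these definitions without re-adding them where the call now lives. libwrap expects the calling program to define both ints (they select the syslog level for accepted and refused connections), so unless sshd-session.c already defines them the link against libwrap will fail or the deny logging the comment in the other hunk relies on will not behave as intended. Suggest moving this exact block (the two includes and the two severity definitions) into sshd-session.c rather than dropping it.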
modified   doc/3RDPARTY
@@ -1130,6 +1130,7 @@ markus is very cooperative about it):
 - make compile with gcc-4.5; const fixes, fileno() checks, shadow fixes.
 - adjust the DEFAULT_PKCS11_WHITELIST for ssh-agent
 - blocklistd additions
+- LIBWRAP support is maintained (now in sshd-session.c)

 Package:	OpenSSL
 Version:	1.0.2o/1.1.1t/3.0.15
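Review bot: the new 3RDPARTY entry names where the check now lives but not the pieces that went missing in the mis-merge, and the whole point of the entry is to keep the next OpenSSH import from dropping them again. Suggest spelling them out in the one line: the `#ifdef LIBWRAP` block after ssh_remote_ipaddr() in sshd-session.c, the `<tcpd.h>` include with `allow_severity`/`deny_severity`, and the libwrap link for the sshd-session binary.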


--
					Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC     +1 250 762-7675           RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>     Avoncote Farms <woods%avoncote.ca@localhost>



