# net-misc/openssh-7.1_p1-r2 and tcpwrappers [PATCHED!]

## Cyker

Another new openssh, another new patch to put back removed features!

Steps:

1) cp /usr/portage/net-misc/openssh/openssh-7.1_p1-r2.ebuild into your local overlay

(If you don't have one, you may need to cp -r the whole /usr/portage/net-misc/openssh/ directory into your overlay to get all the other patches in files/ too)

2) Modify "openssh-7.1_p1-r2.ebuild" to put back the tcp-wrappers bits

(Or use this handy patch of what I did earlier!):

```

--- openssh-7.1_p1-r2.ebuild   2015-11-19 23:49:03.443146693 +0000

+++ openssh-7.1_p1-r20.ebuild   2015-11-19 23:48:14.557713695 +0000

@@ -30,7 +30,7 @@

 SLOT="0"

 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

 # Probably want to drop ssl defaulting to on in a future version.

-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static tcpd X X509"

 REQUIRED_USE="ldns? ( ssl )

    pie? ( !static )

    ssh1? ( ssl )

@@ -54,7 +54,8 @@

       )

       libressl? ( dev-libs/libressl[static-libs(+)] )

    )

-   >=sys-libs/zlib-1.2.3[static-libs(+)]"

+   >=sys-libs/zlib-1.2.3[static-libs(+)]

+   tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"

 RDEPEND="

    !static? ( ${LIB_DEPEND//\[static-libs(+)]} )

    pam? ( virtual/pam )

@@ -90,11 +91,11 @@

       die "booooo"

    fi

 

-   # Make sure people who are using tcp wrappers are notified of its removal. #531156

-   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

-      ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

-      ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

-   fi

+#   # Make sure people who are using tcp wrappers are notified of its removal. #531156

+#   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

+#      ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

+#      ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

+#   fi

 }

 

 save_version() {

@@ -167,6 +168,8 @@

       printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

    ) > version.h

 

+   epatch "${FILESDIR}"/${PN}-7.0p1-libwrap.diff

+

    eautoreconf

 }

 

@@ -196,6 +199,7 @@

       $(use_with sctp)

       $(use_with selinux)

       $(use_with skey)

+      $(use_with tcpd tcp-wrappers)

       $(use_with ssh1)

       # The X509 patch deletes this option entirely.

       $(use X509 || use_with ssl openssl)

```

3) Goto http://sourceforge.net/projects/mancha/files/misc/ and download "openssh-7.0p1-libwrap.diff" - Put this in your openssh overlay's files/ directory

(Or, if it's down/blocked/missing, cat this into <overlay>/net-misc/openssh/files):

```

From 8d9ff6155babded6ec6b866788c6dc6366b73b1e Mon Sep 17 00:00:00 2001

From: mancha <mancha1 AT zoho DOT com>

Date: Tue, 11 Aug 2015

Subject: Re-introduce TCP Wrapper support

Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch

resurrects the feature for OpenSSH 7.0p1.

---

 configure.ac |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++++

 sshd.8       |    7 +++++++

 sshd.c       |   25 +++++++++++++++++++++++

 3 files changed, 89 insertions(+)

--- a/configure.ac

+++ b/configure.ac

@@ -1424,6 +1424,62 @@ AC_ARG_WITH([skey],

    ]

 )

 

+# Check whether user wants TCP wrappers support

+TCPW_MSG="no"

+AC_ARG_WITH([tcp-wrappers],

+   [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],

+   [

+      if test "x$withval" != "xno" ; then

+         saved_LIBS="$LIBS"

+         saved_LDFLAGS="$LDFLAGS"

+         saved_CPPFLAGS="$CPPFLAGS"

+         if test -n "${withval}" && \

+             test "x${withval}" != "xyes"; then

+            if test -d "${withval}/lib"; then

+               if test -n "${need_dash_r}"; then

+                  LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"

+               else

+                  LDFLAGS="-L${withval}/lib ${LDFLAGS}"

+               fi

+            else

+               if test -n "${need_dash_r}"; then

+                  LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"

+               else

+                  LDFLAGS="-L${withval} ${LDFLAGS}"

+               fi

+            fi

+            if test -d "${withval}/include"; then

+               CPPFLAGS="-I${withval}/include ${CPPFLAGS}"

+            else

+               CPPFLAGS="-I${withval} ${CPPFLAGS}"

+            fi

+         fi

+         LIBS="-lwrap $LIBS"

+         AC_MSG_CHECKING([for libwrap])

+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <netinet/in.h>

+#include <tcpd.h>

+int deny_severity = 0, allow_severity = 0;

+            ]], [[

+   hosts_access(0);

+            ]])], [

+               AC_MSG_RESULT([yes])

+               AC_DEFINE([LIBWRAP], [1],

+                  [Define if you want

+                  TCP Wrappers support])

+               SSHDLIBS="$SSHDLIBS -lwrap"

+               TCPW_MSG="yes"

+            ], [

+               AC_MSG_ERROR([*** libwrap missing])

+            

+         ])

+         LIBS="$saved_LIBS"

+      fi

+   ]

+)

+

 # Check whether user wants to use ldns

 LDNS_MSG="no"

 AC_ARG_WITH(ldns,

@@ -4929,6 +4985,7 @@ echo "                 KerberosV support

 echo "                   SELinux support: $SELINUX_MSG"

 echo "                 Smartcard support: $SCARD_MSG"

 echo "                     S/KEY support: $SKEY_MSG"

+echo "              TCP Wrappers support: $TCPW_MSG"

 echo "              MD5 password support: $MD5_MSG"

 echo "                   libedit support: $LIBEDIT_MSG"

 echo "  Solaris process contract support: $SPC_MSG"

--- a/sshd.8

+++ b/sshd.8

@@ -850,6 +850,12 @@ the user's home directory becomes access

 This file should be writable only by the user, and need not be

 readable by anyone else.

 .Pp

+.It Pa /etc/hosts.allow

+.It Pa /etc/hosts.deny

+Access controls that should be enforced by tcp-wrappers are defined here.

+Further details described in

+.Xr hosts_access 5 .

+.Pp

 .It Pa /etc/hosts.equiv

 This file is for host-based authentication (see

 .Xr ssh 1 ) .

@@ -953,6 +959,7 @@ The content of this file is not sensitiv

 .Xr ssh-keygen 1 ,

 .Xr ssh-keyscan 1 ,

 .Xr chroot 2 ,

+.Xr hosts_access 5 ,

 .Xr login.conf 5 ,

 .Xr moduli 5 ,

 .Xr sshd_config 5 ,

--- a/sshd.c

+++ b/sshd.c

@@ -126,6 +126,13 @@

 #include "version.h"

 #include "ssherr.h"

 

+#ifdef LIBWRAP

+#include <tcpd.h>

+#include <syslog.h>

+int allow_severity;

+int deny_severity;

+#endif /* LIBWRAP */

+

 #ifndef O_NOCTTY

 #define O_NOCTTY   0

 #endif

@@ -2138,6 +2145,24 @@ main(int ac, char **av)

 #ifdef SSH_AUDIT_EVENTS

    audit_connection_from(remote_ip, remote_port);

 #endif

+#ifdef LIBWRAP

+   allow_severity = options.log_facility|LOG_INFO;

+   deny_severity = options.log_facility|LOG_WARNING;

+   /* Check whether logins are denied from this host. */

+   if (packet_connection_is_on_socket()) {

+      struct request_info req;

+

+      request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);

+      fromhost(&req);

+

+      if (!hosts_access(&req)) {

+         debug("Connection refused by tcp wrapper");

+         refuse(&req);

+         /* NOTREACHED */

+         fatal("libwrap refuse returns");

+      }

+   }

+#endif /* LIBWRAP */

 

    /* Log the connection. */

    laddr = get_local_ipaddr(sock_in);

```

 4) In the overlay for openssh, run:

```
ebuild openssh-7.1_p1-r2.ebuild digest
```

And you're done! Now you can have openssh with tcpwrappers enabled once more!

Kudos to mancha for creating the patch that makes this possible!

Props to Gentoo for being the best distro ever and making integrating these mods so easily done by end users! (Seriously, what other distro can you do this in??)

----------

## MP1

Thanks for the help in keeping this critical feature alive!

----------

