# net-misc/openssh-7.5_p1-r1 patched for tcpwrappers support

## Cyker

Oops, it's been a while! I had forgotten about this and only noticed the package had been updated because, after my last sync, I was seeing a flood of SSH brute-force attempts from hosts that should already have been blocked.

This restores tcp-wrappers (libwrap) support, so sshd once again consults /etc/hosts.allow and /etc/hosts.deny and tools that work by writing to those files (fail2ban with its hosts.deny action, denyhosts) behave as intended. Bear in mind that upstream dropped libwrap deliberately in 6.7 and this is a third-party patch, so re-check it on every version bump rather than assuming it still applies.

Steps:

1) cp /usr/portage/net-misc/openssh/openssh-7.5_p1-r1.ebuild into the corresponding place in your local overlay

2) Copy everything from /usr/portage/net-misc/openssh/files/ into your overlay's corresponding openssh/files/ directory

3) Edit the copied ebuild to put back the tcp-wrappers USE flag (`tcpd`) and the dependency/configure plumbing for it. Rename it to a higher revision than the tree's (I used openssh-7.5_p1-r10.ebuild, see the diff header below) so your copy takes precedence.

Here's a patch of what I did:

```

--- /usr/portage/net-misc/openssh/openssh-7.5_p1-r1.ebuild      2017-06-21 12:52:30.000000000 +0100

+++ /usr/local/portage/net-misc/openssh/openssh-7.5_p1-r10.ebuild       2017-07-29 19:08:47.524051474 +0100

@@ -27,7 +27,7 @@

 SLOT="0"

 KEYWORDS="alpha amd64 arm ~arm64 ~hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

 # Probably want to drop ssl defaulting to on in a future version.

-IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"

+IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static tcpd test X X509"

 REQUIRED_USE="ldns? ( ssl )

        pie? ( !static )

        ssh1? ( ssl )

@@ -53,6 +53,7 @@

                )

                libressl? ( dev-libs/libressl:0=[static-libs(+)] )

        )

+       tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )

        >=sys-libs/zlib-1.2.3:=[static-libs(+)]"

 RDEPEND="

        !static? ( ${LIB_DEPEND//\[static-libs(+)]} )

@@ -88,12 +89,6 @@

                eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

                die "booooo"

        fi

-

-       # Make sure people who are using tcp wrappers are notified of its removal. #531156

-       if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

-               ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

-               ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

-       fi

 }

 save_version() {
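Review bot: Deleting the whole hosts.{allow,deny} check (the removed `if grep -qs '^ *sshd *:' ...` block) means a user who builds with USE=tcpd disabled but still has `sshd:` rules in those files gets no warning, and the rules are silently not enforced, which is exactly the fail-open situation this post is trying to avoid. Gate the existing check on the new flag instead of removing it: `if ! use tcpd && grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then` / `ewarn "USE=tcpd is disabled, so the sshd entries in ${EROOT}etc/hosts.{allow,deny} will be ignored."` / `fi`. The enclosing function starts before this hunk.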

@@ -172,6 +167,8 @@

                printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

        ) > version.h

+       epatch "${FILESDIR}"/${PN}-7.5p1-libwrap.diff

+

        eautoreconf

 }
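Review bot: `epatch "${FILESDIR}"/${PN}-7.5p1-libwrap.diff` is applied unconditionally, so a build with USE=tcpd disabled still carries the third-party configure.ac and sshd.c changes even though the configure flag added later in this diff will be `--without-tcp-wrappers`; gating it with `use tcpd && epatch "${FILESDIR}"/${PN}-7.5p1-libwrap.diff` keeps the unpatched tree as the default. Keeping the call before `eautoreconf` is correct, since the patch edits configure.ac and its header says autoreconf is required. A one-line comment above it, `# re-adds the libwrap hook upstream removed in 6.7 (third-party patch, re-check on bump)`, would tell the next maintainer why an out-of-tree patch is being applied here. The enclosing function's start is outside this hunk.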

@@ -202,6 +199,7 @@

                $(use X509 || use_with sctp)

                $(use_with selinux)

                $(use_with skey)

+               $(use_with tcpd tcp-wrappers)

                $(use_with ssh1)

                $(use_with ssl openssl)

                $(use_with ssl md5-passwords)

```

4) Go to http://sourceforge.net/projects/mancha/files/misc/ and download "openssh-7.5p1-libwrap.diff"; put it in your overlay's openssh files/ directory as well. It is served over plain HTTP from a third-party project and no checksum or signature is given here, so compare what you download against the copy pasted below before building with it.

(Or, if that site is down/blocked/missing, save the following as <overlay>/net-misc/openssh/files/openssh-7.5p1-libwrap.diff):

```

From 6dc0a5224363f8c6a09dc423b1520e7ac40a94b7 Mon Sep 17 00:00:00 2001

From: mancha <mancha1 AT zoho DOT com>

Date: Tue, 18 Jul 2017

Subject: Re-introduce TCP Wrapper support

Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch

resurrects the feature for OpenSSH 7.5p1.

Note, make sure to: autoreconf -fiv

---

 configure.ac |   58 +++++++++++++++++++++++++++++++++++++++++++++++

 sshd.8       |    7 ++++++

 sshd.c       |   25 ++++++++++++++++++++

 3 files changed, 90 insertions(+)

--- a/configure.ac

+++ b/configure.ac

@@ -1165,6 +1165,7 @@

 dnl Checks for header files.

 # Checks for libraries.

 AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])

+AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])

 dnl IRIX and Solaris 2.5.1 have dirname() in libgen

 AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
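Review bot: `AC_CHECK_LIB([nsl], [yp_match])` with the default action adds `-lnsl` to `LIBS` for every program in the build, not just sshd, whereas `-lwrap` itself is scoped to `SSHDLIBS` further down in this patch; if libwrap is the only consumer, consider running the check inside the `--with-tcp-wrappers` branch so client binaries do not pick up the extra library. Either way the added line needs a why-comment, e.g. `dnl libwrap may need yp_match() from libnsl for @netgroup rules in hosts.allow/deny`; that the NIS dependency is there for libwrap is my inference from its placement in this patch, so confirm before wording it.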

@@ -1470,6 +1471,62 @@

        ]

 )

+# Check whether user wants TCP wrappers support

+TCPW_MSG="no"

+AC_ARG_WITH([tcp-wrappers],

+       [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],

+       [

+               if test "x$withval" != "xno" ; then

+                       saved_LIBS="$LIBS"

+                       saved_LDFLAGS="$LDFLAGS"

+                       saved_CPPFLAGS="$CPPFLAGS"

+                       if test -n "${withval}" && \

+                           test "x${withval}" != "xyes"; then

+                               if test -d "${withval}/lib"; then

+                                       if test -n "${need_dash_r}"; then

+                                               LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"

+                                       else

+                                               LDFLAGS="-L${withval}/lib ${LDFLAGS}"

+                                       fi

+                               else

+                                       if test -n "${need_dash_r}"; then

+                                               LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"

+                                       else

+                                               LDFLAGS="-L${withval} ${LDFLAGS}"

+                                       fi

+                               fi

+                               if test -d "${withval}/include"; then

+                                       CPPFLAGS="-I${withval}/include ${CPPFLAGS}"

+                               else

+                                       CPPFLAGS="-I${withval} ${CPPFLAGS}"

+                               fi

+                       fi

+                       LIBS="-lwrap $LIBS"

+                       AC_MSG_CHECKING([for libwrap])

+                       AC_LINK_IFELSE([AC_LANG_PROGRAM([[

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <netinet/in.h>

+#include <tcpd.h>

+int deny_severity = 0, allow_severity = 0;

+                               ]], [[

+       hosts_access(0);

+                               ]])], [

+                                       AC_MSG_RESULT([yes])

+                                       AC_DEFINE([LIBWRAP], [1],

+                                               [Define if you want

+                                               TCP Wrappers support])

+                                       SSHDLIBS="$SSHDLIBS -lwrap"

+                                       TCPW_MSG="yes"

+                               ], [

+                                       AC_MSG_ERROR([*** libwrap missing])

+

+                       ])

+                       LIBS="$saved_LIBS"

+               fi

+       ]

+)

+

 # Check whether user wants to use ldns

 LDNS_MSG="no"

 AC_ARG_WITH(ldns,
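Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured at the top of the `--with-tcp-wrappers` branch but never restored, unlike `saved_LIBS`, so the `-L`/`-R`/`-I` flags from a `=PATH` argument persist into every later configure check and the final link. If that is intended (the flags are needed to build sshd against a non-system libwrap) the two assignments are dead and should be dropped with a comment saying the path flags deliberately persist; if not, restore them after `AC_LINK_IFELSE` next to `LIBS="$saved_LIBS"`. Note that `-R${withval}` bakes a runtime library search path into sshd, which deserves a mention in the help text. Failing hard with `AC_MSG_ERROR([*** libwrap missing])` when wrappers were requested but cannot be linked is the right fail-closed choice and should stay.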

@@ -5093,6 +5150,7 @@

 echo "                   SELinux support: $SELINUX_MSG"

 echo "                 Smartcard support: $SCARD_MSG"

 echo "                     S/KEY support: $SKEY_MSG"

+echo "              TCP Wrappers support: $TCPW_MSG"

 echo "              MD5 password support: $MD5_MSG"

 echo "                   libedit support: $LIBEDIT_MSG"

 echo "                   libldns support: $LDNS_MSG"

--- a/sshd.8

+++ b/sshd.8

@@ -825,6 +825,12 @@ the user's home directory becomes access

 This file should be writable only by the user, and need not be

 readable by anyone else.

 .Pp

+.It Pa /etc/hosts.allow

+.It Pa /etc/hosts.deny

+Access controls that should be enforced by tcp-wrappers are defined here.

+Further details described in

+.Xr hosts_access 5 .

+.Pp

 .It Pa /etc/hosts.equiv

 This file is for host-based authentication (see

 .Xr ssh 1 ) .

@@ -929,6 +935,7 @@ The content of this file is not sensitiv

 .Xr ssh-keygen 1 ,

 .Xr ssh-keyscan 1 ,

 .Xr chroot 2 ,

+.Xr hosts_access 5 ,

 .Xr login.conf 5 ,

 .Xr moduli 5 ,

 .Xr sshd_config 5 ,

--- a/sshd.c

+++ b/sshd.c

@@ -123,6 +123,13 @@

 #include "version.h"

 #include "ssherr.h"

+#ifdef LIBWRAP

+#include <tcpd.h>

+#include <syslog.h>

+int allow_severity;

+int deny_severity;

+#endif /* LIBWRAP */

+

 /* Re-exec fds */

 #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)

 #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)

@@ -1985,6 +1992,24 @@ main(int ac, char **av)

 #ifdef SSH_AUDIT_EVENTS

        audit_connection_from(remote_ip, remote_port);

 #endif

+#ifdef LIBWRAP

+       allow_severity = options.log_facility|LOG_INFO;

+       deny_severity = options.log_facility|LOG_WARNING;

+       /* Check whether logins are denied from this host. */

+       if (packet_connection_is_on_socket()) {

+               struct request_info req;

+

+               request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);

+               fromhost(&req);

+

+               if (!hosts_access(&req)) {

+                       debug("Connection refused by tcp wrapper");

+                       refuse(&req);

+                       /* NOTREACHED */

+                       fatal("libwrap refuse returns");

+               }

+       }

+#endif /* LIBWRAP */

        /* Log the connection. */

        laddr = get_local_ipaddr(sock_in);
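Review bot: The access check uses `RQ_DAEMON, __progname`, so libwrap matches hosts.{allow,deny} entries against whatever name sshd was started as rather than a fixed "sshd"; if, as elsewhere in sshd.c, `__progname` comes from argv[0], a daemon launched through a renamed binary or symlink will not match `sshd:` rules and the deny list is silently bypassed. Add a comment above `request_init`, e.g. `/* hosts_access() matches on the daemon name; it is taken from argv[0], so rules must use the name sshd is invoked as */`, or pass the literal `"sshd"` if that is the contract you want. `allow_severity`/`deny_severity` are built by OR-ing `options.log_facility` with `LOG_INFO`/`LOG_WARNING`, but `options.log_facility` looks like OpenSSH's internal SyslogFacility enum rather than a syslog LOG_* facility value, so confirm the resulting priority is what you expect before relying on libwrap's "refused connect" syslog line for fail2ban matching (this mirrors the pre-6.7 upstream code, so it may be a long-standing quirk). The `debug("Connection refused by tcp wrapper")` is only visible at LogLevel DEBUG; the line emitted by `refuse()` is what operators will actually see. `main()` starts and ends outside this hunk.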

```

5) In the overlay directory for openssh, run:

```
# Regenerate the overlay's Manifest so portage accepts the edited ebuild.
# Use the revision you actually named the file (the diff above shows -r10, not -r1).
ebuild openssh-7.5_p1-r1.ebuild digest
```

Hopefully you'll then be able to run `emerge -av openssh` and get a working sshd with tcp-wrappers support. Make sure the `tcpd` USE flag is enabled for net-misc/openssh (e.g. in package.use), since the ebuild does not turn it on by default. You may notice my ebuild is -r10: that is to make sure it supersedes the tree's -r1; if the tree were at -r2 I'd make mine -r20, and so on. Whatever revision you pick, use that same filename in step 3 and in the `ebuild ... digest` command above.

Kudos to mancha for keeping up these patches and keeping things like fail2ban and denyhosts alive on newer opensshs!

----------

