# net-misc/openssh-6.9_p1-r2 and tcpwrappers [PATCHED!]

## Cyker

Summary:

1) Will openssh-6.7 continue to be supported for a long time?

2) Else, what is the recommended alternative to hosts.{allow,deny} and SEC blacklisting?

Verbose:

Another emerge --sync, another problem...! (lol)

It seems as of v6.9, openssh no longer supports tcpwrappers. (Eek!)

As tcpwrappers is the primary guardian for my ssh'ing, this is obviously quite a big problem. (Erk)

As I see it I have two options:

1) Mask >net-misc/openssh-6.9

2) Roll an alternative to tcpwrappers + SEC

1) is an easy default, but I am concerned it will stop being supported in the near future.

2) will, I suspect, require considerably more zots to execute; if this future-proofs it, I don't mind, but I will require suggestions and help.

I currently have some known systems whitelisted with hosts.deny, and am using SEC to scan for sshd breach attempts and add them to hosts.deny.

The setup has been tweaked a lot over time, and works pretty well with some extra rules to defeat sneakiness, which is why I'm reluctant to throw it all away.

What are your thoughts for options and implementation for option 2?

*Last edited by Cyker on Wed Jul 22, 2015 8:57 pm; edited 1 time in total*
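As an added illustration, not part of the thread or of tcp-wrappers itself: a small Python model of the hosts_access(5) decision (a hosts.allow match admits, then a hosts.deny match refuses, otherwise the client is admitted) that sshd's libwrap check makes, so a "whitelist the known systems, deny everything else" policy like the one described above can be checked offline before it goes live. The rule text and client addresses are constructed sample data, and only ALL, trailing-dot prefixes, net/mask patterns and EXCEPT are modelled.

```python
import ipaddress

# Constructed sample policy (not from the thread): admit sshd from two known
# networks minus one excluded subnet, and refuse every other sshd client.
HOSTS_ALLOW = """
# lines starting with '#' and blank lines are ignored, as in hosts_access(5)
sshd : 192.168.1. 10.0.0.0/255.255.0.0 EXCEPT 10.0.5.
"""
HOSTS_DENY = """
sshd : ALL
"""

def match_client(pattern, ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # leading-octet prefix, e.g. "192.168.1."
        return ip.startswith(pattern)
    if "/" in pattern:               # net/mask form, e.g. "10.0.0.0/255.255.0.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip             # literal address

def match_list(tokens, match):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], match) and not match_list(tokens[i + 1:], match)
    return any(match(tok) for tok in tokens)

def rule_matches(rule, daemon, ip):
    """'daemon_list : client_list [: command]' matches when both lists match."""
    fields = [f.replace(",", " ").split() for f in rule.split(":")]
    if len(fields) < 2:              # malformed line: needs both lists
        return False
    return (match_list(fields[0], lambda d: d in ("ALL", daemon))
            and match_list(fields[1], lambda c: match_client(c, ip)))

def table_matches(text, daemon, ip):
    """True if any live rule in a hosts.allow/hosts.deny table matches."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and rule_matches(line, daemon, ip):
            return True
    return False

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: hosts.allow match admits, else hosts.deny match refuses, else admit."""
    if table_matches(allow, daemon, ip):
        return True
    return not table_matches(deny, daemon, ip)
```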

----------

## eccerr0r

Interesting:

 *Changelog of openssh 6.7 wrote:*   

> 20140612 - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
> 
>    been removed from sshd.c.

 

I wonder how long it's been gone, I think 6.7 didn't have support, either.

I haven't noticed, always thought that new hosts keep hitting my machine despite using tcpwrappers.  I just ignored them and hope hostkey/password is sufficient to not let them in, despite the distributed and dictionary attacks...

----------

## Cyker

 :Shocked: 

Oh shi-<CARRIER LOST>

----------

## eccerr0r

Apparently there are other distributions that question whether people were still using tcpwrappers instead of using firewall rules, etc.  But I suppose there are still people who use tcpwrappers.

Anyone else still using tcpwrappers?

Should tcpwrappers be put back in?   I'd think it's slowly going away for most things as it's slow...

----------

## Cyker

Well I would think so since it seems most early-deny monitors like fail2ban and denyhosts also use tcp-wrappers as their primary blacklisting mechanism...

I mainly use it because it's very simple to set up and has been tried and tested. Also I don't currently know of an equivalent alternative.

Still, it's kind of a dick move of the openssh guys to remove support of a fairly critical security feature without any major warning; if it wasn't for the warning in the ebuild I'd never have even known!!!  :Shocked: 

From what I've seen it's not just me; a fair number of people have been caught out by this too, judging by the posts floating around begging them and/or distro maintainers to put it back in.

Even our distro maintainers were caught out it seems, as they didn't notice the removal in 6.7 either, and only put the warnings in in later versions (annoyingly, after the last versions that still had it had fallen out of the tree!)

Still, it doesn't look too hard to patch it back in; I have found a small patch for 6.7p1 at http://www.gossamer-threads.com/lists/openssh/dev/59543 and 6.9p1 at http://www.gossamer-threads.com/lists/openssh/dev/62743 which puts back tcp-wrappers support, so I'll see how that goes...

Judging by the need for autoreconf I think some ebuild massaging will be needed...

----------

## Cyker

Well that was a lot easier than I thought! \:D/

+1 to Portage's flexibility! :)

WOT I DID:

1) cp -r /usr/portage/net-misc/openssh into local overlay

2) Modify openssh-6.9_p1-r2.ebuild to put back the tcp-wrappers bits

(Or use this handy patch of what I did earlier!)

```

--- openssh-6.9_p1-r2.ebuild   2015-07-22 10:20:22.419265771 +0100

+++ openssh-6.9_p1-r20.ebuild   2015-07-22 18:19:26.733580702 +0100

@@ -30,7 +30,7 @@

 SLOT="0"

 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ~ppc ppc64 s390 sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

 # Probably want to drop ssl defaulting to on in a future version.

-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static tcpd X X509"

 REQUIRED_USE="pie? ( !static )

    ssh1? ( ssl )

    static? ( !kerberos !pam )

@@ -44,7 +44,8 @@

       >=dev-libs/openssl-0.9.6d:0[bindist=]

       dev-libs/openssl[static-libs(+)]

    )

-   >=sys-libs/zlib-1.2.3[static-libs(+)]"

+   >=sys-libs/zlib-1.2.3[static-libs(+)]

+   tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"

 RDEPEND="

    !static? (

       ${LIB_DEPEND//\[static-libs(+)]}

@@ -92,12 +93,12 @@

       die "booooo"

    fi

 

-   # Make sure people who are using tcp wrappers are notified of its removal. #531156

-   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

-      eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

-      eerror "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

-      die "USE=tcpd no longer works"

-   fi

+#   # Make sure people who are using tcp wrappers are notified of its removal. #531156

+#   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

+#      eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

+#      eerror "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

+#      die "USE=tcpd no longer works"

+#   fi

 }

 

 save_version() {

@@ -168,6 +169,8 @@

       printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

    ) > version.h

 

+   epatch "${FILESDIR}"/${PN}-6.9p1-libwrap.diff

+

    eautoreconf

 }

 

@@ -198,6 +201,7 @@

       $(use_with sctp)

       $(use_with selinux)

       $(use_with skey)

+      $(use_with tcpd tcp-wrappers)

       $(use_with ssh1)

       # The X509 patch deletes this option entirely.

       $(use X509 || use_with ssl openssl)

```
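Review bot: in the `@@ -92,12 +93,12 @@` hunk the tcp-wrappers removal check is commented out with `#` rather than deleted, which leaves six lines of dead code and a stale reference to #531156 for a check that no longer runs. Deleting the block outright, or replacing it with a one-line comment explaining why the check is gone, keeps the ebuild readable and avoids the question at the next bump of whether the commented lines should come back.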

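Review bot: in the `@@ -168,6 +169,8 @@` hunk, `epatch "${FILESDIR}"/${PN}-6.9p1-libwrap.diff` is applied unconditionally and hard-codes the upstream version in the file name, so every version bump needs the file renamed and re-checked against the new configure.ac and sshd.c, and USE=-tcpd builds still carry the patched configure.ac (harmless, since the added code sits behind `--with-tcp-wrappers` and `#ifdef LIBWRAP`). Running it before `eautoreconf` is correct, because the patch edits configure.ac.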
3) Download the tcp-wrapper patch I posted in the previous post and put it in files/ (or cat this into <overlay>/net-misc/openssh/files)

```

From 6528336124b7736040e2e55fb2d1a105b9b382f3 Mon Sep 17 00:00:00 2001

From: mancha <mancha1 AT zoho DOT com>

Date: Wed, 1 Jul 2015

Subject: Re-introduce TCP Wrapper support

Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch

resurrects the feature for OpenSSH 6.9p1.

Note: autoreconf -fiv and configure with --with-tcp-wrappers

---

 configure.ac |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++++

 sshd.8       |    7 +++++++

 sshd.c       |   25 +++++++++++++++++++++++

 3 files changed, 89 insertions(+)

--- a/configure.ac

+++ b/configure.ac

@@ -1424,6 +1424,62 @@ AC_ARG_WITH([skey],

    ]

 )

 

+# Check whether user wants TCP wrappers support

+TCPW_MSG="no"

+AC_ARG_WITH([tcp-wrappers],

+   [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],

+   [

+      if test "x$withval" != "xno" ; then

+         saved_LIBS="$LIBS"

+         saved_LDFLAGS="$LDFLAGS"

+         saved_CPPFLAGS="$CPPFLAGS"

+         if test -n "${withval}" && \

+             test "x${withval}" != "xyes"; then

+            if test -d "${withval}/lib"; then

+               if test -n "${need_dash_r}"; then

+                  LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"

+               else

+                  LDFLAGS="-L${withval}/lib ${LDFLAGS}"

+               fi

+            else

+               if test -n "${need_dash_r}"; then

+                  LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"

+               else

+                  LDFLAGS="-L${withval} ${LDFLAGS}"

+               fi

+            fi

+            if test -d "${withval}/include"; then

+               CPPFLAGS="-I${withval}/include ${CPPFLAGS}"

+            else

+               CPPFLAGS="-I${withval} ${CPPFLAGS}"

+            fi

+         fi

+         LIBS="-lwrap $LIBS"

+         AC_MSG_CHECKING([for libwrap])

+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <netinet/in.h>

+#include <tcpd.h>

+int deny_severity = 0, allow_severity = 0;

+            ]], [[

+   hosts_access(0);

+            ]])], [

+               AC_MSG_RESULT([yes])

+               AC_DEFINE([LIBWRAP], [1],

+                  [Define if you want

+                  TCP Wrappers support])

+               SSHDLIBS="$SSHDLIBS -lwrap"

+               TCPW_MSG="yes"

+            ], [

+               AC_MSG_ERROR([*** libwrap missing])

+            

+         ])

+         LIBS="$saved_LIBS"

+      fi

+   ]

+)

+

 # Check whether user wants to use ldns

 LDNS_MSG="no"

 AC_ARG_WITH(ldns,

@@ -4904,6 +4960,7 @@ echo "                 KerberosV support

 echo "                   SELinux support: $SELINUX_MSG"

 echo "                 Smartcard support: $SCARD_MSG"

 echo "                     S/KEY support: $SKEY_MSG"

+echo "              TCP Wrappers support: $TCPW_MSG"

 echo "              MD5 password support: $MD5_MSG"

 echo "                   libedit support: $LIBEDIT_MSG"

 echo "  Solaris process contract support: $SPC_MSG"

--- a/sshd.8

+++ b/sshd.8

@@ -853,6 +853,12 @@ the user's home directory becomes access

 This file should be writable only by the user, and need not be

 readable by anyone else.

 .Pp

+.It Pa /etc/hosts.allow

+.It Pa /etc/hosts.deny

+Access controls that should be enforced by tcp-wrappers are defined here.

+Further details described in

+.Xr hosts_access 5 .

+.Pp

 .It Pa /etc/hosts.equiv

 This file is for host-based authentication (see

 .Xr ssh 1 ) .

@@ -956,6 +962,7 @@ The content of this file is not sensitiv

 .Xr ssh-keygen 1 ,

 .Xr ssh-keyscan 1 ,

 .Xr chroot 2 ,

+.Xr hosts_access 5 ,

 .Xr login.conf 5 ,

 .Xr moduli 5 ,

 .Xr sshd_config 5 ,

--- a/sshd.c

+++ b/sshd.c

@@ -125,6 +125,13 @@

 #include "version.h"

 #include "ssherr.h"

 

+#ifdef LIBWRAP

+#include <tcpd.h>

+#include <syslog.h>

+int allow_severity;

+int deny_severity;

+#endif /* LIBWRAP */

+

 #ifndef O_NOCTTY

 #define O_NOCTTY   0

 #endif

@@ -2134,6 +2141,24 @@ main(int ac, char **av)

 #ifdef SSH_AUDIT_EVENTS

    audit_connection_from(remote_ip, remote_port);

 #endif

+#ifdef LIBWRAP

+   allow_severity = options.log_facility|LOG_INFO;

+   deny_severity = options.log_facility|LOG_WARNING;

+   /* Check whether logins are denied from this host. */

+   if (packet_connection_is_on_socket()) {

+      struct request_info req;

+

+      request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);

+      fromhost(&req);

+

+      if (!hosts_access(&req)) {

+         debug("Connection refused by tcp wrapper");

+         refuse(&req);

+         /* NOTREACHED */

+         fatal("libwrap refuse returns");

+      }

+   }

+#endif /* LIBWRAP */

 

    /* Log the connection. */

    laddr = get_local_ipaddr(sock_in);

```
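Review bot: in the configure.ac hunk, `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned but never restored; only `LIBS="$saved_LIBS"` is put back after the link test. Leaving the `-L`/`-R`/`-I` entries from `--with-tcp-wrappers=PATH` in the global flags is what lets sshd.c find `tcpd.h` later, so either drop the two dead assignments or restore them and add the paths deliberately. Note also that `AC_MSG_ERROR([*** libwrap missing])` makes `--with-tcp-wrappers` a hard requirement rather than an auto-detect, which fits the ebuild's `tcpd? ( >=sys-apps/tcp-wrappers-7.6 ... )` dependency.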

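Review bot: in the sshd.c `main()` hunk, a refused client never reaches the `/* Log the connection. */` block below, so the only record of the refusal is what libwrap writes at `deny_severity` (`options.log_facility|LOG_WARNING`) plus a `debug()` line; anyone driving fail2ban, denyhosts or SEC from sshd's own messages should confirm that facility is captured by syslog. `refuse()` exits, so the following `fatal("libwrap refuse returns")` is only a guard, and the `packet_connection_is_on_socket()` test correctly skips the check when the connection descriptor is not a socket.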
4) In the overlay for openssh, run

```
ebuild openssh-6.9_p1-r2.ebuild digest
```

And you're done! Now emerge updating openssh should put back tcp-wrappers, putting back a layer of security and re-enabling things like fail2ban and denyhosts (And my SEC monitor!)

I'm still open to suggestions for alternatives, but this'll do me for now ^____^

----------

## gordonp

 *eccerr0r wrote:*   

> Anyone else still using tcpwrappers?
> 
> Should tcpwrappers be put back in?

 

Yes... to both Qs.

I believe in defense-in-depth, and tcpd is a valuable belt in addition to suspenders.

----------

## eccerr0r

Who volunteers to get this patch kept in Gentoo, so whenever openssl/openssh versionbumps, the patch also gets fixed? :o

If enough people still want it, might have to get openssh to re-include it.

I've pretty much migrated out of tcpwrappers for ssh, mostly because maintaining huge deny files was a PITA.  Sigh...doing what the openssh guys wanted...

----------

