# net-misc/openssh-7.3_p1-r6 and tcpwrappers [PATCHED!]

## Cyker

Yikes, a bit more of a hassle this time, as there are a lot of extra patches!

Mainly the same as before; just remember to copy all the patches in files/ over as well!

Steps:

1) cp /usr/portage/net-misc/openssh/openssh-7.3_p1-r6.ebuild into your local overlay

(If you don't have one, you may need to cp -r the whole /usr/portage/net-misc/openssh/ directory into your overlay to get all the other patches in files/ too)

1a) Also copy /usr/portage/net-misc/openssh/files/openssh-7.3* into your overlay's files/ directory!

2) Modify "openssh-7.3_p1-r6.ebuild" to put back the tcp-wrappers bits

(Or use this handy patch showing exactly what I changed):

```

--- openssh-7.3_p1-r6.ebuild   2016-10-08 22:50:40.518287358 +0100

+++ openssh-7.3_p1-r10.ebuild   2016-10-08 22:56:08.473368265 +0100

@@ -33,7 +33,7 @@

 SLOT="0"

 KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

 # Probably want to drop ssl defaulting to on in a future version.

-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static tcpd test X X509"

 REQUIRED_USE="ldns? ( ssl )

    pie? ( !static )

    ssh1? ( ssl )

@@ -58,6 +58,7 @@

       )

       libressl? ( dev-libs/libressl[static-libs(+)] )

    )

+   tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )

    >=sys-libs/zlib-1.2.3[static-libs(+)]"

 RDEPEND="

    !static? ( ${LIB_DEPEND//\[static-libs(+)]} )

@@ -94,11 +95,11 @@

       die "booooo"

    fi

 

-   # Make sure people who are using tcp wrappers are notified of its removal. #531156

-   if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

-      ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

-      ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

-   fi

 }

 

 save_version() {
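Review bot: Dropping the whole hosts.{allow,deny} check means a system that still has `sshd:` rules but is built without USE=tcpd gets no notice that those rules are no longer enforced, which is precisely the situation the original ewarn was added for (#531156). Keep the grep and gate it on the flag instead: `if ! use tcpd && grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then` / `ewarn "tcp-wrappers rules for sshd found in ${EROOT}etc/hosts.{allow,deny}, but USE=tcpd is off, so they will not be enforced."` / `fi`. The enclosing function begins before this hunk; only its closing brace is visible here.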

@@ -186,6 +187,8 @@

       printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

    ) > version.h

 

+   epatch "${FILESDIR}"/${PN}-7.3p1-libwrap.diff

+

    eautoreconf

 }

 
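Review bot: The `epatch "${FILESDIR}"/${PN}-7.3p1-libwrap.diff` line applies a file that step 3 has you fetch from a third-party download site, and nothing in the ebuild verifies that what landed in files/ is the patch quoted in this post; `ebuild ... digest` simply records whatever was downloaded. Compare the fetched file against the inline copy before generating the Manifest, or save the inline copy directly. Applying the patch unconditionally rather than behind `use tcpd` is reasonable, since its configure.ac additions only take effect with --with-tcp-wrappers, and it is correctly placed before `eautoreconf`, which the configure.ac change requires. The enclosing function begins before this hunk.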

@@ -215,6 +218,7 @@

       $(use_with sctp)

       $(use_with selinux)

       $(use_with skey)

+      $(use_with tcpd tcp-wrappers)

       $(use_with ssh1)

       $(use_with ssl openssl)

       $(use_with ssl md5-passwords)

```

3) Go to http://sourceforge.net/projects/mancha/files/misc/ and download "openssh-7.3p1-libwrap.diff", then put it in your openssh overlay's files/ directory

(Or, if the site is down, blocked, or missing the file, save the following as `<overlay>/net-misc/openssh/files/openssh-7.3p1-libwrap.diff`):

```

From d27f95ec0c88f491564813a2872e6335edbb4c05 Mon Sep 17 00:00:00 2001

From: mancha <mancha1 AT zoho DOT com>

Date: Tue, 9 Aug 2016

Subject: Re-introduce TCP Wrapper support

Support for TCP Wrapper was dropped as of OpenSSH 6.7. This patch

resurrects the feature for OpenSSH 7.3p1.

Note, make sure to: autoreconf -fiv

---

 configure.ac |   58 +++++++++++++++++++++++++++++++++++++++++++++++

 sshd.8       |    7 ++++++

 sshd.c       |   25 ++++++++++++++++++++

 3 files changed, 90 insertions(+)

--- a/configure.ac

+++ b/configure.ac

@@ -1181,6 +1181,7 @@

 dnl Checks for header files.

 # Checks for libraries.

 AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])

+AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])

 

 dnl IRIX and Solaris 2.5.1 have dirname() in libgen

 AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [

@@ -1486,6 +1487,62 @@

    ]

 )

 

+# Check whether user wants TCP wrappers support

+TCPW_MSG="no"

+AC_ARG_WITH([tcp-wrappers],

+   [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],

+   [

+      if test "x$withval" != "xno" ; then

+         saved_LIBS="$LIBS"

+         saved_LDFLAGS="$LDFLAGS"

+         saved_CPPFLAGS="$CPPFLAGS"

+         if test -n "${withval}" && \

+             test "x${withval}" != "xyes"; then

+            if test -d "${withval}/lib"; then

+               if test -n "${need_dash_r}"; then

+                  LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"

+               else

+                  LDFLAGS="-L${withval}/lib ${LDFLAGS}"

+               fi

+            else

+               if test -n "${need_dash_r}"; then

+                  LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"

+               else

+                  LDFLAGS="-L${withval} ${LDFLAGS}"

+               fi

+            fi

+            if test -d "${withval}/include"; then

+               CPPFLAGS="-I${withval}/include ${CPPFLAGS}"

+            else

+               CPPFLAGS="-I${withval} ${CPPFLAGS}"

+            fi

+         fi

+         LIBS="-lwrap $LIBS"

+         AC_MSG_CHECKING([for libwrap])

+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <netinet/in.h>

+#include <tcpd.h>

+int deny_severity = 0, allow_severity = 0;

+            ]], [[

+   hosts_access(0);

+            ]])], [

+               AC_MSG_RESULT([yes])

+               AC_DEFINE([LIBWRAP], [1],

+                  [Define if you want

+                  TCP Wrappers support])

+               SSHDLIBS="$SSHDLIBS -lwrap"

+               TCPW_MSG="yes"

+            ], [

+               AC_MSG_ERROR([*** libwrap missing])

+            

+         ])

+         LIBS="$saved_LIBS"

+      fi

+   ]

+)

+

 # Check whether user wants to use ldns

 LDNS_MSG="no"

 AC_ARG_WITH(ldns,
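Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned at the top of the `--with-tcp-wrappers` block but never read; only `LIBS` is restored after the link test. If leaving the `-L`/`-I` additions in the build flags is intentional (the generated Makefiles presumably need them to find libwrap), drop the two dead assignments; otherwise restore them next to `LIBS="$saved_LIBS"`. It is also worth a one-line comment above `AC_MSG_CHECKING([for libwrap])` that the test hard-fails with `AC_MSG_ERROR([*** libwrap missing])`, so `--with-tcp-wrappers` never silently degrades to a build without hosts_access checks.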

@@ -5035,6 +5092,7 @@

 echo "                   SELinux support: $SELINUX_MSG"

 echo "                 Smartcard support: $SCARD_MSG"

 echo "                     S/KEY support: $SKEY_MSG"

+echo "              TCP Wrappers support: $TCPW_MSG"

 echo "              MD5 password support: $MD5_MSG"

 echo "                   libedit support: $LIBEDIT_MSG"

 echo "  Solaris process contract support: $SPC_MSG"

--- a/sshd.8

+++ b/sshd.8

@@ -880,6 +880,12 @@ the user's home directory becomes access

 This file should be writable only by the user, and need not be

 readable by anyone else.

 .Pp

+.It Pa /etc/hosts.allow

+.It Pa /etc/hosts.deny

+Access controls that should be enforced by tcp-wrappers are defined here.

+Further details described in

+.Xr hosts_access 5 .

+.Pp

 .It Pa /etc/hosts.equiv

 This file is for host-based authentication (see

 .Xr ssh 1 ) .

@@ -986,6 +992,7 @@ The content of this file is not sensitiv

 .Xr ssh-keygen 1 ,

 .Xr ssh-keyscan 1 ,

 .Xr chroot 2 ,

+.Xr hosts_access 5 ,

 .Xr login.conf 5 ,

 .Xr moduli 5 ,

 .Xr sshd_config 5 ,

--- a/sshd.c

+++ b/sshd.c

@@ -125,6 +125,13 @@

 #include "version.h"

 #include "ssherr.h"

 

+#ifdef LIBWRAP

+#include <tcpd.h>

+#include <syslog.h>

+int allow_severity;

+int deny_severity;

+#endif /* LIBWRAP */

+

 #ifndef O_NOCTTY

 #define O_NOCTTY   0

 #endif

@@ -2200,6 +2207,24 @@ main(int ac, char **av)

 #ifdef SSH_AUDIT_EVENTS

    audit_connection_from(remote_ip, remote_port);

 #endif

+#ifdef LIBWRAP

+   allow_severity = options.log_facility|LOG_INFO;

+   deny_severity = options.log_facility|LOG_WARNING;

+   /* Check whether logins are denied from this host. */

+   if (packet_connection_is_on_socket()) {

+      struct request_info req;

+

+      request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);

+      fromhost(&req);

+

+      if (!hosts_access(&req)) {

+         debug("Connection refused by tcp wrapper");

+         refuse(&req);

+         /* NOTREACHED */

+         fatal("libwrap refuse returns");

+      }

+   }

+#endif /* LIBWRAP */

 

    /* Log the connection. */

    laddr = get_local_ipaddr(sock_in);
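Review bot: A refused connection is reported by sshd itself only through `debug("Connection refused by tcp wrapper")`, which is invisible at the default log level, and `refuse()` does not return (as the `/* NOTREACHED */` marker and the trailing `fatal()` record), so the "Log the connection" code below this block never runs for it; the only record is whatever libwrap emits at `deny_severity`, set just above to `options.log_facility|LOG_WARNING`. Anyone building detections on sshd logs needs to know that, so add before the `if (!hosts_access(&req))` test: `/* Refusals are logged by libwrap at deny_severity; refuse() exits, so the "Connection from" line below never runs for them. */`. main() starts and ends outside this hunk.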

```

4) In your openssh overlay directory, run:

```
ebuild openssh-7.3_p1-r6.ebuild digest
```

Hopefully you'll then be able to run `emerge -av openssh` and get a working OpenSSH with tcp-wrappers support!

Once again, props to mancha for creating the patches so that I don't have to! ;D

----------

