[PATCH] tcp-wrappers support extended to x11 forwards

Osmo Paananen odie at rotta.media.sonera.net
Tue Nov 27 18:46:40 EST 2001


Hi!

Here is the patch to support tcp wrappers with x11-forwarded connections.

The patch is for openssh-3.0.1p1 but it works fine with 2.9.9p2 too.


I've understood that this will not be included in the official version
because it adds complexity (?!) to openssh.

Binding the forwarded port to localhost doesn't solve all problems. I've
understood that you should also implement forwarding for x11 unix domain
sockets.

Therefore I would ask you to reconsider putting something like my patch
here into the official version of openssh.

After all, it uses tcp wrappers only if they are enabled as configure option.

There is a reason why port 22 has support for tcp-wrappers. I think that
same reason applies to x11 forwarded ports.

If the forwarded port can be bound to localhost and it doesn't cause any
additional problems then this patch is obsolete.

Since there is no working solution to the localhost display would you please
consider this patch?


All comments are welcome.

-- 
  Osmo Paananen 

diff -u openssh-3.0.1p1/channels.c openssh-modified/channels.c
--- openssh-3.0.1p1/channels.c	Fri Oct 12 04:35:05 2001
+++ openssh-modified/channels.c	Mon Nov 26 15:53:04 2001
@@ -55,6 +55,12 @@
 #include "key.h"
 #include "authfd.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+extern int allow_severity;
+extern int deny_severity;
+#endif /* LIBWRAP */
 
 /* -- channel core */
 
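Review bot: the `extern int allow_severity; extern int deny_severity;` declarations under `LIBWRAP` make every program that links channels.c responsible for defining those two symbols, which is why the rest of the patch has to add copies to ssh.c and ssh-keyscan.c; any other program that links this code and is built with `--with-tcp-wrappers` will fail to link until it gets its own copy. A single definition in one shared file, or moving the whole wrapper check into the sshd-specific code path that owns the X11 listener, would avoid the duplication.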
@@ -1006,6 +1012,25 @@
 			error("accept: %.100s", strerror(errno));
 			return;
 		}
+#ifdef LIBWRAP
+		/* XXX LIBWRAP noes not know about IPv6 */
+		{
+		  struct request_info req;
+		  
+		  request_init(&req, RQ_DAEMON, "sshdfwd-X11", RQ_FILE, newsock, 0);
+		  fromhost(&req);
+		  
+		  if (!hosts_access(&req)) {
+		    syslog(deny_severity, "refused fwd-X11 connect from %s", eval_client(&req));
+		    close(newsock);
+		    
+		    return;
+		  }
+		  syslog(allow_severity, "fwd-X11 connect from %s", eval_client(&req));
+
+        }
+#endif /* LIBWRAP */ 
+
 		remote_ipaddr = get_peer_ipaddr(newsock);
 		remote_port = get_peer_port(newsock);
 		snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
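Review bot: `fromhost(&req)` can perform reverse and forward DNS lookups on the peer, and here it runs inside the channel event loop of the single-threaded sshd, so a slow or unreachable resolver stalls every channel of that session, not just the X11 connection being checked; consider whether the lookup can be deferred or done after the fork that handles the connection. The new daemon name `"sshdfwd-X11"` is also a new key that administrators must put in hosts.allow/hosts.deny, but nothing in the patch documents it (no sshd.8 change). Minor: the comment should read `does not know`, the closing brace at `        }` uses spaces where the surrounding code uses tabs, and `#endif /* LIBWRAP */ ` carries trailing whitespace.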
diff -u openssh-3.0.1p1/ssh-keyscan.c openssh-modified/ssh-keyscan.c
--- openssh-3.0.1p1/ssh-keyscan.c	Wed Nov 14 23:40:45 2001
+++ openssh-modified/ssh-keyscan.c	Mon Nov 26 14:04:42 2001
@@ -34,6 +34,13 @@
 #include "atomicio.h"
 #include "misc.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+#endif /* LIBWRAP */
+
 /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
    Default value is AF_UNSPEC means both IPv4 and IPv6. */
 #ifdef IPV4_DEFAULT
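Review bot: ssh-keyscan never accepts X11 connections, so `allow_severity` and `deny_severity` are defined here only to satisfy the linker for the `extern` declarations added to channels.c; the same two lines appear again in ssh.c. A brief comment saying these definitions exist only for linking would save the next reader from looking for a wrapper check in ssh-keyscan, and a single shared definition would remove the duplication entirely.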
diff -u openssh-3.0.1p1/ssh.c openssh-modified/ssh.c
--- openssh-3.0.1p1/ssh.c	Mon Nov 12 01:52:04 2001
+++ openssh-modified/ssh.c	Mon Nov 26 14:04:42 2001
@@ -80,6 +80,15 @@
 char *__progname;
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+#endif /* LIBWRAP */
+
+
+
 /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
    Default value is AF_UNSPEC means both IPv4 and IPv6. */
 #ifdef IPV4_DEFAULT
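Review bot: the three added blank lines after `#endif /* LIBWRAP */` are stray whitespace and should be trimmed to the one blank line used elsewhere in this file. As in ssh-keyscan.c, these definitions exist only so the client links against the new `extern` symbols in channels.c, since the X11 listener that performs the check lives in the server; a one-line comment to that effect would make the intent clear.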

