heads up: tcpwrappers support going away
Damien Miller
djm at mindrot.org
Thu Apr 24 10:07:13 EST 2014
On Thu, 24 Apr 2014, Damien Miller wrote:
> On Wed, 23 Apr 2014, Damien Miller wrote:
>
> > A simple way out of this would be adding "Match exec" support to sshd_config
> > like ssh_config got in the last couple of releases. Anyone want to do this?
>
> like this:
>
> Index: servconf.c
...
and applied using:
	Match exec "/path/to/wrapssh '%h' '%a' '%l' '%A'"
		MaxAuthTries 0
with a helper as simple as: (btw, I'd accept a fleshed-out version of this
for contrib/ if anyone wants to do the work)
	#include <syslog.h>
	#include <tcpd.h>

	/* libwrap declares these extern in tcpd.h; the program must define them */
	int allow_severity = LOG_INFO;
	int deny_severity = LOG_WARNING;

	int
	main(int argc, char **argv)
	{
		struct request_info req;

		openlog("sshd-tcpwrap", LOG_NDELAY|LOG_PERROR|LOG_PID, LOG_AUTH);
		/* Client host, client address, server host, server address */
		if (argc != 5) {
			syslog(LOG_ERR, "expected 4 arguments, got %d", argc - 1);
			return 2;
		}
		/* Build the request that hosts.allow/hosts.deny are evaluated against */
		request_init(&req,
		    RQ_DAEMON, "sshd",
		    RQ_CLIENT_NAME, argv[1],
		    RQ_CLIENT_ADDR, argv[2],
		    RQ_SERVER_NAME, argv[3],
		    RQ_SERVER_ADDR, argv[4],
		    0);
		/* hosts_access() returns zero when access is denied */
		if (!hosts_access(&req)) {
			syslog(LOG_ERR, "tcpwrappers refused connection");
			return 1;
		}
		return 0;
	}
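
Added example, not part of the original post or of OpenSSH: argument checks that a fleshed-out helper could run before request_init(), since its four arguments are expanded from connection data and pass through a shell command line. The names check_wrap_args, valid_host and valid_addr, the length limit and the allowed character set are assumptions made for this sketch.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>

#define MAX_HOST_LEN 255	/* assumption: upper bound for a host name */

/* Return 1 if s parses as an IPv4 or IPv6 literal, else 0. */
static int
valid_addr(const char *s)
{
	unsigned char buf[sizeof(struct in6_addr)];

	return inet_pton(AF_INET, s, buf) == 1 ||
	    inet_pton(AF_INET6, s, buf) == 1;
}

/* Return 1 if s looks like a host name or address literal, else 0. */
static int
valid_host(const char *s)
{
	size_t i, len = strlen(s);

	if (len == 0 || len > MAX_HOST_LEN || s[0] == '-' || s[0] == '.')
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		/* assumed allow-list: letters, digits and . - _ : only */
		if (!isalnum(c) && c != '.' && c != '-' && c != '_' && c != ':')
			return 0;
	}
	return 1;
}

/*
 * argv layout as in the helper above: client host, client address,
 * server host, server address. Returns 0 if all pass, -1 otherwise.
 */
int
check_wrap_args(int argc, char **argv)
{
	if (argc != 5)
		return -1;
	if (!valid_host(argv[1]) || !valid_host(argv[3]))
		return -1;
	if (!valid_addr(argv[2]) || !valid_addr(argv[4]))
		return -1;
	return 0;
}
```

A helper using this would call check_wrap_args(argc, argv) first, log the rejection with syslog() and exit with a distinct status when it returns -1.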