tcpwrappers
-----------
- changes to make it compile under Solaris
- changes to let it run on machines that do not have IPv6 enabled
I did not know how to test the TLI part, because I have no test case.
The whole thing (with or without my patches) will not run on Solaris
versions before Solaris 8, I think.
openssh
-------
- changes to 'configure' because the test for the library that contains
nanosleep() needed to be performed before the test for a usable libwrap.
Well, my main goal was to realize a mechanism that accepts ssh logins only
from known hosts. This is difficult when dynamic IP addresses come into
play. There was an article in the German journal iX that describes some
routines to apply changes to "hosts.allow" controlled by PGP-signed mails.
Does anyone know whether there is a "ready to use" version somewhere?
(mk)
Attachments:
tcpwrappers.patch : updated patch
openssh.tar : includes openssh_config.patch and a new version of
openssh.spec
--
Matthias Kurz; Fuldastr. 3; D-28199 Bremen; VOICE +49 421 53 600 47
>> Im prämotorischen Cortex kann jeder ein Held sein. (bdw) <<
Index: Makefile
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/Makefile,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 Makefile
--- Makefile 3 Jan 2003 18:52:40 -0000 1.1.1.1
+++ Makefile 11 Nov 2003 00:18:26 -0000
@@ -128,12 +128,12 @@
386bsd netbsd bsdos:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
- EXTRA_CFLAGS=VSYSLOG= all
+ EXTRA_CFLAGS= VSYSLOG= all
freebsd:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
- EXTRA_CFLAGS=VSYSLOG= all
+ EXTRA_CFLAGS=-I. VSYSLOG= all
linux:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
@@ -183,11 +183,15 @@
# SunOS 5.x is another SYSV4 variant.
sunos5:
- @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
- LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ @case `uname -r` in \
+ 5.6) RTLIB="-lposix4";; \
+ *) RTLIB="-lrt";; \
+ esac; \
+ make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl $$RTLIB" RANLIB=echo ARFLAGS=rv VSYSLOG= \
NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
BUGS="$(BUGS)" all \
- EXTRA_CFLAGS=-DNEED_SETENV
+ EXTRA_CFLAGS="-DNEED_SETENV -DNEED_GETOPT"
# Generic SYSV40
esix sysv4:
Index: fix_options.c
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/fix_options.c,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 fix_options.c
--- fix_options.c 5 Jan 2003 01:27:10 -0000 1.1.1.1
+++ fix_options.c 11 Nov 2003 00:18:26 -0000
@@ -47,7 +47,14 @@
clean_exit(request);
}
if (ADDR_FAM(&ss) == AF_INET) {
+#if defined(__FreeBSD__) || defined(__sun__)
+ unsigned char optbuf[BUFFER_SIZE / 3];
+ int optlen;
+ struct in_addr dummy;
+ unsigned char *ucp;
+#else
struct ip_opts optbuf;
+#endif
char lbuf[BUFFER_SIZE], *lp, *cp;
struct protoent *ip;
int optsize = sizeof(optbuf);
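Review bot: `struct in_addr dummy;` on L73 is declared only so that `sizeof(dummy.s_addr)` can be taken in the next hunk's `#define ADDR_LEN` (L85); `sizeof(struct in_addr)` says the same without an unused local, and that macro is defined inside the function body and never `#undef`'d, so it stays visible for the rest of the translation unit. Suggest dropping `dummy` and replacing the macro with a local in this declaration block, `const size_t addr_len = sizeof(struct in_addr);`, used as `ucp = optbuf + addr_len` in the loop header. The start offset presumably reflects a first-hop address that the IP_OPTIONS socket option returns ahead of the option bytes on these platforms; a one-line comment saying so at the loop would help the next reader. The enclosing function starts before this hunk.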
@@ -65,9 +72,15 @@
* here was wrong.
*/
+#if defined(__FreeBSD__) || defined(__sun__)
+#define ADDR_LEN sizeof(dummy.s_addr)
+ for (ucp = optbuf + ADDR_LEN; ucp < optbuf + optsize; ucp += optlen) {
+ u_char c = ucp[IPOPT_OPTVAL];
+#else
for (i = 0; (void *)&optbuf.ip_opts[i] - (void *)&optbuf <
optsize; ) {
u_char c = (u_char)optbuf.ip_opts[i];
+#endif
if (c == IPOPT_LSRR || c == IPOPT_SSRR) {
syslog(LOG_WARNING,
"refused connect from %s with IP source routing options",
@@ -77,7 +90,17 @@
}
if (c == IPOPT_EOL)
break;
+#if defined(__FreeBSD__) || defined(__sun__)
+ if (c == IPOPT_NOP)
+ optlen = 1;
+ else {
+ optlen = cp[IPOPT_OLEN];
+ if (optlen <= 0) /* Do not loop! */
+ break;
+ }
+#else
i += (c == IPOPT_NOP) ? 1 : (u_char)optbuf.ip_opts[i+1];
+#endif
}
lp = lbuf;
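Review bot: `optlen = cp[IPOPT_OLEN];` on L104 reads through `cp`, the `char *` declared with `lbuf`/`lp` for building the log line (L78 of the first hunk), not through the option cursor `ucp` that this loop advances; `cp` has not been assigned at this point, so the length read is undefined and the source-routing scan on the `__FreeBSD__`/`__sun__` path steps by garbage. It should be `optlen = ucp[IPOPT_OLEN];`. Because `ucp` is `unsigned char *`, `optlen` can never be negative, so `optlen <= 0` only catches a zero length byte; a length that runs past the returned data is not caught, and the length byte itself is read without checking that `ucp + IPOPT_OLEN` is still below `optbuf + optsize`. Consider `if (ucp + IPOPT_OLEN >= optbuf + optsize) break;` before the read and `if (optlen == 0 || optlen > (optbuf + optsize) - ucp) break;` after it. The enclosing function continues past the hunk.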
Index: internal.h
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/internal.h,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 internal.h
--- internal.h 4 Jan 2003 23:37:53 -0000 1.1.1.1
+++ internal.h 11 Nov 2003 00:18:26 -0000
@@ -7,6 +7,7 @@
#ifndef IMPL_HEADER
#define IMPL_HEADER
+#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
@@ -20,6 +21,12 @@
#define SAIN6( p ) ( (struct sockaddr_in6 *) (p) )
#define ADDR_FAM( p ) ( (p)->sa.sa_family )
+/* Convert IPv4 address that was mapped to an IPv6 address back to IPv4 */
+#ifndef IN6_V4MAPPED_TO_INADDR
+#define IN6_V4MAPPED_TO_INADDR(v6, v4) \
+ memcpy(v4, ((char *)v6) + 12, sizeof(struct in_addr));
+#endif
+
/* Common string operations. Less clutter should be more readable. */
#define STRN_CPY(d,s,l) { strncpy((d),(s),(l)); (d)[(l)-1] = 0; }
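Review bot: The `IN6_V4MAPPED_TO_INADDR` macro on L132-133 ends in a semicolon and does not parenthesize `v4`/`v6`, so an invocation like `if (x) IN6_V4MAPPED_TO_INADDR(a, b); else ...` fails to compile and an argument that is an expression binds wrongly in the `(char *)v6` cast. Define it as `memcpy((v4), ((const char *)(v6)) + 12, sizeof(struct in_addr))` with no trailing semicolon, and say in the comment that 12 is the byte offset of the embedded IPv4 address in the 16-byte v4-mapped form (`::ffff:a.b.c.d`). `sizeof(struct in_addr)` presumes `<netinet/in.h>` is visible wherever this header is used; the includes shown in the first hunk do not cover that, so it may be worth adding it there as well.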
Index: setenv.c
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/setenv.c,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 setenv.c
--- setenv.c 31 Aug 2002 16:40:34 -0000 1.1.1.1
+++ setenv.c 11 Nov 2003 00:18:26 -0000
@@ -20,7 +20,7 @@
/* setenv - update or insert environment (name,value) pair */
-int my_setenv(const char *name, const char *value, int clobber)
+int setenv(const char *name, const char *value, int clobber)
{
char *cp;
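Review bot: Renaming `my_setenv` to `setenv` gives this file a definition with external linkage under the libc name, so on a platform whose C library already provides `setenv` the object may collide with or interpose on it, depending on link order; the Makefile only links `setenv.o` for `sunos5` (L53 of its hunk), but nothing in this file makes the definition conditional. Wrapping the function in `#ifdef NEED_SETENV` — the flag the same Makefile hunk now passes in `EXTRA_CFLAGS` (L56) — keeps the object harmless anywhere else. A one-line comment noting that the signature mirrors POSIX `setenv(name, value, overwrite)`, with `clobber` playing the `overwrite` role, would spare the reader a check. The function body is outside the hunk.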
Index: socket.c
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/socket.c,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 socket.c
--- socket.c 10 Mar 2003 16:05:21 -0000 1.1.1.1
+++ socket.c 11 Nov 2003 00:18:26 -0000
@@ -135,17 +135,31 @@
sizeof(host->name), 0, 0, NI_NAMEREQD | NI_NOFQDN) == 0)
{
struct addrinfo hints, *res, *ressave;
+ struct in_addr v4addr;
int ret_val;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_socktype = SOCK_STREAM;
- hints.ai_family = ADDR_FAM(tsa);
+ if (ADDR_FAM(tsa) == AF_INET)
+ {
+ hints.ai_family = AF_INET;
+ memcpy(&v4addr, &SAIN(tsa)->sin_addr, sizeof(struct in_addr));
+ }
+ else /* only AF_INET6 left, currently */
+ {
+ if (IN6_IS_ADDR_V4MAPPED(&tsa->sa_in6.sin6_addr)) {
+ IN6_V4MAPPED_TO_INADDR(&tsa->sa_in6.sin6_addr, &v4addr);
+ hints.ai_family = AF_INET;
+ }
+ else
+ hints.ai_family = AF_INET6;
+ }
/*
* And then a forward lookup on what was returned.
*/
- if( (ret_val = getaddrinfo(host->name, NULL, &hints, &res)) < 0 )
+ if( (ret_val = getaddrinfo(host->name, NULL, &hints, &res)) != 0 )
{
tcpd_warn("can't verify hostname: getaddrinfo(%s) failed - %s",
host->name, gai_strerror(ret_val));
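Review bot: The `else` on L173 takes every family other than AF_INET to be AF_INET6 and reads `tsa->sa_in6.sin6_addr` through it; the comment's own "currently" hedges that. An explicit `else if (ADDR_FAM(tsa) == AF_INET6)` with a final `else hints.ai_family = ADDR_FAM(tsa);` keeps the original behaviour for any other family instead of interpreting the wrong union member. `v4addr` is left uninitialised on the plain-AF_INET6 path; the `memcmp(&v4addr, ...)` in the next hunk is only reached when `res->ai_family == AF_INET`, which the family check there ties to `hints.ai_family`, so it is not read, but `struct in_addr v4addr = { 0 };` would make that independent of the loop's logic. The enclosing function starts before this hunk.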
@@ -185,11 +199,14 @@
*/
while (res)
{
- if (tsa->sa.sa_family != res->ai_family)
- continue;
+ if (res->ai_family != hints.ai_family) {
+ /* can this happen ??? */
+ res = res->ai_next;
+ continue;
+ }
if (res->ai_family == AF_INET)
{
- if (memcmp(&SAIN(tsa)->sin_addr,
+ if (memcmp(&v4addr,
&SAIN(res->ai_addr)->sin_addr,
sizeof(struct in_addr)) == 0)
{
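Review bot: `/* can this happen ??? */` on L197 leaves the next reader with the question rather than the answer. Since `hints.ai_family` now pins the requested family, a conforming resolver returns only entries of that family, and the skip is a defensive guard so that a stray entry is never compared through the wrong `sockaddr` member; suggest `/* hints.ai_family pins the family; skip anything else rather than compare the wrong sockaddr member */`. The outcome of this loop decides whether the forward lookup confirms the reverse name, so the guard is worth keeping even though it should not trigger. The enclosing function starts before and ends after this hunk.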
Index: tcpd.c
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/tcpd.c,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 tcpd.c
--- tcpd.c 5 Jan 2003 01:20:42 -0000 1.1.1.1
+++ tcpd.c 11 Nov 2003 00:18:26 -0000
@@ -44,11 +44,28 @@
int allow_severity = SEVERITY; /* run-time adjustable */
int deny_severity = LOG_WARNING; /* ditto */
+
+int goon = 0;
+
+static
+void wait_attach()
+{
+ while (goon == 0) sleep(1);
+}
+
+
int main(int argc, char *argv[])
{
struct request_info request;
char *path, path_buffer[MAXPATHNAMELEN];
+
+ /*
+ * debugging aid
+ wait_attach();
+ */
+
+
/* Attempt to prevent the creation of world-writable files. */
#ifdef DAEMON_UMASK
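Review bot: `goon` on L219 is only ever changed from outside the program (a debugger, per the "debugging aid" comment), yet it is a plain `int`; the compiler is entitled to hoist the load out of `while (goon == 0) sleep(1);` and turn L224 into an endless loop, so it needs `volatile`. It is also an exported global with a generic name, and `wait_attach` is defined with an empty `()` parameter list and, with its only call commented out on L235, is an unused static function that will draw a warning on every build. Suggest `static volatile int goon = 0;` and `static void wait_attach(void)`, and wrapping both the definition and the call in a guard macro of your choosing (say `DEBUG_ATTACH`) so the scaffolding is compiled only when wanted. `sleep()` also needs `<unistd.h>`, unless tcpd.c already gets it through its other includes, which the hunk does not show; `main` continues past the hunk.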
Index: tcpd.h
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/tcpd.h,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 tcpd.h
--- tcpd.h 5 Jan 2003 01:15:59 -0000 1.1.1.1
+++ tcpd.h 11 Nov 2003 00:18:26 -0000
@@ -7,6 +7,8 @@
#ifndef TCP_WRAPPERS_HEADER
#define TCP_WRAPPERS_HEADER
+#include <sys/types.h>
+#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
Index: tli.c
===================================================================
RCS file: /cvs/opkg/vendor_stuff/tcpwrappers/tli.c,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 tli.c
--- tli.c 2 Sep 2002 12:47:03 -0000 1.1.1.1
+++ tli.c 11 Nov 2003 00:18:26 -0000
@@ -77,13 +77,13 @@
tli_endpoints(request);
if ((request->config = tli_transport(request->fd)) != 0
&& STR_EQ(request->config->nc_protofmly, "inet")) {
- if (request->client->unit != 0) {
- client = *(struct sockaddr_in *) request->client->unit->addr.buf;
- request->client->sin = &client;
+ if (request->client.unit != 0) {
+ client = *(struct sockaddr_in *) request->client.unit->addr.buf;
+ request->client.au.sa_in = client;
}
- if (request->server->unit != 0) {
- server = *(struct sockaddr_in *) request->server->unit->addr.buf;
- request->server->sin = &server;
+ if (request->server.unit != 0) {
+ server = *(struct sockaddr_in *) request->server.unit->addr.buf;
+ request->server.au.sa_in = server;
}
tli_cleanup(request);
sock_methods(request);
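Review bot: L270 and L277 copy `sizeof(struct sockaddr_in)` bytes out of `addr.buf` through a pointer cast without checking `addr.len`, so a short or non-inet address returned by the transport is read past the data it carries; the cover note says the TLI path could not be tested, which makes this worth tightening. Check the length in the same condition, `if (request->client.unit != 0 && request->client.unit->addr.len >= sizeof(struct sockaddr_in))`, and likewise for the server side. The cast also assumes the transport aligns `addr.buf` for `struct sockaddr_in`; `memcpy(&request->client.au.sa_in, request->client.unit->addr.buf, sizeof(struct sockaddr_in))` avoids that assumption and lets the `client`/`server` temporaries go. `request->client.au.sa_in` is presumably the new embedded sockaddr union that replaces the old `sin` pointer; that header change is not in this diff, and the enclosing function starts before the hunk.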
@@ -100,10 +100,10 @@
{
if (request->config != 0)
freenetconfigent(request->config);
- if (request->client->unit != 0)
- t_free((char *) request->client->unit, T_UNITDATA);
- if (request->server->unit != 0)
- t_free((char *) request->server->unit, T_UNITDATA);
+ if (request->client.unit != 0)
+ t_free((char *) request->client.unit, T_UNITDATA);
+ if (request->server.unit != 0)
+ t_free((char *) request->server.unit, T_UNITDATA);
}
/* tli_endpoints - determine TLI client and server endpoint information */
@@ -140,7 +140,7 @@
return;
}
}
- request->client->unit = client;
+ request->client.unit = client;
/*
* Look up the server endpoint address. This can be used for filtering on
@@ -156,7 +156,7 @@
t_free((void *) server, T_UNITDATA);
return;
}
- request->server->unit = server;
+ request->server.unit = server;
}
/* tli_transport - find out TLI transport type */
openssh.tar
Description: Unix tar archive
