Date: Fri, 7 Oct 2022 01:39:45 GMT
Message-Id: <202210070139.2971djgI016312@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 46aaea6c19ef - stable/13 - sshd: update the libwrap patch to drop connections early
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 46aaea6c19ef1f377936eede16b4bdb626421dd6

The branch stable/13 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=46aaea6c19ef1f377936eede16b4bdb626421dd6

commit 46aaea6c19ef1f377936eede16b4bdb626421dd6
Author:     Gleb Smirnoff
AuthorDate: 2022-01-03 02:32:30 +0000
Commit:     Ed Maste
CommitDate: 2022-10-07 01:39:00 +0000

    sshd: update the libwrap patch to drop connections early

    OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in
    github.com/openssh/openssh-portable) and we maintain the patch ourselves
    since 2016 (a0ee8cc636cd). Over the years, the libwrap support has
    deteriorated and probably that was the reason for removal upstream.

    The original idea of libwrap was to drop an illegitimate connection as
    soon as possible, but over the years the code was pushed further down and
    down and ended in the forked client connection handler. The negative
    effect of late dropping is increased attack surface for hosts that are to
    be dropped anyway. Apart from hypothetical future vulnerabilities in
    connection handling, today a malicious host listed in /etc/hosts.allow
    still can trigger sshd to enter connection throttling mode, which is
    enabled by default (see MaxStartups in sshd_config(5)), effectively
    casting a DoS attack. Note that on OpenBSD this attack isn't possible,
    since they enable MaxStartups together with UseBlacklist.

    The only negative effect from early drop that I can imagine is that now
    the main listener parses a file in /etc, and if our root filesystem goes
    bad, it would get stuck. But unlikely you'd be able to log in in that
    case anyway.

    Implementation details:
    - For brevity we reuse the same struct request_info. This isn't a
      documented feature of libwrap, but code review, viewing data in a
      debugger and real life testing shows that if we clear RQ_CLIENT_NAME
      and RQ_CLIENT_ADDR every time, it works as intended.
    - We set SO_LINGER on the socket to force immediate connection reset.
    - We log message exactly as libwrap's refuse() would do.
Differential revision: https://reviews.freebsd.org/D33044 (cherry picked from commit ca573c9a1779bdeeea6d0a6e948676555977737e) --- crypto/openssh/sshd.c | 60 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index d3da2fa10969..50c8eabb18bb 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -143,8 +143,8 @@ #ifdef LIBWRAP #include #include -int allow_severity; -int deny_severity; +extern int allow_severity; +extern int deny_severity; #endif /* LIBWRAP */ /* Re-exec fds */ @@ -1165,6 +1165,11 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) pid_t pid; u_char rnd[256]; sigset_t nsigset, osigset; +#ifdef LIBWRAP + struct request_info req; + + request_init(&req, RQ_DAEMON, __progname, 0); +#endif /* pipes connected to unauthenticated child sshd processes */ startup_pipes = xcalloc(options.max_startups, sizeof(int)); @@ -1294,6 +1299,31 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) usleep(100 * 1000); continue; } +#ifdef LIBWRAP + /* Check whether logins are denied from this host. */ + request_set(&req, RQ_FILE, *newsock, + RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); + sock_host(&req); + if (!hosts_access(&req)) { + const struct linger l = { .l_onoff = 1, + .l_linger = 0 }; + + (void )setsockopt(*newsock, SOL_SOCKET, + SO_LINGER, &l, sizeof(l)); + (void )close(*newsock); + /* + * Mimic message from libwrap's refuse() + * exactly. sshguard, and supposedly lots + * of custom made scripts rely on it. + */ + syslog(deny_severity, + "refused connect from %s (%s)", + eval_client(&req), + eval_hostaddr(req.client)); + debug("Connection refused by tcp wrapper"); + continue; + } +#endif /* LIBWRAP */ if (unset_nonblock(*newsock) == -1 || pipe(startup_p) == -1) { close(*newsock); 
@@ -2065,6 +2095,14 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); +#ifdef LIBWRAP + /* + * We log refusals ourselves. However, libwrap will report + * syntax errors in hosts.allow via syslog(3). + */ + allow_severity = options.log_facility|LOG_INFO; + deny_severity = options.log_facility|LOG_WARNING; +#endif /* Avoid killing the process in high-pressure swapping environments. */ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) debug("madvise(): %.200s", strerror(errno)); @@ -2236,24 +2274,6 @@ main(int ac, char **av) #ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); #endif -#ifdef LIBWRAP - allow_severity = options.log_facility|LOG_INFO; - deny_severity = options.log_facility|LOG_WARNING; - /* Check whether logins are denied from this host. */ - if (ssh_packet_connection_is_on_socket(ssh)) { - struct request_info req; - - request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); - fromhost(&req); - - if (!hosts_access(&req)) { - debug("Connection refused by tcp wrapper"); - refuse(&req); - /* NOTREACHED */ - fatal("libwrap refuse returns"); - } - } -#endif /* LIBWRAP */ rdomain = ssh_packet_rdomain_in(ssh);
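Review bot: in the first hunk (@@ -143,8 +143,8 @@), turning `int allow_severity;` / `int deny_severity;` into `extern` declarations means sshd no longer owns these objects and the link now depends on libwrap exporting them (tcp_wrappers defines both in its hosts_access.c); a one-line comment at the declaration saying where the definitions live would save the next reader a trip through the library. Also, the two `#include` lines in this hunk appear with their header names missing in this rendering, so confirm they are intact in the committed file.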
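Review bot: in the second hunk (@@ -1165,6 +1165,11 @@), `req` is initialised once with `request_init(&req, RQ_DAEMON, __progname, 0);` and then reused for every accepted connection, which the commit message itself calls an undocumented libwrap behaviour; that caveat belongs in a comment next to `request_init()` (and next to the `request_set()` that clears RQ_CLIENT_NAME/RQ_CLIENT_ADDR), so that a future libwrap change adding per-request state does not silently break the check. Style point: the `request_init()` call now sits inside the declaration block of `server_accept_loop()`; style(9) would put it after the last declaration.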
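Review bot: in the third hunk (@@ -1294,6 +1299,31 @@), the check now runs in the single listening process, and both `hosts_access(&req)` (for hostname or PARANOID patterns in hosts.allow/hosts.deny) and the `eval_client(&req)` in the refusal `syslog()` can trigger a reverse DNS lookup for the peer; with a slow or unresponsive resolver that stalls the whole accept loop, whereas the old placement confined the wait to one forked handler. The trade-off is worth stating in the comment and in the commit message next to the /etc remark, and a hosts.allow written with addresses rather than names avoids it. Minor: `(void )setsockopt(` and `(void )close(` carry a stray space before the parenthesis; `(void)setsockopt(` matches the rest of the file.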
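Review bot: in the fourth hunk (@@ -2065,6 +2095,14 @@), only `deny_severity` is read anywhere in this patch now that sshd logs refusals itself; `allow_severity` is assigned but never used by sshd, so either drop the assignment or extend the comment to say it is set for libwrap's benefit. Also, this hunk's closing `+#endif` lacks the `/* LIBWRAP */` marker that the other `#endif` lines in the patch carry.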
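Review bot: in the last hunk (@@ -2236,24 +2274,6 @@), the removed block ran in `main()` for every connection that arrived on a socket (`ssh_packet_connection_is_on_socket(ssh)`), inetd mode included, while its replacement lives only in `server_accept_loop()`, which an sshd started by inetd (`inetd_flag` set, visible in the previous hunk) never enters; as far as the visible code shows, an inetd-launched sshd therefore no longer consults hosts.allow/hosts.deny at all. Either keep a check on this path when `inetd_flag` is set, or state in the commit message and sshd(8) that inetd users must now wrap sshd with tcpd or an equivalent.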
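Added example, not part of the commit and not OpenSSH or libwrap code: a small C program using only POSIX sockets on the loopback interface that shows what the connecting side observes when a listener closes an accepted socket with `SO_LINGER` set to `{ .l_onoff = 1, .l_linger = 0 }`, as the patch does before `close()`, compared with a plain `close()`. For the abortive close the peer's `recv()` fails with ECONNRESET (the connection was reset); for the orderly close it returns 0 (end of file). The helper name `peer_sees_after_close()` is ours, and the program assumes loopback networking is available. It exercises only the socket-level part of the change, not the hosts.allow lookup.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Helper name is ours (not from sshd or libwrap). Opens a loopback
 * listener, connects to it, accepts, and closes the accepted socket
 * either orderly (FIN) or abortively (RST, via SO_LINGER {1, 0}).
 * Returns what the connecting side sees on its next recv():
 *   0          -> orderly close (recv returned 0, end of file)
 *   ECONNRESET -> abortive close (recv failed with ECONNRESET)
 *   -1         -> setup failed (for example no loopback networking)
 */
int peer_sees_after_close(int abortive)
{
    int lsock = -1, csock = -1, asock = -1, result = -1;
    struct sockaddr_in sin;
    socklen_t slen = sizeof(sin);
    char buf[1];
    ssize_t n;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                      /* let the kernel pick a free port */

    if ((lsock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        goto out;
    if (bind(lsock, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        listen(lsock, 1) < 0 ||
        getsockname(lsock, (struct sockaddr *)&sin, &slen) < 0)
        goto out;

    if ((csock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        goto out;
    if (connect(csock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        goto out;
    if ((asock = accept(lsock, NULL, NULL)) < 0)
        goto out;

    if (abortive) {
        /* Same option the patch sets before close(): linger on, zero timeout,
         * so close() discards any queued data and sends RST instead of FIN. */
        const struct linger l = { .l_onoff = 1, .l_linger = 0 };
        if (setsockopt(asock, SOL_SOCKET, SO_LINGER, &l, sizeof(l)) < 0)
            goto out;
    }
    close(asock);
    asock = -1;

    /* The connecting side learns how the listener closed: 0 for FIN,
     * -1/ECONNRESET for RST. The listener never sent data, so n > 0
     * cannot occur and would leave result at -1. */
    n = recv(csock, buf, sizeof(buf), 0);
    if (n == 0)
        result = 0;
    else if (n < 0)
        result = errno;

out:
    if (asock >= 0)
        close(asock);
    if (csock >= 0)
        close(csock);
    if (lsock >= 0)
        close(lsock);
    return result;
}

int main(void)
{
    int orderly = peer_sees_after_close(0);
    int abortive = peer_sees_after_close(1);

    printf("orderly close:  recv -> %s\n",
        orderly == 0 ? "0 (end of file)" : strerror(orderly));
    printf("abortive close: recv -> %s\n",
        abortive == 0 ? "0 (end of file)" : strerror(abortive));
    return 0;
}
```

The reset is also what a log-watching tool sees from the client's side: a refused peer gets ECONNRESET immediately rather than a FIN after the usual banner exchange, which is the point of dropping in the listener before any protocol state exists.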