openssh-portable and tcpwrappers broken
Date: Thu, 25 Jul 2024 17:27:19 UTC
I opened a PR (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280440), but it seems I am no longer able to get the spawn command to work in the latest openssh-portable. Allow and Deny seem to work, but the line

    sshd : ALL : spawn /usr/local/bin/geo-check-mmdb.sh %a : ALLOW

is ignored. It's almost like it's not able to fork the process.

Leading up to it, a working version showed the following in truss:

    ppoll({ 3/POLLIN 4/POLLIN },2,0x0,{ }) = 1 (0x1)
    sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
    accept(4,{ AF_INET 192.1.124.126:48085 },0x311843efd870) = 5 (0x5)
    getpeername(5,{ AF_INET 192.1.124.126:48085 },0x311843efd3cc) = 0 (0x0)
    getsockname(5,{ AF_INET 64.7.148.55:24 },0x311843efd3cc) = 0 (0x0)
    sigprocmask(SIG_BLOCK,0x0,{ }) = 0 (0x0)
    open("/etc/hosts.allow",O_RDONLY,0666) = 6 (0x6)
    fstat(6,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
    read(6,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
    close(6) = 0 (0x0)
    fork() = 4119 (0x1017)
    wait4(-1,0x0,0x0,0x0) ERESTART
    SIGNAL 20 (SIGCHLD) code=CLD_EXITED pid=4119 uid=0 status=0
    sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },0x0) = 0 (0x0)
    wait4(-1,{ EXITED,val=0 },WNOHANG,0x0) = 4119 (0x1017)

and the non-working version in the ports:

    getsockname(4,{ AF_INET 64.7.148.55:24 },0x82062f85c) = 0 (0x0)
    sigprocmask(SIG_BLOCK,0x0,{ }) = 0 (0x0)
    open("/etc/hosts.allow",O_RDONLY,0666) = 5 (0x5)
    fstat(5,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
    read(5,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
    getpid() = 19884 (0x4dac)
    issetugid() = 0 (0x0)
    open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)

It just skips right along. Any ideas how to work around this?
I am just looking to add IPs to block based on geolocation when sshd is invoked on this one server.

---Mike
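As an added diagnostic example (not from Mike's post, and not code from openssh-portable or tcpwrappers): a small Python check that walks a truss trace one syscall per line and reports whether sshd forked a child after reading /etc/hosts.allow. That fork is the observable difference between the two traces quoted above, since tcpwrappers runs a spawn command in a forked child. The sample traces are trimmed copies of the excerpts in the post; the function names and the syscall regex are this example's own assumptions.

```python
import re

# Constructed sample input: trimmed copies of the two truss excerpts from the
# post, one syscall per line. The signal line has no parentheses directly after
# the name and is skipped by the parser.
WORKING_TRACE = r"""
accept(4,{ AF_INET 192.1.124.126:48085 },0x311843efd870) = 5 (0x5)
open("/etc/hosts.allow",O_RDONLY,0666) = 6 (0x6)
read(6,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
close(6) = 0 (0x0)
fork() = 4119 (0x1017)
wait4(-1,0x0,0x0,0x0) ERESTART
SIGNAL 20 (SIGCHLD) code=CLD_EXITED pid=4119 uid=0 status=0
wait4(-1,{ EXITED,val=0 },WNOHANG,0x0) = 4119 (0x1017)
"""

BROKEN_TRACE = r"""
open("/etc/hosts.allow",O_RDONLY,0666) = 5 (0x5)
read(5,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
getpid() = 19884 (0x4dac)
issetugid() = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)
"""

# name(args) = retval ...   (the hex echo in parentheses is ignored)
SYSCALL_RE = re.compile(r'^(\w+)\((.*?)\)\s*(?:=\s*(-?\d+))?')


def parse_trace(text):
    """Return a list of (syscall, argument string, return value or None)."""
    calls = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            calls.append((m.group(1), m.group(2), m.group(3)))
    return calls


def spawn_child_pid(calls):
    """Return the pid of the child forked after /etc/hosts.allow was read,
    or None if the trace never forks after that read.

    The file descriptor returned by open() is tracked so that only a read()
    on /etc/hosts.allow itself arms the check; a fork() before the file is
    read (e.g. the listener forking a per-connection sshd) does not count.
    """
    hosts_allow_fd = None
    read_hosts_allow = False
    for name, args, ret in calls:
        if name == 'open' and args.startswith('"/etc/hosts.allow"'):
            hosts_allow_fd = ret
        elif (name == 'read' and hosts_allow_fd is not None
              and args.startswith(hosts_allow_fd + ',')):
            read_hosts_allow = True
        elif name == 'fork' and read_hosts_allow and ret is not None:
            return int(ret)
    return None


if __name__ == '__main__':
    for label, trace in (('working', WORKING_TRACE), ('broken', BROKEN_TRACE)):
        pid = spawn_child_pid(parse_trace(trace))
        verdict = f'spawned child pid {pid}' if pid else 'no fork after hosts.allow read'
        print(f'{label}: {verdict}')
```

Run against a live capture with `truss -f -p <sshd pid>` output saved to a file, the same check tells you whether the spawn directive was acted on at all, which separates "the script ran and did nothing" from "sshd never forked for it".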