openssh-portable and tcpwrappers broken

From: mike tancsa <mike_at_sentex.net>
Date: Thu, 25 Jul 2024 17:27:19 UTC
I opened a PR (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280440) 
but it seems I am no longer able to get the spawn command to work in the 
latest openssh-portable. Allow and Deny seem to work, but the line

sshd : ALL  : spawn /usr/local/bin/geo-check-mmdb.sh %a :  ALLOW

is ignored. It's almost like it's not able to fork the process. Leading up 
to it, a working version showed the following in truss


ppoll({ 3/POLLIN 4/POLLIN },2,0x0,{ })           = 1 (0x1)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
accept(4,{ AF_INET 192.1.124.126:48085 },0x311843efd870) = 5 (0x5)
getpeername(5,{ AF_INET 192.1.124.126:48085 },0x311843efd3cc) = 0 (0x0)
getsockname(5,{ AF_INET 64.7.148.55:24 },0x311843efd3cc) = 0 (0x0)
sigprocmask(SIG_BLOCK,0x0,{ })                   = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666)           = 6 (0x6)
fstat(6,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
read(6,"\nsshd :  ALL : spawn  /usr/loca"...,32768) = 2796 (0xaec)
close(6)                                         = 0 (0x0)
fork()                                           = 4119 (0x1017)
wait4(-1,0x0,0x0,0x0)                            ERESTART
SIGNAL 20 (SIGCHLD) code=CLD_EXITED pid=4119 uid=0 status=0
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },0x0) = 0 (0x0)

wait4(-1,{ EXITED,val=0 },WNOHANG,0x0)           = 4119 (0x1017)


and the non-working version in the ports

getsockname(4,{ AF_INET 64.7.148.55:24 },0x82062f85c) = 0 (0x0)
sigprocmask(SIG_BLOCK,0x0,{ })                   = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666)           = 5 (0x5)
fstat(5,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
read(5,"\nsshd :  ALL : spawn  /usr/loca"...,32768) = 2796 (0xaec)
getpid()                                         = 19884 (0x4dac)
issetugid()                                      = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)


It just skips right along.  Any ideas how to work around this? I am 
just looking to add IPs to block based on geo location when sshd is 
invoked on this one server.

     ---Mike
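
An added example, not part of the original post: a small Python check that automates the comparison of the two truss excerpts above, reporting whether the traced process forks and reaps a child between opening /etc/hosts.allow and the next accept(). The function name `spawn_windows` and the abbreviated sample traces are assumptions made for illustration.

```python
import re

# One truss line: "name(args) = retval (0xhex)" or "name(args) ERRNO".
CALL = re.compile(r'^(\w+)\((.*)\)\s+(?:=\s+(-?\d+)|[A-Z]+)')
FORKS = {"fork", "vfork", "rfork", "pdfork"}  # FreeBSD fork-family syscalls

def spawn_windows(lines):
    """For each successful open of /etc/hosts.allow, report whether the traced
    process forked, and reaped that child, before the next accept()."""
    results, cur = [], None
    for line in lines:
        m = CALL.match(line.strip())
        if not m:
            continue  # SIGNAL lines and other non-syscall output
        name, args = m.group(1), m.group(2)
        ret = int(m.group(3)) if m.group(3) else None
        if name == "accept" and cur is not None:
            results.append(cur)  # next connection closes the window
            cur = None
        if name == "open" and '"/etc/hosts.allow"' in args and ret is not None and ret >= 0:
            if cur is not None:
                results.append(cur)
            cur = {"forked": False, "child": None, "reaped": False}
        elif cur is not None and name in FORKS and ret is not None and ret > 0:
            cur.update(forked=True, child=ret)
        elif cur is not None and name == "wait4" and ret is not None and ret == cur["child"]:
            cur["reaped"] = True
    if cur is not None:
        results.append(cur)
    return results

# Sample input abbreviated from the two truss excerpts in the post above.
WORKING = r'''accept(4,{ AF_INET 192.1.124.126:48085 },0x311843efd870) = 5 (0x5)
open("/etc/hosts.allow",O_RDONLY,0666)           = 6 (0x6)
close(6)                                         = 0 (0x0)
fork()                                           = 4119 (0x1017)
wait4(-1,0x0,0x0,0x0)                            ERESTART
wait4(-1,{ EXITED,val=0 },WNOHANG,0x0)           = 4119 (0x1017)'''
BROKEN = r'''open("/etc/hosts.allow",O_RDONLY,0666)           = 5 (0x5)
getpid()                                         = 19884 (0x4dac)
issetugid()                                      = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)'''

if __name__ == "__main__":
    for label, trace in (("working", WORKING), ("broken", BROKEN)):
        print(label, spawn_windows(trace.splitlines()))
```

The check only sees the traced parent; what the spawned command itself does appears only when truss also follows child processes (`truss -f`).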