FS#16048 - [tcp_wrappers] sshd and tcp wrappers and ipv6

Attached to Project: Arch Linux
Opened by Michal Svoboda (pht) - Sunday, 06 September 2009, 10:21 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 29 August 2010, 11:15 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Thomas Bächler (brain0)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Description:
Can not get through tcpwrappers to ssh daemon when using ipv6.

Additional info:
* package version(s)
tcp_wrappers 7.6-10
openssh 5.2p1-1

* config and/or log files etc.
AddressFamily any
ListenAddress ::
(possibly also ListenAddress 0.0.0.0 - does not change behavior)

hosts.allow:
sshd: [2001:1508:148a::666]

Steps to reproduce:
ssh host (over ipv6) gives in auth.log:
Sep 6 12:13:19 host sshd[3079]: refused connect from 0.0.0.0
(the 0.0.0.0 is totally weird)

when i put sshd: ALL to hosts.allow, i can get through and my address appears correctly in the log:
Sep 6 12:14:30 host sshd[3119]: Accepted password for user from 2001:1508:148a::666 port 55515 ssh2

This task depends upon

Closed by  Tobias Powalowski (tpowa)
Sunday, 29 August 2010, 11:15 GMT
Reason for closing:  Fixed
Additional comments about closing:  fixed 7.6-12
Comment by Tobias Powalowski (tpowa) - Sunday, 06 September 2009, 16:05 GMT
Just a guess i don't use ipv6 at all, do you need the brackets [] what happens if you just use:
sshd: 2001:1508:148a::666
Comment by Michal Svoboda (pht) - Sunday, 06 September 2009, 16:10 GMT
Does not work. According to the manual the brackets should be there. I think the key is in that weird '0.0.0.0' address. Maybe there is missing ipv6 support for tcpwrappers in Arch?
Comment by Michal Svoboda (pht) - Wednesday, 28 October 2009, 10:05 GMT
It looks like ipv6 support was not enabled at all (you have to pass -DINET6 to gcc). Even then there were some prototype mismatches. I fixed all that and did a quick check if the new library correctly accepts/rejects ipv4 and ipv6 clients. I attach a patch that should be applied against the whole pkgbuild dir before running 'pkgbuild'.

ATTENTION: I do not know the nature of the original ipv6 patch. As the whole functionality was DISABLED prior to my efforts, it is possible that the new ipv6 functionality creates security issues. I urge the package maintainer to cross check the original ipv6 patch against other distros.
Comment by Michal Svoboda (pht) - Saturday, 30 January 2010, 18:45 GMT
It's been a couple of months since I reported this. Is the package maintainer still alive?
Comment by Eärendil (earendil) - Friday, 19 March 2010, 21:53 GMT
  • Field changed: Percent Complete (100% → 0%)
I see the patch included in the package and I see it in the md5sum list.
But it is not activated apparently
Comment by Michal Svoboda (pht) - Sunday, 21 March 2010, 08:23 GMT
what about ditching tcp wrappers completely? there's nothing that they do that can't be done by either the firewall (iptables) or the application itself (sshd, xinetd, ...)
Comment by Greg Bur (Pizon) - Thursday, 25 March 2010, 12:20 GMT
Looks like a small tweak to the PKGBUILD solves the problem.
Comment by Michal Svoboda (pht) - Thursday, 25 March 2010, 12:30 GMT
I actually had that line in the original patch, must've been a failed merge on the maintainer's part or something.
Comment by Andrej Podzimek (andrej) - Friday, 25 June 2010, 18:32 GMT
Are there any news? tcp_wrappers still don't accept IPv6 addresses on ArchLinux...
Comment by Leonid Isaev (lisaev) - Sunday, 15 August 2010, 17:44 GMT
According to http://repos.archlinux.org/wsvn/packages/tcp_wrappers/repos/core-i686/PKGBUILD, the PKGBUILD still does not include the 11_inet6_fixes patch in the build() function... status?