[nycbug-talk] OpenSSH and hosts.allow/hosts.deny
okan at demirmen.com
Sat Nov 6 21:14:47 EST 2004
On Sat 2004.11.06 at 19:24 -0500, G. Rosamond wrote:
> A few weeks ago, Chris asked if you could explicitly block or allow by
> ip for OpenSSH.
> I answered blindly "yes," even though SSH is not governed by inetd.conf
> and therefore is not ruled by /etc/hosts.allow or /etc/hosts.deny. But
> I knew it could be, but did not remember.
> I just checked the ORA book on SSH, and found the following on page 354:
> ...sshd is usually not invoked by inetd, ...the SSH server must be
> compiled with the flag --with-libwrap to enable internal support for
> TCP-wrappers. sshd then invokes TCP-wrapper library functions to do
> explicit access-control checks according to the rules in
> /etc/hosts.allow and /etc/hosts.deny. So in a sense, the term
> "wrapper" is misleading since sshd is modified, not wrapped, to support
> The page then goes on to explain the hosts.allow and hosts.deny files,
> which probably don't require much explanation to you Chris.
> Anyway, no one else had followed up with a more comprehensive answer to
> Chris, and it sat in the back of my mind for a few weeks, until I'm
> sitting on Metro North with my iBook and the ORA SSH book.
I don't remember the original post, nor the OS OpenSSH was used on,
but just use ldd(1) or objdump(1) to see if your sshd is compiled
with libwrap. I only know that OpenBSD has libwrap in by default.
Looks like my hosting company who uses "FreeBSD 4.8-STABLE" doesn't
have libwrap in, but it could be that pair pulls it out or FreeBSD
doesn't by default. Anyway, easy check for anyone who cares ;)
My .02 cents for now ;)
Okan Demirmen <okan at demirmen.com>
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934
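As an added example, not part of the thread, here is a POSIX sh script that does the ldd(1)/objdump(1) check Okan describes and then emulates, in simplified form, the hosts.allow/hosts.deny decision order the ORA passage refers to. The rule subset it handles (ALL, an exact host/IP, a dotted prefix such as 10.0.0.) and the file paths passed in are assumptions; the real libwrap syntax also covers netmasks, EXCEPT lists and per-rule options.

```shell
# Added example (not from the thread). Two things a defender wants to know:
#  1) is this sshd linked against libwrap at all (if not, hosts.allow and
#     hosts.deny are silently ignored for ssh), via ldd(1) or objdump(1);
#  2) what the libwrap decision order yields for a client, emulated here
#     for a simplified rule subset: ALL, exact host/IP, "10.0.0." prefix.

# Exit 0 = libwrap linked, 1 = not linked, 2 = could not determine.
linked_with_libwrap() {
    if command -v ldd >/dev/null 2>&1; then
        ldd "$1" 2>/dev/null | grep -q libwrap && return 0
        return 1
    elif command -v objdump >/dev/null 2>&1; then
        objdump -p "$1" 2>/dev/null | grep -q 'NEEDED.*libwrap' && return 0
        return 1
    fi
    return 2
}

# Does the rule line "daemons : clients" match DAEMON ($2) and CLIENT ($3)?
rule_matches() {
    daemons=$(printf '%s' "$1" | cut -d: -f1 | tr ',' ' ')
    clients=$(printf '%s' "$1" | cut -d: -f2 | tr ',' ' ')
    dmatch=1; cmatch=1
    for d in $daemons; do [ "$d" = ALL ] || [ "$d" = "$2" ] && dmatch=0; done
    for c in $clients; do
        case "$c" in
            ALL) cmatch=0 ;;
            *.)  case "$3" in "$c"*) cmatch=0 ;; esac ;;   # dotted prefix
            *)   [ "$c" = "$3" ] && cmatch=0 ;;
        esac
    done
    [ $dmatch -eq 0 ] && [ $cmatch -eq 0 ] && return 0
    return 1
}

# Returns 0 if any non-comment rule in FILE ($1) matches DAEMON and CLIENT.
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        rule_matches "$line" "$2" "$3" && return 0
    done < "$1"
    return 1
}

# libwrap order: a hosts.allow match wins, then a hosts.deny match denies, and
# a client matching neither file is ALLOWED (put "sshd: ALL" in hosts.deny
# for default-deny). Args: DAEMON CLIENT ALLOWFILE DENYFILE; prints allow/deny.
hosts_access_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow; fi
}
```

Typical use is `linked_with_libwrap "$(command -v sshd)"` followed by `hosts_access_decision sshd 203.0.113.9 /etc/hosts.allow /etc/hosts.deny` to see what a given client would get. Note that portable OpenSSH removed libwrap support in 6.7, so on a current system the first check will usually come back negative and the address filtering belongs in the packet filter or in sshd_config Match blocks instead.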