[nycbug-talk] OpenSSH and hosts.allow/hosts.deny

G. Rosamond george
Sat Nov 6 19:24:04 EST 2004


A few weeks ago, Chris asked if you could explicitly block or allow by 
IP for OpenSSH.

I answered blindly "yes," even though SSH is not governed by inetd.conf 
and therefore is not ruled by /etc/hosts.allow or /etc/hosts.deny.  But 
I knew it could be, but did not remember.

I just checked the ORA book on SSH, and found the following on page 354:

<quote>

...sshd is usually not invoked by inetd, ...the SSH server must be 
compiled with the flag --with-libwrap to enable internal support for 
TCP-wrappers.  sshd then invokes TCP-wrapper library functions to do 
explicit access-control checks according to the rules in 
/etc/hosts.allow and /etc/hosts.deny.  So in a sense, the term 
"wrapper" is misleading since sshd is modified, not wrapped, to support 
TCP-wrappers.

</quote>

The page then goes on to explain the hosts.allow and hosts.deny files, 
which probably don't require much explanation to you Chris.
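To make the behaviour concrete, here is a small evaluator of the hosts.allow / hosts.deny decision that a libwrap-enabled sshd delegates to the TCP-wrappers library. This is an added example, not code from the post or the O'Reilly book, and the two sample files are constructed. It is deliberately simplified: IPv4 only, no hostname or LOCAL/KNOWN patterns, and the optional third "shell command" field is ignored; what it does reproduce is the order of evaluation (hosts.allow first, then hosts.deny, then grant by default) and the net/mask, trailing-dot prefix, ALL and EXCEPT forms. One caveat worth knowing: OpenSSH removed its built-in tcp_wrappers support in release 6.7, so on current systems the same intent is usually expressed with sshd_config Match blocks or a host firewall.

```python
import ipaddress

# Constructed sample files (not from the post): the usual "deny everything,
# then allow a few sources" layout for an sshd built --with-libwrap.
SAMPLE_HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed sample)
sshd: 192.168.1.0/255.255.255.0, 10.0.0.5
sshd: 172.16. EXCEPT 172.16.99.
"""

SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny (constructed sample)
sshd: ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) string pairs from a hosts.* file.

    Comments and blank lines are skipped.  A third ':'-separated field
    (shell command / option) is ignored in this simplified evaluator,
    and IPv6 patterns (which contain ':') are not supported.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line; tcp_wrappers would log and skip it
        rules.append((fields[0], fields[1]))
    return rules


def _client_token_matches(pattern, ip):
    """One client pattern: ALL, net/mask, trailing-dot prefix, or exact IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(ip) in network
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def _daemon_token_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def list_matches(expr, value, token_matches):
    """Evaluate a blank/comma-separated list, with right-nested EXCEPT:
    'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    tokens = expr.replace(",", " ").split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            left, right = tokens[:i], " ".join(tokens[i + 1:])
            return (any(token_matches(t, value) for t in left)
                    and not list_matches(right, value, token_matches))
    return any(token_matches(t, value) for t in tokens)


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """Reproduce the tcp_wrappers decision order:
    1. grant if (daemon, client) matches any hosts.allow rule;
    2. otherwise deny if it matches any hosts.deny rule;
    3. otherwise grant: the default when neither file matches.
    """
    def matches(rules):
        return any(list_matches(d, daemon, _daemon_token_matches)
                   and list_matches(c, client_ip, _client_token_matches)
                   for d, c in rules)

    if matches(parse_rules(allow_text)):
        return True
    if matches(parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for ip in ("192.168.1.77", "10.0.0.6", "172.16.4.2",
               "172.16.99.1", "203.0.113.9"):
        verdict = hosts_access("sshd", ip, SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY)
        print(f"sshd from {ip}: {'allow' if verdict else 'deny'}")
    # Pitfall: with an empty hosts.deny, an unlisted source is still granted.
    print("empty hosts.deny, unlisted source:",
          hosts_access("sshd", "203.0.113.9", SAMPLE_HOSTS_ALLOW, ""))
```

The last line of the demo is the point most often missed when people first set this up: hosts.allow alone restricts nothing, because a client that matches neither file is granted access. The "sshd: ALL" line in hosts.deny is what turns the allow list into an actual whitelist.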

Anyway, no one else had followed up with a more comprehensive answer to 
Chris, and it sat in the back of my mind for a few weeks, until I'm 
sitting on Metro North with my iBook and the ORA SSH book.

g
