[nycbug-talk] OpenSSH and hosts.allow/hosts.deny
Sat Nov 6 19:24:04 EST 2004
A few weeks ago, Chris asked it you could explicitly block or allow by
ip for OpenSSH.
I answered blindly "yes," even though SSH is not governed by inetd.conf
and therefore is not ruled by /etc/hosts.allow or /etc/hosts.deny. But
I knew it could be, but did not remember.
I just checked the ORA book on SSH, and found the following on page 354:
...sshd is usually not invoked by inetd, ...the SSH server must be
compiled with the flag --with-libwrap to enable internal support for
TCP-wrappers. sshd then invokes TCP-wrapper library functions to do
explicit access-control checks according to the rules in
/etc/hosts.allow and /etc/hosts.deny. So in a sense, the term
"wrapper" is misleading since sshd is modified, not wrapped, to support
The page then goes on to explain the hosts.allow and hosts.deny files,
which probably don't require much explanation to you Chris.
Anyway, no one else had followed up with a more comprehensive answer to
Chris, and it sat in the back of my mind for a few weeks, until I'm
sitting on Metro North with my iBook and the ORA SSH book.
More information about the talk