[nycbug-talk] OpenSSH and hosts.allow/hosts.deny

G. Rosamond george
Sat Nov 6 19:24:04 EST 2004

A few weeks ago, Chris asked if you could explicitly block or allow by 
ip for OpenSSH.

I answered blindly "yes," even though SSH is not governed by inetd.conf 
and therefore is not ruled by /etc/hosts.allow or /etc/hosts.deny.  But 
I knew it could be, but did not remember.

I just checked the ORA book on SSH, and found the following on page 354:


...sshd is usually not invoked by inetd, ...the SSH server must be 
compiled with the flag --with-libwrap to enable internal support for 
TCP-wrappers.  sshd then invokes TCP-wrapper library functions to do 
explicit access-control checks according to the rules in 
/etc/hosts.allow and /etc/hosts.deny.  So in a sense, the term 
"wrapper" is misleading since sshd is modified, not wrapped, to support 


The page then goes on to explain the hosts.allow and hosts.deny files, 
which probably don't require much explanation to you Chris.

Anyway, no one else had followed up with a more comprehensive answer to 
Chris, and it sat in the back of my mind for a few weeks, until I'm 
sitting on Metro North with my iBook and the ORA SSH book.
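An added illustration, not part of the original post: a small Python model of the access-control decision an sshd built with --with-libwrap gets from the TCP-wrappers library, using constructed hosts.allow/hosts.deny contents. It implements the evaluation order (hosts.allow first, then hosts.deny, and access granted when nothing matches) for ALL, single addresses and net/mask patterns only; hostnames, EXCEPT and the other libwrap pattern forms are left out.

```python
import ipaddress

# Constructed sample files for the demo (not taken from any real host).
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd: 192.0.2.0/255.255.255.0, 203.0.113.7
ALL: 127.0.0.1
"""
HOSTS_DENY = """\
sshd: ALL
"""

def parse_rules(text):
    """Turn 'daemons : clients' lines into ([daemons], [clients]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = (f.strip() for f in line.split(":", 1))
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, client_ip):
    """Subset of libwrap client patterns: ALL, a.b.c.d, or net/mask."""
    addr = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, client_ip) for c in clients)

def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if permitted: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise (no match in either file) access is granted.
    sshd checks under its own process name, "sshd"."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny)):
        return False
    return True
```

The last branch is the part worth remembering: with a hosts.deny that does not mention sshd, every address is let through, so a restrictive hosts.allow alone blocks nothing.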


