[nycbug-talk] OpenSSH and hosts.allow/hosts.deny

Okan Demirmen okan
Sat Nov 6 21:14:47 EST 2004

On Sat 2004.11.06 at 19:24 -0500, G. Rosamond wrote:
> A few weeks ago, Chris asked if you could explicitly block or allow by 
> ip for OpenSSH.
> I answered blindly "yes," even though SSH is not governed by inetd.conf 
> and therefore is not ruled by /etc/hosts.allow or /etc/hosts.deny.  But 
> I knew it could be, but did not remember.
> I just checked the ORA book on SSH, and found the following on page 354:
> <quote>
> ...sshd is usually not invoked by inetd, ...the SSH server must be 
> compiled with the flag --with-libwrap to enable internal support for 
> TCP-wrappers.  sshd then invokes TCP-wrapper library functions to do 
> explicit access-control checks according to the rules in 
> /etc/hosts.allow and /etc/hosts.deny.  So in a sense, the term 
> "wrapper" is misleading since sshd is modified, not wrapped, to support 
> TCP-wrappers.
>  </quote>
> The page then goes on to explain the hosts.allow and hosts.deny files, 
> which probably don't require much explanation to you Chris.
> Anyway, no one else had followed up with a more comprehensive answer to 
> Chris, and it sat in the back of my mind for a few weeks, until I'm 
> sitting on Metro North with my iBook and the ORA SSH book.

I don't remember the original post, nor the OS OpenSSH was used on,
but just use ldd(1) or objdump(1) to see if your sshd is compiled
with libwrap. I only know that OpenBSD has libwrap in by default.
Looks like my hosting company who uses "FreeBSD 4.8-STABLE" doesn't
have libwrap in, but it could be that pair pulls it out or FreeBSD
doesn't by default. Anyway, easy check for anyone who cares ;)

My .02 cents for now ;)


> g

Okan Demirmen <okan at demirmen.com>
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB3670934
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934
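
The ldd(1) check suggested in the reply above, as an added example that is not part of the original post. The function names, the default path /usr/sbin/sshd and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify ldd(1) output read on stdin.
# Prints "libwrap" when a libwrap shared object is listed, else "no-libwrap".
# The pattern accepts both "libwrap.so.0 => /lib/..." (Linux-style) and a bare
# path such as "/usr/lib/libwrap.so.4.0" (BSD-style), and requires ".so" right
# after the name so that something like "libwrapper.so" does not match.
classify_ldd() {
    if grep -Eq '(^|[[:space:]/])libwrap\.so'; then
        echo "libwrap"
    else
        echo "no-libwrap"
    fi
}

# Run the check against a real binary (path is an assumed default).
# ldd fails on static binaries, so that case is reported separately:
# a statically linked sshd could still contain the wrapper code.
check_sshd() {
    bin=${1:-/usr/sbin/sshd}
    if [ ! -r "$bin" ]; then
        echo "unreadable"
        return 2
    fi
    if ! out=$(ldd "$bin" 2>&1); then
        echo "static-or-unknown"
        return 2
    fi
    printf '%s\n' "$out" | classify_ldd
}

# Constructed sample: sshd linked against libwrap.
SAMPLE_WITH='    libwrap.so.0 => /lib/libwrap.so.0 (0x00007f0000a00000)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x00007f0000600000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'

# Constructed sample: sshd built without libwrap. The libwrapper line is a
# made-up near miss to show the pattern does not over-match.
SAMPLE_WITHOUT='    libwrapper.so.1 => /lib/libwrapper.so.1 (0x00007f0000a00000)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x00007f0000600000)
    libz.so.1 => /lib/libz.so.1 (0x00007f0000400000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'
```

A "no-libwrap" result means sshd will not consult /etc/hosts.allow or /etc/hosts.deny, so rules written there for sshd have no effect. Upstream OpenSSH removed libwrap support in release 6.7, so on current systems a positive result indicates a vendor patch.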
