Date: Thu, 11 Apr 2002 14:36:07 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Stephen Hoover <shooverfbn@442spot.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: sshd & tcp wrappers - bad idea?
Message-ID: <Pine.GSO.4.44.0204111429270.17335-100000@mail.ilrt.bris.ac.uk>
In-Reply-To: <LKEGLDFEGPHGICLNAALGKEPCCFAA.shooverfbn@442spot.com>
[Hope you don't mind, but I'm sending this to -questions too for general info]

On Thu, 11 Apr 2002, Stephen Hoover wrote:

> Jan - thanks for this, good info. If you don't mind - I'm trying to understand
> the whole picture. I took that quote from the default hosts.allow file. It
> was my understanding that that file only controlled tcp wrapped programs?
> However, per default install, my sshd starts up as a stand-alone daemon - it
> is not launched from inetd, but when I started playing with the settings in
> hosts.allow, I noticed I had to set up specific allow/deny rules for ssh
> access as well - can you explain how the hosts.allow file fits in the big
> picture?

There are two ways of using tcp wrappers.

One is to use a standalone "wrapper" program - either tcpd(8) or a
tcp-wrapper-enabled inetd, like FreeBSD has. Basically here, the real
server doesn't understand the tcp wrapper limitations - the wrapping is
performed by another program before handing over the connection to the
server in question.

The second way to use tcp wrappers is to link the tcpwrapper (libwrap)
library against your standalone daemon, and make the calls yourself.
This means writing code that understands tcpwrappers, but this is what's
been done with FreeBSD's stock sshd:

    # ldd /usr/sbin/sshd
    /usr/sbin/sshd:
    [ ... ]
            libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28191000)
    [ ... ]

The other reason that one might consider not bothering with tcp wrappers
and sshd is that the former provides a very crude mechanism for limiting
connections; sshd is somewhat more sophisticated in what it does.

The comment in /etc/hosts.allow probably refers to the practice of
launching sshd from /etc/inetd.conf, which has the problems I outlined
earlier.

jan

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
Goedel would be proud - I'm both inconsistent _and_ incomplete.
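As an added illustration of the point above (not part of the original thread, and not libwrap's own code), the following is a simplified re-implementation in Python of how a libwrap-linked daemon such as FreeBSD's sshd evaluates the FreeBSD-style single-file hosts.allow: first matching rule wins, the rule's allow/deny option decides, and the only facts available are the daemon name and the client's address or hostname. The sample file contents are constructed; EXCEPT lists, shell-command options and a separate hosts.deny are assumed absent.

```python
import ipaddress

# Constructed sample /etc/hosts.allow (FreeBSD style: one file, allow/deny option)
SAMPLE_HOSTS_ALLOW = """\
# sshd is linked against libwrap, so it consults these rules itself
sshd : 192.168.1.0/255.255.255.0 : allow
sshd : .example.org : allow
sshd : ALL : deny
ALL : ALL : allow
"""

def parse_rules(text):
    """Parse 'daemon_list : client_list : option' lines, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            continue  # malformed line: ignore (real libwrap would log an error)
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients, fields[2].lower()))
    return rules

def client_matches(pattern, addr, hostname):
    """Client patterns seen by tcp wrappers: ALL, LOCAL, .domain, net., net/mask, exact."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in hostname
    if pattern.startswith("."):           # domain suffix, e.g. .example.org
        return hostname.endswith(pattern)
    if pattern.endswith("."):             # address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:                    # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (addr, hostname)

def hosts_access(rules, daemon, addr, hostname=""):
    """Return True if the connection is allowed. Note the crudeness: no user,
    no key, no auth method is visible here, only daemon name and client origin."""
    for daemons, clients, action in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(client_matches(c, addr, hostname) for c in clients):
            return action == "allow"
    return True  # libwrap default: no matching rule means access is granted
```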