From owner-freebsd-questions Thu Apr 11 6:37: 4 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60]) by hub.freebsd.org (Postfix) with ESMTP id B8D4B37B400 for ; Thu, 11 Apr 2002 06:36:51 -0700 (PDT)
Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV with ESMTP; Thu, 11 Apr 2002 14:36:40 +0100
Received: from cmjg (helo=localhost) by mail.ilrt.bris.ac.uk with local-esmtp (Exim 3.16 #1) id 16vekB-0003vK-00; Thu, 11 Apr 2002 14:36:07 +0100
Date: Thu, 11 Apr 2002 14:36:07 +0100 (BST)
From: Jan Grant
X-X-Sender: cmjg@mail.ilrt.bris.ac.uk
To: Stephen Hoover
Cc: freebsd-questions@freebsd.org
Subject: RE: sshd & tcp wrappers - bad idea?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

[Hope you don't mind, but I'm sending this to -questions too for general info]

On Thu, 11 Apr 2002, Stephen Hoover wrote:

> Jan - thanks for this, good info. If you don't mind - I'm trying to understand
> the whole picture. I took that quote from the default hosts.allow file. It
> was my understanding that that file only controlled tcp wrapped programs?
> However, per default install, my sshd starts up as a stand alone daemon - it
> is not launched from inetd, but when I started playing with the settings in
> hosts.allow, I noticed I had to set up specific allow/deny rules for ssh
> access as well - can you explain how the hosts.allow file fits in the big
> picture?

There are two ways of using tcp wrappers. One is to use a standalone "wrapper" program - either tcpd(8) or a tcp-wrapper-enabled inetd, like FreeBSD has. Basically here, the real server doesn't understand the tcp wrapper limitations - the wrapping is performed by another program before handing over the connection to the server in question.
The second way to use tcp wrappers is to link the tcpwrapper (libwrap) library against your standalone daemon, and make the calls yourself. This means writing code that understands tcpwrappers, but this is what's been done with FreeBSD's stock sshd:

    # ldd /usr/sbin/sshd
    /usr/sbin/sshd:
    [ ... ]
            libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28191000)
    [ ... ]

The other reason that one might consider not bothering with tcp wrappers and sshd is that the former provides a very crude mechanism for limiting connections; sshd is somewhat more sophisticated in what it does.

The comment in /etc/hosts.allow probably refers to the practice of launching sshd from /etc/inetd.conf, which has the problems I outlined earlier.

jan

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
Goedel would be proud - I'm both inconsistent _and_ incomplete.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
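What a libwrap-linked daemon such as sshd asks on every incoming connection, as an added example that is not part of the original mail or of FreeBSD's code: a simplified evaluator of /etc/hosts.allow rules over a constructed sample ruleset. It handles only the ALL, exact-address, trailing-dot prefix and addr/mask client patterns, does no hostname lookups, and is not the real hosts_access(3) implementation; it only shows the first-match, address-based decision the mail calls "crude".

```python
"""Simplified hosts.allow evaluator (added illustration, not libwrap itself)."""
import ipaddress

# Constructed sample ruleset in FreeBSD hosts.allow syntax; first match wins.
SAMPLE_RULES = """
# sshd: permit the office LAN and the 10.0.x.x range, refuse everyone else
sshd : 192.168.1.0/255.255.255.0 : allow
sshd : 10.0. : allow
sshd : ALL : deny
ALL : ALL : allow
"""

def parse_rules(text):
    """Yield (daemons, clients, action) for each non-comment rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].split()
        clients = fields[1].split()
        # A missing option field means the rule permits the connection.
        action = fields[2].lower() if len(fields) > 2 else "allow"
        yield daemons, clients, action

def client_matches(pattern, addr):
    """Match one client_list token against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    if pattern.endswith("."):               # leading-octets prefix form, e.g. 10.0.
        return addr.startswith(pattern)
    return addr == pattern                  # exact address

def hosts_access(daemon, addr, rules_text=SAMPLE_RULES):
    """Return True if the connection is permitted.

    As with libwrap, a client matching no rule at all is allowed, so a final
    'ALL : ALL : deny' line is what turns the file into a default-deny policy.
    """
    for daemons, clients, action in parse_rules(rules_text):
        daemon_hit = "ALL" in daemons or daemon in daemons
        if daemon_hit and any(client_matches(p, addr) for p in clients):
            return action != "deny"
    return True
```

Because the decision is keyed on the daemon name sshd passes to libwrap and the peer address alone, it says nothing about users or keys, which is the point of the mail's remark that sshd's own controls are more sophisticated.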