From: David Wolfskill <david@catwhisker.org>
To: freebsd-stable@freebsd.org
Date: Tue, 31 May 2005 09:00:46 -0700
Subject: Re: IP Firewalling by DNS name
Message-ID: <20050531160046.GP800@bunrab.catwhisker.org>
References: <200505311529.j4VFTu9Q024198@lurza.secnetix.de> <44k6lfjsr2.fsf@be-well.ilk.org>
In-Reply-To: <44k6lfjsr2.fsf@be-well.ilk.org>
List-Id: Production branch of FreeBSD source code (freebsd-stable)

On Tue, May 31, 2005 at 11:54:25AM -0400, Lowell Gilbert wrote:
> Oliver Fromme writes:
>
> > Ivan Voras wrote:
> >
> > > As I understand it, sshd actually accepts connections
> > > prior to checking hosts.allow?
> >
> > Yes, the connection is accepted first, because there is
> > no information available about it before it is accepted.
> > But if the check fails, the connection will be closed
> > immediately.
>
> Well, that's not necessarily the best way to explain it. When you're
> working with TCP wrappers, you're running out of inetd(8), so there
> isn't really any sshd at all until the wrappers have decided to allow
> the connection.

Are you *sure* about that?

Ref:

g1-18(4.11-S)[2] ldd `which sshd`
/usr/sbin/sshd:
        libopie.so.2 => /usr/lib/libopie.so.2 (0x28089000)
        libmd.so.2 => /usr/lib/libmd.so.2 (0x28092000)
        libssh.so.2 => /usr/lib/libssh.so.2 (0x2809b000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280ca000)
        libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x280e3000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x281da000)
        libz.so.2 => /usr/lib/libz.so.2 (0x281e3000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x281f0000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x281f8000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28202000)
g1-18(4.11-S)[3]

Note "libwrap.so.3" in there....

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Any given sequence of letters is a misspelling of a great many English words.

See http://www.catwhisker.org/~david/publickey.gpg for public key.
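The point the ldd output makes, that a libwrap-linked sshd does its own TCP-wrapper check in-process after accept() rather than behind inetd(8), as an added Python model that is not code from the thread or from libwrap itself: hosts_access() reimplements the hosts_access(5) lookup order (allow file first, then deny file, no match means allow) for a subset of client patterns, and wrapped_accept() shows the accept, check, then close-if-denied sequence. The rule files are constructed, and hostname matching here trusts whatever name the caller passes in, where real libwrap verifies reverse and forward DNS before matching a domain pattern.

```python
import ipaddress

# Constructed sample rule files (not from the mail); on a real host these are
# /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """\
sshd : 192.168.1.0/255.255.255.0, .example.org
ALL : 127.0.0.1
"""
HOSTS_DENY = "sshd, ftpd : ALL\n"


def parse_rules(text):
    """Yield (daemon_list, client_list) pairs from hosts.allow/hosts.deny text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = (f.strip() for f in line.split(":")[:2])
            yield ([d.strip() for d in daemons.split(",")],
                   [c.strip() for c in clients.split(",")])


def client_matches(pattern, ip, hostname):
    """Subset of hosts_access(5) client patterns: ALL, net/mask, .domain, prefix., literal."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):  # domain suffix; real libwrap double-checks DNS first
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):  # dotted address prefix, e.g. 10.0.
        return ip.startswith(pattern)
    return pattern in (ip, hostname)


def hosts_access(daemon, ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: first match in the allow file grants, first match in the
    deny file refuses, no match at all grants."""
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and \
                    any(client_matches(c, ip, hostname) for c in clients):
                return verdict
    return True


def wrapped_accept(listener, daemon="sshd"):
    """What a libwrap-linked daemon does: accept() first (the peer address only
    exists once the connection is up), then consult the rules, then close if denied."""
    conn, (ip, _port) = listener.accept()
    if not hosts_access(daemon, ip):
        conn.close()  # the client sees a connection that opens and is dropped at once
        return None
    return conn
```

A denied client therefore still completes the TCP handshake and only then gets the socket closed, which is why the connection is visible in firewall or netstat output for an instant before the wrapper rejects it.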