From: Chris Orr
To: freebsd-security@freebsd.org
Date: Fri, 24 Sep 2004 16:03:04 -0500 (EST)
Subject: Re: ssh security
Message-ID: <20040924160019.K77746@manual-override.net>
In-Reply-To: <415488AB.2060803@mrtux.co.uk>

When you build openssh, you need to be sure to add the --with-tcp-wrappers
argument when you run the configure script.

ex: ./configure --with-ssl-dir=../openssl --with-pam --with-tcp-wrappers

Hopefully this points you in the right direction.

-chris

On Fri, 24 Sep 2004, Terry wrote:

> Derek Ragona wrote:
> >
> >> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
> >> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
> >> still allows ssh logins. I even put in a line in hosts.allow to
> >> explicitly deny the IP I was ssh'ing from, but it still let me in.
> >> The behavior gives the appearance that TCP wrappers are not enabled,
> >> and thus the /etc/hosts.allow file is ignored.
> >>
> >> Is there something I need to do to enable the wrappers in sshd? I saw
> >> that there is a compile option for the portable source from
> >> openssh.org, so I wonder if there is some compile option that needs to
> >> be enabled in make.conf?
> >>
> >> I have gone through the documentation for sshd_config, sshd,
> >> make.conf, etc. but am not finding anything to change.
> >>
> >> -Derek
> >>
> >>
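
Added example, not part of the original message or thread: a shell check for the symptom described above, where sshd ignores /etc/hosts.allow because it was built without TCP wrappers. It looks for libwrap among the binary's shared-library dependencies and, for static builds, for the embedded rules-file path. The function names are hypothetical and the sample ldd output is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): does this sshd binary include TCP
# wrappers support, i.e. will it consult /etc/hosts.allow at all?
# Function names are hypothetical; pass the sshd path as the first argument.

# True if ldd(1)-style output names libwrap as a shared-library dependency.
ldd_has_libwrap() {
    printf '%s\n' "$1" | grep -q 'libwrap\.so'
}

# Heuristic for static builds: libwrap compiles the rules-file path in as a
# string constant, so a binary that embeds the library embeds the path too.
embeds_hosts_allow() {
    LC_ALL=C grep -q -F '/etc/hosts.allow' "$1"
}

# Prints a verdict; returns 0 if wrappers look compiled in, 1 if not,
# 2 if the binary cannot be read.
check_sshd_wrappers() {
    bin=$1
    [ -r "$bin" ] || { echo "cannot read $bin"; return 2; }
    deps=$(ldd "$bin" 2>/dev/null) || deps=""
    if ldd_has_libwrap "$deps"; then
        echo "libwrap: dynamic"
    elif embeds_hosts_allow "$bin"; then
        echo "libwrap: probably static"
    else
        echo "libwrap: not found"
        return 1
    fi
}

# Constructed sample of ldd output for a wrappers-enabled sshd.
SAMPLE_LDD='	libwrap.so.3 => /usr/lib/libwrap.so.3 (0x2809c000)
	libc.so.5 => /lib/libc.so.5 (0x280a5000)'

if [ $# -gt 0 ]; then
    check_sshd_wrappers "$1"
fi
```

Upstream OpenSSH removed libwrap support in release 6.7, so a current unpatched build reports "libwrap: not found" and access control has to come from sshd_config or a packet filter instead.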