On Sat, 16 Oct 1999, Phil Hurvitz wrote:

> I'm interested in using ssh with tcp wrappers.  I've successfully compiled
> tcp wrappers and configured, confirmed that services like finger and
> telnet are using the wrappers.  I recompiled ssh1 & 2, verified ssh1
> compatibility, but I'm now stumped.
> 
> My question is: do I then kill the normally running sshd process
> (originally set to start with /etc/init.d), and run sshd as an inetd
> process?

Yes, if you're going to run sshd out of inetd using tcp_wrappers, you'll
want to remove the script (or change its name if you might use it later)
from /etc/init.d that starts it up at boot. (You can, of course, compile
ssh with libwrap and use ssh's own Allow/Deny access files and continue to
run it standalone from /etc/init.d.)

> 
> Here's my line from inetd.conf:
> 
>    ssh stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd


Ahhh...from the sshd1 man page (or sshd2 man page, which has a less
verbose explanation):


...blah, blah, blah...

    -i    Specifies that sshd is being run from inetd.  Sshd  is
          normally  not  run  from inetd because it needs to gen-
          erate the server key  before  it  can  respond  to  the
          client,  and  this  may  take tens of seconds.  Clients
          would have to wait too long if the key was  regenerated
          every  time.  However, with small key sizes (e.g.  512)
          using sshd from inetd may be feasible.

So, add the -i switch to sshd line in inetd.conf and you should be fine:

ssh stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd -i

Note that running it from inetd.conf, as pointed out above, is slower due
to key generation for each request. We run it this way to incorporate it
into tcp_wrappers. Depending on the speed of your machine, the wait time
is anywhere from 5-15 seconds.  Noticeably slower than telnet/rlogin, but
our users have not complained.  Running it standalone is faster, and you
can control access separately with libwrap compiled in.

> and my test hosts.allow file (call my machine "myhost")
> 
>    ssh: myhost
> 
> But I get this:
> 
> server# ./tcpdchk
> warning: /etc/hosts.allow, line 1: ssh: no such process name in
> /etc/inet/inetd.conf
> 

The hosts.allow and hosts.deny files use a daemon: client syntax
structure (read the hosts.access.5 man page w/in tcp_wrappers src dir
using "nroff -man hosts.access.5 | more"; it's full of helpful info), so
your line should specify the daemon name - sshd...

sshd: myhost


> and
> 
> myhost# ssh highlead
> FATAL: Connecting to highlead failed: Connection Refused
> 

The above corrections should fix this.  Also make sure you have the
client/port/data type listed in your /etc/services file, if necessary,
as in:

ssh (or ssh2 or ssh1)           [your port number-default is 22]/tcp 


Regards,

Chris

         ###############################################################
         #                      Chris Vandersip                        #
         #        Computer Research Specialist/Dept. Sysadmin          #
         #  Rm. 024, Dept. of Meteorology, Florida State University    #
         #          [EMAIL PROTECTED]   (850)644-2522                #
         ###############################################################
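As an added example (not part of this mail or of tcp_wrappers itself), a small POSIX shell script that reproduces the tcpdchk complaint above: it derives the daemon names tcpd will look up from the server programs listed in inetd.conf and flags hosts.allow rules keyed on a name inetd never starts, such as "ssh" instead of "sshd". The inetd.conf and hosts.allow contents are constructed here from the lines in the thread so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original mail: a tiny tcpdchk-style check that
# the daemon names in hosts.allow match the server programs inetd runs.
# Sample inetd.conf / hosts.allow files are constructed here so it runs offline.

make_samples() {
  dir=$(mktemp -d)
  # The thread's inetd.conf line with the -i switch added, plus one more service
  cat > "$dir/inetd.conf" <<'EOF'
# service type proto wait user server_program args
ssh stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd -i
finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
EOF
  # The original (wrong) rule keyed on the service name ...
  printf 'ssh: myhost\nin.fingerd: LOCAL\n' > "$dir/hosts.allow"
  # ... and the corrected rule keyed on the daemon name
  printf 'sshd: myhost\nin.fingerd: LOCAL\n' > "$dir/hosts.allow.fixed"
  echo "$dir"
}

# Daemon names tcpd will look up: the basename of the program it execs
# (field 7 when field 6 is tcpd, otherwise the server program itself).
inetd_daemons() {
  awk '$1 !~ /^#/ && NF >= 6 {
         prog = ($6 ~ /tcpd$/) ? $7 : $6
         n = split(prog, p, "/"); print p[n] }' "$1"
}

# Warn, tcpdchk-style, about hosts.allow daemon names inetd never starts.
# Handles comma-separated daemon lists and skips the ALL wildcard.
check_hosts_allow() {
  conf=$1; allow=$2
  known=$(inetd_daemons "$conf")
  awk -F: '$1 !~ /^#/ && NF > 1 {
         n = split($1, d, /[ \t,]+/)
         for (i = 1; i <= n; i++) if (d[i] != "" && d[i] != "ALL") print d[i] }' "$allow" |
  while read -r name; do
    printf '%s\n' "$known" | grep -qx "$name" ||
      echo "warning: ${allow##*/}: $name: no such process name in ${conf##*/}"
  done
}

dir=$(make_samples)
check_hosts_allow "$dir/inetd.conf" "$dir/hosts.allow"        # flags ssh
check_hosts_allow "$dir/inetd.conf" "$dir/hosts.allow.fixed"  # prints nothing
rm -rf "$dir"
```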