I would bet you that your hosts.allow is actually the culprit. I have
seen time and time again that people are not aware that the
hosts.allow/deny file has to have the name of the service as it is
called. If you are calling /usr/local/sbin/sshd2 in a startup script,
then you need to have the appropriate line in hosts.allow similar to the
one below (I have process options turned on in my tcpwrappers so I can
have deny and allow lines in the same file).

    sshd2: whatever.domain.com : allow
    sshd2: evil.domain.net : deny

If you are calling it as /usr/local/sbin/sshd (or any other name) you need
to make sure you put it in your hosts.allow properly.
like

    sshd: whatever.domain.com : allow

The first column is only matched if the process and the service name match
up properly. So if you somehow changed its name to in.sshd or something
like that, then name it appropriately.

The next thing I would do is verify that the /etc/ssh2/sshd2_config has
the right syslog service name so that you can see the logs of what it is
doing.

You might want to do a strings on the binary and see if you happen to find
lines like the following that I believe come from the tcp wrappers library
and are not present in the sshd2 unless compiled properly.

    /etc/hosts.allow
    /etc/hosts.deny
    missing newline or line too long
    missing ":" separator
    cannot open %s: %m
    bad net/mask expression: %s/%s
    user
    group
    umask
    linger
    keepalive
    spawn
    twist
    rfc931
    setenv
    nice
    severity
    allow
    deny
    banners

Hope you find it is something simple over in hosts.allow versus having to
debug the daemon after doing compile-time tweaks.

Scott

On Tue, 12 Jun 2001, Manager Account wrote:
> I *just* (ie: defaults config files) installed ssh-2.4.0 on a SPARC running
> Solaris 7. The system also has PortSentry and tcp_wrappers-7.6 (ssh was
> configured with "--with-libwrap"). Everything works with sshd2 running as a
> daemon except hosts are not being properly denied (they are with telnet).
>
> Are there any configuration changes that need to be done?
>
> Is there any way to check if SSH is using libwrap?
>
> Thanks,
> ~ Jared Warren
>
>
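
The two checks suggested in the reply above, as an added example that is not part of the original thread: it looks for the tcp wrappers strings in a binary and lists which hosts.allow rules apply to a given process name. The sample files are constructed, the function names are hypothetical, `tr` stands in for `strings`, and only plain daemon names and the ALL wildcard are handled.

```shell
#!/bin/sh
# Added example; has_libwrap and rules_for are hypothetical helper names.

# has_libwrap FILE: succeed if FILE carries the tcp wrappers marker strings
# quoted in the reply. tr turns non-printable bytes into newlines, which is
# a rough stand-in for running strings(1) on the binary.
has_libwrap() {
    for marker in '/etc/hosts.allow' '/etc/hosts.deny' 'missing ":" separator'; do
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
            grep -F -- "$marker" > /dev/null || return 1
    done
}

# rules_for NAME FILE: print the rules whose first column lists NAME (the
# name the daemon process runs under) or the ALL wildcard.
rules_for() {
    awk -F: -v d="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            n = split($1, names, /[ \t,]+/)    # first column is a name list
            for (i = 1; i <= n; i++)
                if (names[i] == d || names[i] == "ALL") { print; next }
        }' "$2"
}

# Constructed sample input: a fake binary with the marker strings, one
# without them, and a hosts.allow using the rules from the reply.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'ELF\000/etc/hosts.allow\000/etc/hosts.deny\000missing ":" separator\000' > "$tmp/sshd2"
printf 'ELF\000no wrappers here\000' > "$tmp/sshd2-nowrap"
cat > "$tmp/hosts.allow" <<'EOF'
# constructed sample
sshd: whatever.domain.com : allow
sshd2: whatever.domain.com : allow
sshd2: evil.domain.net : deny
EOF

has_libwrap "$tmp/sshd2" && echo "sshd2: tcp wrappers strings present"
has_libwrap "$tmp/sshd2-nowrap" || echo "sshd2-nowrap: tcp wrappers strings missing"
echo "rules that apply to a process named sshd2:"
rules_for sshd2 "$tmp/hosts.allow"
```

Run `rules_for` with the process name as it appears in the process list; an empty result means no rule in that file names the daemon.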