sshd and tcpwrappers

Dagmar d'Surreal dagmar.wants at nospam.com
Wed Feb 4 00:51:48 PST 2004


On Wed, 2004-02-04 at 01:50, Jeremy Utley wrote:
> On Tue, 2004-02-03 at 23:16, P.R. wrote:
> > Hi
> > 
> > I want to know if sshd uses the tcpwrappers (hosts.allow etc)
> > functionality by default = when following the book.
> > 
> > There is a switch in the configure-script:  --with-tcp-wrappers.
> > I think it wouldn't be there if not needed, so I don't think sshd will
> > NOT utilize tcpd, unless I recompile it again.
> > 
> > Is this right or wrong?
> > 
> > I found this message from last July
> > 
> > http://archives.linuxfromscratch.org/mail-archives/blfs-support/2003-July/031854.html
> > 
> > and I think even more I have to recompile and reinstall sshd again :-/
> > 
> > I also think it should be at least mentioned with one short sentence
> > in the book, because this is a basic feature.
> > 
> > Greetings
> > Peter
> 
> Personally, using tcp-wrappers with sshd is a BadThing (TM).  TCP
> wrappers works by wrapping the binary by the tcpd program in inetd - and
> sshd shouldn't EVER be run via inetd - I forget the details, but
> something about excessive key generation or something to that effect -
> you can definitely find more information on the web about it.
> 
> Or, I suppose I could be completely misunderstanding how tcp-wrappers
> works, and might be way off base.

You're smarter than you think.  ;)  OpenSSH (like most sshd's) links in
libwrap.a directly at compile time, so it passes all socket connects
through that library using the service token (surprise) "sshd".  There's
actually a number of other things which link in libwrap.a like this. 
The tip-off is generally if the program even cares about tcp_wrappers at
compile time, then it's going to link in the library.

You're right about definitely not wanting to run sshd through an inet
superserver, tho.

For extra credit, people should check out the banners option to
tcp_wrappers.  It'll let you make the thing emit
"SSH-1.5-OpenSSH-2.7.2p3" (or whatever) to sockets that are denied
access.  It doesn't prevent anything much, but it does annoy the hell
out of script kiddies using nessus to figure out which of their l33t
scripts to use.  Since these connection rejections get logged, it does
encourage would-be invaders to be a little noisier than they typically
otherwise would.
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
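As an added example (not part of this thread, and not OpenSSH's or tcp_wrappers' own code), the following Python models the libwrap access decision the reply above describes: sshd hands every accepted connection to libwrap under the daemon token "sshd", hosts.allow is searched first and its first match grants, then hosts.deny is searched and its first match refuses, and a connection matching neither file is granted. It goes slightly beyond the message by covering the common client-pattern forms (ALL, exact host, leading-dot domain suffix, trailing-dot network prefix, net/mask, EXCEPT) and by carrying the third rule field so the `banners` option from the post shows up in the verdict. The two rule sets and the `/etc/banners` directory are constructed sample input, not anyone's live configuration.

```python
"""Simplified model of tcp_wrappers' hosts_access(3) decision for sshd.

Added example for the blfs-support thread; not the real libwrap code.
Reproduces the search order (hosts.allow, then hosts.deny, then default
allow) and the common pattern forms. KNOWN, PARANOID, LOCAL, shell
commands and /path file lists are deliberately not modelled.
"""
import ipaddress

# Constructed sample /etc/hosts.allow: admin LAN (minus one host),
# a /16 and an ops domain may reach sshd.
SAMPLE_HOSTS_ALLOW = """
sshd: 192.168.1. EXCEPT 192.168.1.250
sshd: 10.0.0.0/255.255.0.0
sshd: .ops.example.org
"""

# Constructed sample /etc/hosts.deny: refuse everything else and, via the
# banners option, copy /etc/banners/sshd (placeholder path) to the client.
# libwrap logs each refusal, which is the "noisier" effect the post mentions.
SAMPLE_HOSTS_DENY = """
ALL: ALL: banners /etc/banners
"""


def parse_rules(text):
    """Return (daemon_list, client_list, options) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        options = fields[2] if len(fields) > 2 else ""
        rules.append((fields[0], fields[1], options))
    return rules


def _client_matches(pattern, host):
    """One client pattern against one client name or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".ops.example.org": domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):            # "192.168.1.": dotted network prefix
        return host.startswith(pattern)
    if "/" in pattern:                   # "net/mask" form
        try:
            network = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(host) in network
        except ValueError:               # hostname, not an address
            return False
    return host == pattern               # exact host or address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(spec, item, match):
    """'a b EXCEPT c d': any of the left side and none of the right side."""
    tokens = spec.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        included, excluded = tokens[:i], tokens[i + 1:]
    else:
        included, excluded = tokens, []
    return (any(match(p, item) for p in included)
            and not any(match(p, item) for p in excluded))


def _rule_matches(rule, daemon, host):
    daemons, clients, _options = rule
    return (_list_matches(daemons, daemon, _daemon_matches)
            and _list_matches(clients, host, _client_matches))


def hosts_access(daemon, host, allow_text, deny_text):
    """Return (allowed, options) following libwrap's search order."""
    for rule in parse_rules(allow_text):
        if _rule_matches(rule, daemon, host):
            return True, rule[2]
    for rule in parse_rules(deny_text):
        if _rule_matches(rule, daemon, host):
            return False, rule[2]
    return True, ""   # no rule in either file: libwrap grants access


def check_sshd(host, allow_text=SAMPLE_HOSTS_ALLOW, deny_text=SAMPLE_HOSTS_DENY):
    """Verdict for a client connecting to the daemon token "sshd"."""
    return hosts_access("sshd", host, allow_text, deny_text)[0]


if __name__ == "__main__":
    for h in ["192.168.1.10", "192.168.1.250", "10.0.7.3", "10.1.0.1",
              "jump.ops.example.org", "203.0.113.9"]:
        allowed, options = hosts_access("sshd", h, SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY)
        print(f"{h:24} -> {'allow' if allowed else 'deny'} {options}")
```

The last test case in the block matters in practice: with an empty hosts.deny the same client is allowed, because libwrap's default is to grant, so a hosts.allow file on its own restricts nothing. On a real host, `ldd "$(command -v sshd)" | grep libwrap` shows a dynamically linked libwrap.so, but a build that links libwrap.a statically, as the reply describes, will not appear there; a deny rule and a test connection are the reliable check. Also note that portable OpenSSH dropped tcp_wrappers support in release 6.7, so on current builds the `--with-tcp-wrappers` switch discussed in the thread no longer exists and hosts.allow has no effect on sshd.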