Dear alphists,
I have just learned (thanks to Jay Leafey) that it is
better to start ssh at boot time using /sbin/init.d/S34sshd rather than
let inetd do the job.
Given the nature of ssh, I would be inclined to comment out the line
in inetd.conf. Using the inetd method has some shortcomings, particularly
the long start-up time. sshd has to do a bit of cryptographic
housekeeping at start-up that can cause an unpleasant delay for
incoming connections.
But now I have a problem related to tcp_wrapper (which I do use) and how
to let sshd use /etc/hosts.allow and /etc/hosts.deny
I know I could place the allowed and denied host names in
/etc/ssh2/sshd2_config, but I would prefer to use the usual tcp_wrapper
hosts.allow and hosts.deny files to have a single place in which to store
that kind of info.
From the man page of sshd I read as follows:
SSH WITH TCP WRAPPERS
When the sshd2 daemon compiles with TCP wrapper libraries, the hosts.allow
and hosts.deny files control who can connect to ports forwarded by the
sshd2 daemon.
The names in the hosts.allow and hosts.deny files are sshd2,
sshdfwd-<portname>, and sshdfwd-X11 for forwarded ports on which the Secure
Shell client or server is listening.
If a port has a defined name, you must use it.
From the man page of sshd2_config I read:
AllowHosts
Follows any number of host name patterns, separated by commas. If
specified, log in is allowed only if a host name matches one of the
patterns. Patterns are matched using the egrep syntax (see
sshregex(5)), or the syntax specified in the metaconfiguration section
of the configuration file.
If you want the pattern to match the host's IP address (ignoring the
canonical host name), prefix your pattern with \i. You can also use
subnet masks (e.g. , 127.0.0.0/8) by prefixing the pattern with \m.
DNS is used to map the client's host name into a canonical host name.
If the name cannot be mapped, the IP address is used as the host name.
--> By default, all hosts are allowed to connect. The sshd2 daemon
--> also can be configured to use tcp_wrappers using the
--> with-libwrap compile-time configuration option.
BUT I checked that "SSH Secure Shell Tru64 UNIX 3.2.0" has not been
compiled with tcp_wrapper support.
So my questions are:
1) Is it possible to get ssh from HPQ already tcp_wrapper-enabled?
2) where can I get the sources to compile ssh? Of course I'd like to
compile the best sources for our Tru64 machines (like SSH Secure
Shell Tru64 UNIX 3.2.0) and not just anything available on the
internet!
Thank you very much from Italy,
Emanuele
--
$$$ Emanuele Lombardi
$$$ mail: ENEA CLIM Casaccia
$$$ I-00060 S.M. di Galeria (RM) ITALY
$$$ mailto:emanuele.lombardi_at_casaccia.enea.it
$$$ tel +39 0630483366
$$$ fax +39 0630484264 |||
$$$ \|/ ;_;
$$$ What does a process need | /"\
$$$ to become a daemon ? | \v/
$$$ | |
$$$ - a fork o---/!\---
$$$ | |_|
$$$ | _/ \_
$$$* Contrary to popular belief, UNIX is user friendly.
$$$ It's just very particular about who it makes friends with.
$$$* Computers are not intelligent, but they think they are.
$$$* True programmers never die, they just branch to an odd address
$$$* THIS TRANSMISSION WAS MADE POSSIBLE BY 100% RECYCLED ELECTRONS
Received on Thu Mar 13 2003 - 17:07:34 NZDT
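As an added example (not part of Emanuele's post, nor code from the SSH Secure Shell product or tcp_wrappers), the following Python script evaluates a hosts.allow/hosts.deny pair in the order hosts_access(5) uses, for the daemon names the quoted man page lists (sshd2, sshdfwd-X11, sshdfwd-<portname>). The sample policy, host names and networks are constructed placeholders; the evaluator models only the common client-pattern forms (ALL, LOCAL, .domain suffix, net. prefix, net/mask, exact name or address) plus a single EXCEPT clause, and it does not model sshd2's own AllowHosts/DenyHosts pattern syntax. It lets an administrator check such a policy offline before relying on it, and it shows the fall-through case: a daemon name that appears in neither file (for instance a forwarded port whose sshdfwd-<portname> entry was forgotten) is allowed by default.

```python
"""Offline evaluator for tcp_wrappers-style hosts.allow / hosts.deny rules.

Added example, not from the original post. Simplified: common client
patterns and one EXCEPT clause only; sshd2's own AllowHosts syntax is not
modelled.
"""
import ipaddress

# Constructed sample policy (placeholder names and networks, not real hosts).
HOSTS_ALLOW = """
# daemon_list : client_list
sshd2       : 192.168.10.0/255.255.255.0, .casaccia.example
sshdfwd-X11 : LOCAL
"""
HOSTS_DENY = """
sshd2, sshdfwd-X11 : ALL
"""


def _fields(text):
    """Split a comma-separated list into stripped, non-empty items."""
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_rules(text):
    """Return a list of (daemons, clients, exceptions) tuples, one per rule."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        clients, _, exceptions = clients.partition(" EXCEPT ")
        rules.append((_fields(daemons), _fields(clients), _fields(exceptions)))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the client's host name and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # LOCAL: host name without a dot
        return "." not in host
    if pattern.startswith("."):  # domain suffix, e.g. .casaccia.example
        return host.endswith(pattern)
    if pattern.endswith("."):  # address prefix, e.g. 192.168.10.
        return addr.startswith(pattern)
    if "/" in pattern:  # net/mask in dotted form, e.g. 192.168.10.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == host or pattern == addr  # exact host name or address


def _any_match(patterns, host, addr):
    return any(client_matches(p, host, addr) for p in patterns)


def rule_matches(rule, daemon, host, addr):
    """A rule applies if its daemon list names the daemon (or ALL) and the
    client list matches without the EXCEPT list also matching."""
    daemons, clients, exceptions = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return _any_match(clients, host, addr) and not _any_match(exceptions, host, addr)


def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide access in hosts_access(5) order: allow file, deny file, default."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"  # no rule matched at all: tcp_wrappers grants access


if __name__ == "__main__":
    # Constructed clients; the last case shows an unlisted daemon name
    # (a forwarded port) falling through to the default allow.
    for daemon, host, addr in [
        ("sshd2", "ws5.casaccia.example", "192.168.10.5"),
        ("sshd2", "host.elsewhere.example", "10.1.1.1"),
        ("sshdfwd-X11", "ws1", "10.1.1.1"),
        ("sshdfwd-1234", "host.elsewhere.example", "10.1.1.1"),
    ]:
        print(f"{daemon:13} {host:25} {addr:14} -> {hosts_access(daemon, host, addr)}")
```

The deny file therefore needs to name every daemon the policy should cover; a "sshd2 : ALL" line in hosts.deny does nothing for sshdfwd-<portname> connections, which is why the usual defensive pattern is an "ALL : ALL" line in hosts.deny with explicit exceptions in hosts.allow.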