SUMMARY: SSH Secure Shell Tru64 UNIX 3.2.0 and TCP_WRAPPERS

From: <emanuele.lombardi_at_casaccia.enea.it>
Date: Fri, 14 Mar 2003 09:09:59 +0100 (CET)

Dear friends,
the definitive answers come from HP:

================================= Paul Moore (HP):
1) No, tcp_wrappers are not currently supported nor is there plan to
  support it in the future. We recommend customers to use the capabilities built in to
  SSH itself, i.e. the AllowHosts and DenyHosts options that you
  mention.
2) You can get sources directly from SSH and there is the opensource
  implementation, OpenSSH. HP does not distribute source code for SSH.
3) We currently don't support using SSH with tcp_wrappers or running
  from init.d. I recommend you run SSH from the supplied init script at startup.

================================= Matt Anderson (HP):
1) I'm sorry, but at this point we do not support TCP_WRAPPERS, mainly
because of the included support for per-host and per-subnet blocking or
allowing. Sorry.
2) The sources we use are from ssh.com You should be able to get
access to their source from the homepage. The value-adds that we did
were some cluster awareness and the secure rutils. If you compile
your own with TCP_WRAPPER support you won't have those features.



Many other alphists suggest to get sources from openssh and compile them
with tcp_wrapper support.
Thank you
        Bob Vickers
        Darryl Cook
        Carl Riches
        Warren Sturm
        Olle Eriksson
        Nikola Milutinovic


I received two more mails related to my previous ask for help
        inetd[xxxxxxx]: ssh/tcp: bind: Address already in use
and they are both intersting:

================================= Sloane, Robert Raymond:
> I have to say that I run sshd (home compiled) from several
> years during
> which I alway had /sbin/init.d/sshd run at boot time
> AND an ssh entry in /etc/inetd.conf and I never had any error of the
> kind "ssh/tcp: bind: Address already in use"

It depends on what order you start things. If the daemon sshd gets
started before inetd then it will have port 22 in use and inetd can't
bind to it, causing the error message you saw. If you start inetd
before sshd then inetd will work OK and the sshd daemon won't be able
to bind the port and will probably just exit. There is no reason to
do both, since only one program can listen for incoming connections
at once.

================================= Jay Leafey:
IIRC, you either run sshd as a daemon using the /sbin/init.d file OR you
run it via inetd. Your message seems to indicate you are doing both.
The message you are receiving indicates that inetd has detected another
process allocating the ssh port when it tries to grab it.

Given the nature of ssh, I would be inclined to comment out the line in
inetd.conf. Using the inetd method has some shortcomings, particularly
the long start-up time. sshd has to do a bit of cryptographic
housekeeping at start-up that can cause an unpleasant delay for incoming
connections.

As far as ip address restrictions go, if you are building from sources
you can configure ssh with tcp-wrappers support and use entries in
hosts.allow and hosts.deny to control access. Alternatively, you can
set up address restrictions in the sshd.conf file. See the man pages
for the precise syntax.




So at the end I thank you all !
Long life to our list,
Ciao from Italy,

Emanuele

-- 
$$$ Emanuele Lombardi
$$$ mail:  ENEA  CLIM  Casaccia
$$$        I-00060 S.M. di Galeria (RM)  ITALY
$$$ mailto:emanuele.lombardi_at_casaccia.enea.it
$$$ tel	+39 0630483366 
$$$ fax	+39 0630484264             |||
$$$                                \|/  ;_;
$$$ What does a process need        |   /"\
$$$ to become a daemon ?            |   \v/
$$$                                 |    | 
$$$ - a fork                        o---/!\---
$$$                                 |   |_|
$$$                                 |  _/ \_
$$$* Contrary to popular belief, UNIX is user friendly.
$$$  It's just very particular about who it makes friends with.
$$$* Computers are not intelligent, but they think they are. 
$$$* True programmers never die, they just branch to an odd address
$$$* THIS TRANSMISSION WAS MADE POSSIBLE BY 100% RECYCLED ELECTRONS
Received on Fri Mar 14 2003 - 08:11:13 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:44 NZDT