Dear friends,
the definitive answers come from HP:
================================= Paul Moore (HP):
1) No, tcp_wrappers are not currently supported nor is there plan to
support it in the future. We recommend customers to use the capabilities built in to
SSH itself, i.e. the AllowHosts and DenyHosts options that you
mention.
2) You can get sources directly from SSH and there is the opensource
implementation, OpenSSH. HP does not distribute source code for SSH.
3) We currently don't support using SSH with tcp_wrappers or running
from init.d. I recommend you run SSH from the supplied init script at startup.
================================= Matt Anderson (HP):
1) I'm sorry, but at this point we do not support TCP_WRAPPERS, mainly
because of the included support for per-host and per-subnet blocking or
allowing. Sorry.
2) The sources we use are from ssh.com. You should be able to get
access to their source from the homepage. The value-adds that we did
were some cluster awareness and the secure rutils. If you compile
your own with TCP_WRAPPER support you won't have those features.
Many other alphists suggest getting the sources from OpenSSH and compiling them
with tcp_wrappers support.
Thank you
Bob Vickers
Darryl Cook
Carl Riches
Warren Sturm
Olle Eriksson
Nikola Milutinovic
I received two more mails related to my previous request for help about
inetd[xxxxxxx]: ssh/tcp: bind: Address already in use
and they are both interesting:
================================= Sloane, Robert Raymond:
> I have to say that I have run sshd (home compiled) for several
> years during
> which I always had /sbin/init.d/sshd run at boot time
> AND an ssh entry in /etc/inetd.conf and I never had any error of the
> kind "ssh/tcp: bind: Address already in use"
It depends on what order you start things. If the daemon sshd gets
started before inetd then it will have port 22 in use and inetd can't
bind to it, causing the error message you saw. If you start inetd
before sshd then inetd will work OK and the sshd daemon won't be able
to bind the port and will probably just exit. There is no reason to
do both, since only one program can listen for incoming connections
at once.
================================= Jay Leafey:
IIRC, you either run sshd as a daemon using the /sbin/init.d file OR you
run it via inetd. Your message seems to indicate you are doing both.
The message you are receiving indicates that inetd has detected another
process allocating the ssh port when it tries to grab it.
Given the nature of ssh, I would be inclined to comment out the line in
inetd.conf. Using the inetd method has some shortcomings, particularly
the long start-up time. sshd has to do a bit of cryptographic
housekeeping at start-up that can cause an unpleasant delay for incoming
connections.
As far as IP address restrictions go, if you are building from sources
you can configure ssh with tcp-wrappers support and use entries in
hosts.allow and hosts.deny to control access. Alternatively, you can
set up address restrictions in the sshd.conf file. See the man pages
for the precise syntax.
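The two replies above both come down to the same thing: only one process can own port 22, so an sshd daemon and an inetd entry for ssh must not both be active. The following script is an added illustration, not code from the list or from HP; it checks an inetd.conf text (a constructed sample, not the original poster's file) for uncommented ssh entries, and then reproduces the "Address already in use" failure on a free loopback port instead of port 22 so it can run unprivileged.

```python
import errno
import socket

# Constructed sample of an /etc/inetd.conf fragment (not from the original mail):
# one active ssh entry and one commented out. Paths are placeholders.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd        ftpd
ssh     stream  tcp     nowait  root    /usr/local/sbin/sshd  sshd -i
#ssh    stream  tcp     nowait  root    /usr/sbin/sshd        sshd -i
"""


def active_inetd_services(conf_text, service="ssh"):
    """Return the uncommented inetd.conf lines that start the given service.
    Any hit while /sbin/init.d/sshd is also enabled means a double configuration."""
    hits = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0] == service:
            hits.append(stripped)
    return hits


def second_bind_is_address_in_use(host="127.0.0.1"):
    """Bind a 'daemon' socket on a free port, then let a second socket (the
    'inetd') try the same port. Return True if the second bind fails with
    EADDRINUSE, which is exactly the inetd log line discussed above."""
    daemon = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    inetd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        daemon.bind((host, 0))         # kernel picks a free port, standing in for :22
        daemon.listen(1)
        port = daemon.getsockname()[1]
        inetd.bind((host, port))       # same port as the running daemon
        return False                   # should not happen without SO_REUSEADDR
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        inetd.close()
        daemon.close()


if __name__ == "__main__":
    for entry in active_inetd_services(SAMPLE_INETD_CONF):
        print("active inetd ssh entry:", entry)
    print("second bind failed with EADDRINUSE:", second_bind_is_address_in_use())
```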
So, in the end, I thank you all!
Long life to our list,
Ciao from Italy,
Emanuele
--
$$$ Emanuele Lombardi
$$$ mail: ENEA CLIM Casaccia
$$$ I-00060 S.M. di Galeria (RM) ITALY
$$$ mailto:emanuele.lombardi_at_casaccia.enea.it
$$$ tel +39 0630483366
$$$ fax +39 0630484264 |||
$$$ \|/ ;_;
$$$ What does a process need | /"\
$$$ to become a daemon ? | \v/
$$$ | |
$$$ - a fork o---/!\---
$$$ | |_|
$$$ | _/ \_
$$$* Contrary to popular belief, UNIX is user friendly.
$$$ It's just very particular about who it makes friends with.
$$$* Computers are not intelligent, but they think they are.
$$$* True programmers never die, they just branch to an odd address
$$$* THIS TRANSMISSION WAS MADE POSSIBLE BY 100% RECYCLED ELECTRONS
Received on Fri Mar 14 2003 - 08:11:13 NZDT