Confused about tcp_wrappers and sshd

STYMA, ROBERT E (ROBERT) stymar at lucent.com
Wed Aug 24 18:40:37 UTC 2005


> 
> On 8/24/05, STYMA, ROBERT E (ROBERT) <stymar at lucent.com> wrote:
> > I just retested on FC3.  The ssh that comes
> > with the standard repos does honor the
> > /etc/hosts.allow and /etc/hosts.deny files.
> > I am not real familiar with the HOSTDENY program,
> > but if it updates /etc/hosts.deny, ssh will
> > honor it.  The tcpwrappers program also checks
> > /etc/hosts.deny and /etc/hosts.allow.
> > 
> > You can easily test this by hand.
> 
> What I did was the following:
> 
> (I am logged in via ssh on a remote host.)
> 
> 1. Open /etc/hosts.deny
> 2. Add a line that reads "sshd: 127.0.0.1"
> 3. Save and exit
> 4. 'service sshd restart'
> 5. 'ssh localhost'
> 
> The document I linked to earlier says I should get the following
> message "ssh_exchange_identification: Connection closed by remote
> host". Instead I just get a new RSA key fingerprint message.
> 
> Am I doing something wrong or is there another way to test it?
> 
> 
1.  As an aside, you do not have to restart sshd when you update
    /etc/hosts.deny and /etc/hosts.allow.
2.  /etc/hosts.allow is looked at first.  Make sure it does not
    have something in it to allow 127.0.0.1.
3.  Check /var/log/messages and /var/log/secure to see what IP
    the system thought was connecting.
4.  Try this.
     Note that changing /etc/hosts.allow and /etc/hosts.deny does
     not affect ssh connections which are already established.
     a. Put the IP address of the machine you are ssh'ing in from
        originally in the /etc/hosts.deny file and save.
     b. Try to ssh in from another window.  It should be
        denied.
     c. Take the IP out before you log off of the first session.
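As an added illustration of points 2 and 4 above (this is example code written for this page, not from the thread, from OpenSSH or from the tcp_wrappers library): a small Python model of the order in which libwrap's hosts_access() consults the two control files. The hosts.allow and hosts.deny contents are constructed for the demonstration, and the matcher is a deliberate simplification of the real syntax (it handles ALL, exact IPv4 addresses, trailing-dot network prefixes and addr/mask patterns, but not EXCEPT, hostnames, or the optional shell-command field).

```python
"""Simplified model of tcp_wrappers access-control ordering (added example).

Assumed evaluation order, matching the hosts_access(5) description:
  1. /etc/hosts.allow is consulted first; the first matching rule grants access.
  2. /etc/hosts.deny is consulted next; the first matching rule denies access.
  3. If neither file has a matching rule, access is granted.
Supported client patterns (a subset of the real syntax): ALL, an exact
IPv4 address, a trailing-dot prefix such as "192.168.1.", and "addr/mask".
"""
import ipaddress


def parse_rules(text):
    """Turn 'daemon_list : client_list [: command]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        clients = rest.split(":", 1)[0]          # ignore an optional command field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, addr):
    """Does one client pattern match the connecting IPv4 address?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # network prefix, e.g. "192.168.1."
        return addr.startswith(pattern)
    if "/" in pattern:                           # addr/mask, e.g. 10.0.0.0/255.255.255.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr                       # exact address


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, addr) for c in clients)


def decide(daemon, addr, allow_text, deny_text):
    """Return ('allow'|'deny', reason) for one connection attempt."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr):
            return ("allow", "matched /etc/hosts.allow")
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr):
            return ("deny", "matched /etc/hosts.deny")
    return ("allow", "no rule matched")


def thread_scenarios():
    """Constructed file contents reproducing the situations discussed above."""
    deny_localhost = "sshd: 127.0.0.1\n"
    return {
        # The original test: only hosts.deny lists 127.0.0.1 -> connection refused.
        "deny only": decide("sshd", "127.0.0.1", "", deny_localhost),
        # Point 2: an allow entry for the same address wins because it is checked first.
        "allow wins": decide("sshd", "127.0.0.1", "sshd: 127.0.0.1\n", deny_localhost),
        # Point 3: a rule for 127.0.0.1 does nothing if the peer address is different.
        "other peer": decide("sshd", "192.168.1.10", "", deny_localhost),
        # A common default-deny layout: allow one subnet, deny everything else.
        "subnet allowed": decide("sshd", "192.168.1.10", "sshd: 192.168.1.\n", "ALL: ALL\n"),
        "subnet denied": decide("sshd", "10.0.0.5", "sshd: 192.168.1.\n", "ALL: ALL\n"),
    }


if __name__ == "__main__":
    for name, (verdict, why) in thread_scenarios().items():
        print(f"{name:15s} -> {verdict:5s} ({why})")
```

Running it shows why a deny entry for 127.0.0.1 has no effect when hosts.allow already covers that address, and why the logged peer address (point 3) is what has to appear in the rule.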
