AllowHosts / DenyHosts
Pekka Savola
pekkas at netcore.fi
Wed Feb 28 03:56:10 EST 2001
On Tue, 27 Feb 2001, Andreas Vetter wrote:
> I'd like to see a feature of the commercial ssh in openssh:
> AllowHosts xxx.yyy.xxx.yyy *.domain.net
> DenyHosts xxx.yyy.xxx.* name.domain.net
>
> This allows or denies connects from certain machines (including wildcard
> matching).
>
> Is there any chance for this feature to be included? No, we don't want to
> use tcp-wrapper for this.
I begged for this for a long time half a year ago or so, but never got any
replies. So I gave up. Now I'm happily using tcp wrappers.
I've made a patch for tcp_wrappers to enable wildcard matching (from ssh
1.2.12), and to enable file includes (from freebsd). So I can't see why
tcp_wrappers should be worse than HostsAllow and friends in this aspect.
So with this you could just do:
---
sshd: /etc/ssh/ssh_hosts_allow : all
sshd: ALL : deny
---
and in /etc/ssh/ssh_hosts_allow, like:
---
xxx.yyy.x??.* name*.domain.net
---
Patches available at request. Both are in recent Red Hat Linux betas,
btw.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted, not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
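The rule semantics described in the reply (per-daemon rules, first match wins, `*`/`?` wildcards against hostname or address, a client list that is read from a file, and a trailing `sshd: ALL : deny`) can be seen end to end in the following evaluator. This is an added example, not tcp_wrappers code and not the patch mentioned in the post; the include-file contents, the `include:` marker and the addresses are constructed here so the example runs offline.

```python
"""Toy evaluator for tcp_wrappers-style access rules with wildcard
patterns and file includes.  Added example: not tcp_wrappers itself and
not the patch discussed in the thread.  All inputs are constructed."""
import fnmatch

# Constructed stand-in for /etc/hosts.allow.  Each entry is
# (daemon_list, client_list, action); the first matching rule wins, as in
# tcp_wrappers.  "include:<path>" is this toy's marker for a client list
# read from a file (assumption: the real patch uses a bare path).
HOSTS_ALLOW = [
    ("sshd", "include:/etc/ssh/ssh_hosts_allow", "allow"),
    ("sshd", "ALL", "deny"),
]

# Constructed contents of the included file.  Documentation-range address
# with a '?' wildcard in the last octet, and a hostname pattern with '*'.
INCLUDE_FILES = {
    "/etc/ssh/ssh_hosts_allow": (
        "# one-digit suffix only: 192.0.2.10 .. 192.0.2.19\n"
        "192.0.2.1? name*.domain.net\n"
    ),
}


def pattern_matches(pattern, host, addr):
    """True if one client pattern matches the connecting client.

    ALL matches everything.  Otherwise only '*' and '?' are meaningful
    (the ssh 1.2.12 wildcard style the post refers to); the pattern is
    tried against the reverse-DNS hostname and against the address.
    Hostnames are case-insensitive, so both sides are lower-cased."""
    if pattern == "ALL":
        return True
    pat = pattern.lower()
    return (fnmatch.fnmatchcase(host.lower(), pat)
            or fnmatch.fnmatchcase(addr, pat))


def expand_clients(field):
    """Turn a client_list field into a list of patterns, reading the
    include file (comments stripped) when the field names one."""
    if field.startswith("include:"):
        path = field[len("include:"):]
        patterns = []
        for line in INCLUDE_FILES.get(path, "").splitlines():
            line = line.split("#", 1)[0]          # drop comments
            patterns.extend(line.replace(",", " ").split())
        return patterns
    return field.replace(",", " ").split()


def decide(daemon, host, addr, rules=HOSTS_ALLOW):
    """Return 'allow' or 'deny' for a connection to `daemon` from a client
    whose reverse-DNS name is `host` and whose address is `addr`."""
    for rule_daemons, clients, action in rules:
        if daemon not in rule_daemons.split() and "ALL" not in rule_daemons.split():
            continue
        if any(pattern_matches(p, host, addr) for p in expand_clients(clients)):
            return action
    # tcp_wrappers grants access when no rule in either file matches; the
    # post's trailing "sshd: ALL : deny" is what turns sshd into deny-by-default.
    return "allow"


if __name__ == "__main__":
    for who in [("sshd", "unknown", "192.0.2.17"),
                ("sshd", "unknown", "192.0.2.170"),
                ("sshd", "name-02.domain.net", "198.51.100.7"),
                ("sshd", "names.domain.net.attacker.example", "198.51.100.9"),
                ("ftpd", "name-02.domain.net", "198.51.100.7")]:
        print(who, "->", decide(*who))
```

Two points the run makes visible: `192.0.2.1?` admits `192.0.2.17` but not `192.0.2.170`, because `?` consumes exactly one character, and `name*.domain.net` is anchored at both ends, so a hostname that merely contains `domain.net` somewhere in the middle is denied. The hostname half of a rule is only as trustworthy as the reverse lookup of the client address, which is why tcp_wrappers' forward/reverse consistency check (the `PARANOID` handling) belongs alongside any hostname-based allow list; an address-based pattern avoids that dependency entirely.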