Does OpenSSH have tcp_wrappers *built-in* or just compatibility?

Darren Tucker dtucker at
Sat May 4 14:22:03 EST 2002

Austin Gonyou wrote:
> Yeah..we thought about that..but it's really not *hard* enough. Since
> they will still have access to multiple other solaris boxes to be able
> to make portable binaries with and /tmp is useable by all. Though
> solaris ACLs would take care of that, it's not a good first step for our
> production environment. I think we are on the same wavelength though. :)
> On Fri, 2002-05-03 at 08:57, Darren Tucker wrote:
> > Austin Gonyou wrote:
> > > On solaris 8, that would probably be something we could do. We're
> > > looking into how we can limit specific users from being able to ssh
> > out
> > > of a box, and someone mentioned tcp_wrappers being built into OpenSSH.
> >
> > Assuming they can't copy their own binaries onto the box how about
> > "chgrp sshusers ssh; chmod o-rwx ssh"?

OK, how about this:

1) Install the real ssh setuid root, gid sshusers, mode 4110.

2) Set "UsePrivilegedPort" to "yes".

3) Arrange for a firewall/router/local packet filter to drop all
outbound tcp connections on port 22 with a source port >1023.

This will also defeat using a forwarder (like netcat) from an internal
ProxyCommand ssh gatewayhost nc externalhost 22

You could also mount /home, /tmp and /var noexec. This would stop
someone copying another ssh and getting an external server to run sshd
on another port (eg 443).

It'd be a lot easier to use "userdel" :-) Once you've got collusion on
both sides it's very hard to stop.


More information about the openssh-unix-dev mailing list