Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)

Darren Tucker dtucker at zip.com.au
Sat Apr 16 13:02:47 EST 2005


Bengt Svensson wrote:
> I have tried to update openssh-3.1p1 of our system that uses RH7.2 
> (Scyld). It is pretty much a standard Redhat 7.2 install with 
> openssl-0.9.6b, zlib-1.1.4 etc.
> 
> I have gotten openssh to work after some initial issues, but I still 
> have not been able to get openssh/sshd to work with tcp-wrappers.
> 
> I have in hosts.deny
> ALL: ALL:

That should be "ALL: ALL" without the trailing colon.

> and in hosts.allow
> ALL: localhost, 127.0.0.1, 192.168.1.
> and still I can connect with ssh from outside that allowed ip range. 
> tcp-wrapper is working, anything else but ssh is blocked. On another 
> machine that is running the same OS but with openssh-3.1p1 the blocking 
> works.

Are you using a tcpwrappers shipped with the OS (which will probably use 
/etc/hosts.{allow,deny}) or one built from source (which will probably use 
/usr/local/etc/hosts.{allow,deny})?

> What could be the problem? Why can't I block ssh logins?
> Can someone explain to me what is going on and how I can improve the 
> situation.
> 
> 
> I followed the instructions in the INSTALL file and compiled a 
> openssh-4.0p1 with the following options (to match the dirs of the 
> previous version). The configure output is attached.
> 
> $ ./configure --prefix= --sysconfdir=/etc/ssh 
> --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man 
> --with-tcp-wrappers -with-md5-passwords

You're missing a "-" in front of "--with-md5-passwords".

> To get things to work I had to perform the following steps that were not
> described in the INSTALL file. I wish the INSTALL file would have been 
> more thorough and mentioned this.

Those are documented in README.privsep.  Perhaps INSTALL should reference it?

[...]
> The previous version might have had PAM included, but when I add 
> -with-pam to configure, I get some more warnings at compile and an error 

That should be --with-pam, and building with it will require the PAM 
header files (i.e. the pam-devel package).

> of something like 'Unsupported option' when sshd is restarted and when I 
> have UsePAM yes in the sshd_config file.
> 
> Another issue I have found is that when enabling the 'MaxAuthTries 3' 
> option in sssh_config (as I have seen recommended) and restart sshd, I 

MaxAuthTries goes in sshd_config not ssh_config.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
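The two questions raised above (what the hosts.allow/hosts.deny rules quoted in the thread actually match, and what happens if the libwrap that sshd is linked against reads its tables from a directory where those files do not exist) can be checked with a small model of the tcp_wrappers evaluation order: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is permitted. The following is an added example, not code from OpenSSH or tcp_wrappers; it implements the documented rule order and the common client patterns (ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, net/mask, EXCEPT) and deliberately omits the options language, shell commands, KNOWN/UNKNOWN/PARANOID, daemon@host forms and reverse-DNS lookups (the hostname is taken as given). The file contents, host names and addresses are constructed for the example; the hosts.deny line uses the corrected "ALL: ALL" form.

```python
"""Minimal model of tcp_wrappers hosts_access() evaluation (added example)."""
import ipaddress
import re


def split_list(field):
    """A daemon or client list: items separated by blanks and/or commas."""
    return [tok for tok in re.split(r"[\s,]+", field.strip()) if tok]


def parse_table(text):
    """Parse hosts.allow/hosts.deny text into (daemon_list, client_list) rules.

    Fields are separated by ':'. Anything after the second field (a shell
    command or option list in real tcp_wrappers) is ignored by this model.
    Comments and blank lines are skipped; backslash continuation lines are joined.
    """
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule (need daemon_list : client_list): {line!r}")
        rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules


def daemon_match(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_match(pattern, hostname, ip):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any hostname without a dot
        return "." not in hostname
    if pattern.startswith("."):                 # ".lan" matches "ws7.lan"
        return hostname.endswith(pattern)
    if pattern.endswith("."):                   # "192.168.1." matches "192.168.1.7"
        return ip.startswith(pattern)
    if "/" in pattern:                          # "192.168.1.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == hostname or pattern == ip  # exact host name or address


def list_match(items, match):
    """'a b EXCEPT c d' matches if any of a,b matches and none of c,d does."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return list_match(items[:i], match) and not list_match(items[i + 1:], match)
    return any(match(item) for item in items)


def table_match(rules, daemon, hostname, ip):
    """First rule whose daemon list and client list both match wins."""
    for daemons, clients in rules:
        if list_match(daemons, lambda p: daemon_match(p, daemon)) and \
           list_match(clients, lambda p: client_match(p, hostname, ip)):
            return True
    return False


def hosts_access(allow_text, deny_text, daemon, hostname, ip):
    """Return (permitted, reason) using the tcp_wrappers evaluation order."""
    if table_match(parse_table(allow_text), daemon, hostname, ip):
        return True, "matched hosts.allow"
    if table_match(parse_table(deny_text), daemon, hostname, ip):
        return False, "matched hosts.deny"
    return True, "no rule matched (default is to permit)"


# Constructed sample files, following the rules quoted in the thread.
HOSTS_ALLOW = "ALL: localhost, 127.0.0.1, 192.168.1.\n"
HOSTS_DENY = "ALL: ALL\n"


def check(hostname, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Evaluate a connection to sshd (tcp_wrappers keys on the daemon name)."""
    return hosts_access(allow, deny, "sshd", hostname, ip)


if __name__ == "__main__":
    # Constructed client names/addresses (not from the original message).
    for host, ip in [("localhost", "127.0.0.1"),
                     ("ws7.lan", "192.168.1.7"),
                     ("remote.example", "10.0.0.5")]:
        ok, why = check(host, ip)
        print(f"{ip:>15} -> {'permit' if ok else 'deny':6} ({why})")
    # If sshd's libwrap looks for hosts.{allow,deny} in a directory where the
    # files are absent, both tables are empty and every client is permitted,
    # which reproduces the "ssh is not blocked" symptom:
    print(check("remote.example", "10.0.0.5", allow="", deny=""))
```

The last call is the case to rule out first when everything except ssh is wrapped correctly: a from-source tcp_wrappers and the OS-shipped one may disagree on where the tables live, and an sshd linked against the wrong libwrap sees empty tables, which the default-permit rule turns into unrestricted access.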