Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
Bengt Svensson
bsven at msi.umn.edu
Tue Apr 19 11:48:01 EST 2005
I am sorry I made a couple of typos in my post. See below for
corrections.
On Sat, 16 Apr 2005, Darren Tucker wrote:
> Bengt Svensson wrote:
>> I have tried to update openssh-3.1p1 of our system that uses RH7.2
>> (Scyld). It is pretty much a standard Redhat 7.2 install with
>> openssl-0.9.6b, zlib-1.1.4 etc.
>>
>> I have gotten openssh to work after some initial issues, but I still have
>> not been able to get openssh/sshd to work with tcp-wrappers.
>>
>> I have in hosts.deny
>> ALL: ALL:
>
The actual line is "ALL: ALL". I made a typo.
> That should be "ALL: ALL" without the trailing colon.
>
>> and in hosts.allow
>> ALL: localhost, 127.0.0.1, 192.168.1.
>> and still I can connect with ssh from outside that allowed ip range.
>> tcp-wrapper is working, anything else but ssh is blocked. On another
>> machine that is running the same OS but with openssh-3.1p1 the blocking
>> works.
>
> Are you using a tcpwrappers shipped with the OS (which will probably use
> /etc/hosts.{allow,deny}) or one built from source (which will probably use
> /usr/local/etc/hosts.{allow,deny})?
>
I use the tcpwrappers that shipped with the OS. The file
hosts.{allow,deny} are in /etc. And they work in blocking everything but
ssh, for example access to sendmail is blocked.
I tried to put copies of the hosts.{allow,deny} in /usr/local/etc in case
openssh-4.0p1 would be looking for the files there, but that did not help.
>> What could be the problem? Why can't I block ssh logins?
>> Can someone explain to me what is going on and how I can improve the
>> situation.
>>
>>
>> I followed the instructions in the INSTALL file and compiled a
>> openssh-4.0p1 with the following options (to match the dirs of the
>> previous version). The configure output is attached.
>>
>> $ ./configure --prefix= --sysconfdir=/etc/ssh
>> --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man
>> --with-tcp-wrappers -with-md5-passwords
>
> You're missing a "-" in front of "--with-md5-passwords".
>
I meant "--", I made a typo.
>> To get things to work I had to perform the following steps that were not
>> described in the INSTALL file. I wish the INSTALL file would have been
>> more thorough and mentioned this.
>
> Those are documented in README.privsep. Perhaps INSTALL should reference it?
>
> [...]
It certainly would be useful for newbies and others as well to have more
detailed instructions.
>> The previous version might have had PAM included, but when I add -with-pam
>> to configure. I get some more warnings at compile and an error
>
> That should be --with-pam, and building with it will require the PAM header
> files (ie the pam-devel package).
>
I had "--with-pam", I made a typo in the message.
I have the rpm for the pam-devel package installed, but still have the
problems with PAM. Do I need to specify some directories? The INSTALL did
not state that it was necessary. The configure script seems to find PAM.
$ ./configure ..... | grep pam
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for pam_set_item in -lpam... yes
checking for pam_getenvlist... yes
checking for pam_putenv... yes
checking whether pam_strerror takes only one argument... no
This is the end part of the output from ./configure
OpenSSH has been configured with the following options:
User binaries: /bin
System binaries: /sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/openssh/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
KerberosV support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
libedit support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
Linker flags:
Libraries: -lwrap -lpam -ldl -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
>> of something like 'Unsupported option' when sshd is restarted and when I
>> have UsePAM yes in the sshd_config file.
>>
>> Another issue I have found is that when enabling the 'MaxAuthTries 3'
>> option in sssh_config (as I have seen recommended) and restart sshd, I
>
> MaxAuthTries goes in sshd_config not ssh_config.
>
I made another typo. I meant the sshd_config file.
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
Now that the problem with the typos has been clarified, any suggestions why
openssh-4.0p1 will not work with tcpwrappers? What else could I have
missed? How can I troubleshoot this further?
My purpose for installing openssh-4.0p1 replacing openssh-3.1p1 is to
improve security. However, since I cannot get the tcpwrappers to work with
openssh-4.0p1 on our RH7.2 (Scyld) system, I may be better off reverting
back to openssh-3.1p1 where tcpwrappers works.
I'll appreciate any comments or suggestions.
Thanks,
Bengt Svensson
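The thread turns on how tcp_wrappers evaluates /etc/hosts.allow and /etc/hosts.deny for sshd. The following is an added example, not code from the thread, from OpenSSH or from the tcp_wrappers library: a small Python model of the documented hosts_access(5) decision order (a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted). The two rule texts are constructed to mirror the files described in the post; the daemon name, client addresses and hostnames fed to it are made up for the demonstration, and EXCEPT clauses, netmasks and the optional shell-command field are out of scope.

```python
"""Simplified evaluator for tcp_wrappers hosts.allow / hosts.deny rules.

Added example (not tcp_wrappers' own code). Models hosts_access(5):
  1. a matching rule in hosts.allow  -> access granted
  2. a matching rule in hosts.deny   -> access refused
  3. no rule matches anywhere        -> access granted (permissive default)
Supported client patterns: ALL, exact IP, exact hostname, a trailing-dot
network prefix such as 192.168.1., and a leading-dot domain suffix.
"""

# Constructed rule files that mirror the ones described in the post.
HOSTS_ALLOW = """
ALL: localhost, 127.0.0.1, 192.168.1.
"""

HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) tuples.

    Each rule is 'daemon_list : client_list [: shell_command]'; any third
    field is accepted and ignored here, comments and blank lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = [d for d in (x.strip() for x in fields[0].split(",")) if d]
        clients = [c for c in (x.strip() for x in fields[1].split(",")) if c]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip, client_name):
    """Match one client pattern against the connecting host."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern.endswith("."):          # network prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    if pattern.startswith("."):        # domain suffix, e.g. .example.com
        return client_name.lower().endswith(pattern)
    return pattern in (client_ip, client_name.lower())


def daemon_matches(pattern, daemon):
    return pattern.lower() == "all" or pattern == daemon


def rule_matches(rule, daemon, client_ip, client_name):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip, client_name) for c in clients))


def hosts_access(daemon, client_ip, client_name, allow_text, deny_text):
    """Return 'allow' or 'deny' for one connection attempt."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip, client_name):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip, client_name):
            return "deny"
    return "allow"  # no rule matched: tcp_wrappers lets the connection through


if __name__ == "__main__":
    # Constructed client endpoints for the demonstration.
    cases = [
        ("sshd", "192.168.1.7", "node7"),          # inside the allowed prefix
        ("sshd", "127.0.0.1", "localhost"),        # loopback
        ("sshd", "10.0.0.5", "outside.example"),   # outside: hosts.deny applies
    ]
    for daemon, ip, name in cases:
        print(daemon, ip, hosts_access(daemon, ip, name, HOSTS_ALLOW, HOSTS_DENY))
    # With an empty hosts.deny the permissive default wins, which is also the
    # outcome when a daemon never consults the files at all.
    print("empty hosts.deny:", hosts_access("sshd", "10.0.0.5", "x", HOSTS_ALLOW, ""))
```

The last case is the point to keep in mind when the files look right but sshd still accepts outside connections: the rules only take effect if the daemon actually consults them. A quick check is that `ldd` on the sshd binary lists libwrap (the "Libraries: -lwrap ..." line in the configure summary above says it should) and that the running sshd is the newly built one rather than a leftover from the old package; `tcpdmatch sshd <address>`, which ships with tcp_wrappers, then reports how the real library would decide for a given client.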