Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)

Bengt Svensson bsven at
Tue Apr 19 11:48:01 EST 2005

I am sorry I made a couple of typo's in my post. See below for 

On Sat, 16 Apr 2005, Darren Tucker wrote:

> Bengt Svensson wrote:
>> I have tried to update openssh-3.1p1 of our system that uses RH7.2 
>> (Scyld). I is pretty much a standard Redhat 7.2 install with 
>> openssl-0.9.6b, zlib-1.1.4 etc.
>> I have gotten openssh to work after some initial issues, but I still have 
>> not been able to get openssh/sshd to work with tcp-wrappers.
>> I have in hosts.deny
>> ALL: ALL:

The acctual line is "ALL: ALL" I made a typo.

> That should be "ALL: ALL" without the trailing colon.
>> and in hosts.allow
>> ALL: localhost,, 192.168.1.
>> and still I can connect with ssh from outside that allowed ip range. 
>> tcp-wrapper is working, anything else but ssh is blocked. On another 
>> machine that is running the same OS but with openssh-3.1p1 the blocking 
>> works.
> Are you using a tcpwrappers shipped with the OS (which will probably use 
> /etc/hosts.{allow,deny}) or one built from source (which will probably use 
> /usr/local/etc/hosts.{allow,deny})?

I use the tcpwrappers that shipped with the OS. The file 
hosts.{allow,deny} are in /etc. And they work in blocking everything but 
ssh, for example access to sendmail is blocked.
I tried to put copies of the hosts.{allow,deny} in /usr/local/etc in case 
openssh-4.0p1 would be looking for the files there, but that did not help.

>> What could be the problem? Why can't I block ssh logins?
>> Can someone explain to me what is going on and how I can improve the 
>> situation.
>> I followed the instructions in the INSTALL file and compiled a 
>> openssh-4.0p1 with the following options (to match the dirs of the 
>> previous version). The configure out put is attached.
>> $ ./configure --prefix= --sysconfdir=/etc/ssh 
>> --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man 
>> --with-tcp-wrappers -with-md5-passwords
> 	You're missing a "-" in front of "--with-md5-passwords".

I meant "--", I made a typo.

> > To get things to work I had to perform the following steps that were not
>> described in the INSTALL file. I wish the INSTALL file would have been 
>> more thurough and mentioned this.
> Those are documented in README.privsep.  Perhaps INSTALL should reference it?
> [...]

It certainly would be useful for newbies and others as well to have more 
detailed instructions.

>> The previous version might have had PAM included, but when I add -with-pam 
>> to configure. I get some more warnings at compile and an error 
> That should be --with-pam, and building with it will require the PAM header 
> files (ie the pam-devel package).

I had "--with-pam", I made a typo in the message.

I have the rpm for the pam-devel package installed, but still have the 
problems with PAM. Do I need to specify some directories? The INSTALL did 
not state that it was necessary. The configure script seems to find PAM.
$ ./configure ..... | grep pam
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for pam_set_item in -lpam... yes
checking for pam_getenvlist... yes
checking for pam_putenv... yes
checking whether pam_strerror takes only one argument... no

This is the end part of the output from ./configure

OpenSSH has been configured with the following options:
                      User binaries: /bin
                    System binaries: /sbin
                Configuration files: /etc/ssh
                    Askpass program: /usr/libexec/openssh/ssh-askpass
                       Manual pages: /usr/share/man/manX
                           PID file: /var/run
   Privilege separation chroot path: /var/empty
             sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                     Manpage format: doc
                        PAM support: yes
                  KerberosV support: no
                  Smartcard support: no
                      S/KEY support: no
               TCP Wrappers support: yes
               MD5 password support: yes
                    libedit support: no
        IP address in $DISPLAY hack: no
            Translate v4 in v6 hack: yes
                   BSD Auth support: no
               Random number source: OpenSSL internal ONLY

               Host: i686-pc-linux-gnu
           Compiler: gcc
     Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
       Linker flags:
          Libraries: -lwrap -lpam -ldl -lresolv -lcrypto -lutil -lz -lnsl -lcrypt

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/

>> of something like 'Unsupported option' when sshd is restarted and when I 
>> have UsePAM yes in the sshd_config file.
>> Another issue I have found is that when enableing the 'MaxAuthTries 3' 
>> option in sssh_config (as I have seen recommended) and restart sshd, I 
> MaxAuthTries goes in sshd_config not ssh_config.

I made another typo. I meant the sshd_config file.

> -- 
> Darren Tucker (dtucker at
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

Once the problem with the typo's has been clarified. Any suggestions why 
openssh-4.0p1 will not work with tcpwrappers? What else could I have 
missed? How can I troubelshoot this further?

My purpose for installing openssh-4.0p1 replacing openssh-3.1p1 is to 
improve security. However, since I cannot get the tcpwrappers to work with 
openssh-4.0p1 on our RH7.2 (Scyld) system. I may be better off reverting 
back to openssh-3.1p1 where tcpwrappers works.

I'll appreciate any comments or suggestions.

 	Bengt Svensson

More information about the openssh-unix-dev mailing list