Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
Darren Tucker
dtucker at zip.com.au
Wed Apr 20 00:16:12 EST 2005
Dan Yefimov wrote:
> On Mon, 18 Apr 2005, Bengt Svensson wrote:
>>Once the problem with the typo's has been clarified. Any suggestions why
>>openssh-4.0p1 will not work with tcpwrappers? What else could I have
>>missed? How can I troubelshoot this further?
>
> It doesn't work since while using privilege separation unprivileged part
> interacting with a client and checking access premissions runs in a chroot'ed
> environment where /etc/hosts.{allow,deny} don't exist.
That is not correct. The tcpwrappers check is immediately after the
connection is accepted and before pre-auth privsep starts, and works
fine with privsep.
> Generally speaking, privilege separation breaks many things,
> which was noticed many times on this list by different people, so unless you
> absolutely need it disable it.
That's also bad advice. If you have a problem with privsep then *report
it* so it can be fixed if possible, and only disable it if it's
necessary (which, in most cases, it's not).
Disabling privsep unilaterally is akin to removing the seatbelts and
airbags from your car because you don't think you need them (right up to
the point when there's a crash, that is, then they may save you).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list