Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)

Darren Tucker dtucker at
Wed Apr 20 00:16:12 EST 2005

Dan Yefimov wrote:
> On Mon, 18 Apr 2005, Bengt Svensson wrote:
>>Once the problem with the typo's has been clarified. Any suggestions why 
>>openssh-4.0p1 will not work with tcpwrappers? What else could I have 
>>missed? How can I troubelshoot this further?
> It doesn't work since while using privilege separation unprivileged part 
> interacting with a client and checking access premissions runs in a chroot'ed 
> environment where /etc/hosts.{allow,deny} don't exist.

That is not correct.  The tcpwrappers check is immediately after the 
connection is accepted and before pre-auth privsep starts, and works 
fine with privsep.

> Generally speaking, privilege separation breaks many things, 
> which was noticed many times on this list by different people, so unless you 
> absolutely need it disable it.

That's also bad advice.  If you have a problem with privsep then *report 
it* so it can be fixed if possible, and only disable it if it's 
necessary (which, in most cases, it's not).

Disabling privsep unilaterally is akin to removing the seatbelts and 
airbags from your car because you don't think you need them (right up to 
the point when there's a crash, that is, then they may save you).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list