SSH Frequently Asked Questions
I'm trying to use TCP wrappers (libwrap), but it doesn't work.
Compile SSH with libwrap (configure --with-libwrap[=path]).
Note that using SSH TCP-wrappers support does not involve using the program tcpd, even if you are starting sshd from inetd. tcpd is a wrapper for programs that don't use libwrap; the SSH code calls the libwrap routines to make the access checks itself.
libwrap is always in use if sshd was compiled with libwrap support; it can't be turned off. This means that you must have a libwrap configuration (/etc/hosts.{allow,deny}) which allows SSH connections in order for sshd to work properly. Missing or empty files are equivalent to no blocks, that is, all connections allowed.
Read the relevant man pages carefully: hosts_access(5) and hosts_options(5). The rules are order-dependent and can be tricky to get right. Start with a simple configuration that works, then extend it a bit at a time, testing as you go.
Another gotcha is naming screwups. If you use names instead of addresses in the libwrap control files, then be sure those names correspond to the correct addresses. For example, here's an /etc/hosts file with a common mistake:
#
# /etc/hosts -- Internet host table
#
127.0.0.1    fred.flintstone.org localhost
192.168.10.1 fred.flintstone.org fred

The mistake is including fred.flintstone.org on the line with the loopback address (127.0.0.1), and worse, making it the first entry. Suppose you have TCP-wrapper rules like this:
#
# /etc/hosts.allow
#
daemon : localhost : ALLOW
ALL : ALL : DENY

This is supposed to limit access to the "daemon" service to connections from the loopback address. But when the checking program looks up the name corresponding to the loopback address, it will get "fred.flintstone.org" instead of "localhost", and the connection will be denied by this configuration.
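To make the failure above concrete, here is an added example (not from the FAQ or from the tcp_wrappers code) that models a simplified hosts_access(5)/hosts_options(5) evaluation: first matching rule wins, the client name comes from a reverse lookup of the address, and the lookup is simulated from a constructed /etc/hosts table (first name on the line wins). The tables, rule text and function names are assumptions for the demonstration.

```python
import ipaddress

# Constructed /etc/hosts tables standing in for the resolver (assumption:
# the first name listed for an address is what gethostbyaddr() returns).
HOSTS_BAD = """\
127.0.0.1    fred.flintstone.org localhost
192.168.10.1 fred.flintstone.org fred
"""
HOSTS_GOOD = """\
127.0.0.1    localhost
192.168.10.1 fred.flintstone.org fred
"""
# The rule set from the FAQ text, using hosts_options(5) ALLOW/DENY.
RULES = """\
daemon : localhost : ALLOW
ALL : ALL : DENY
"""

def reverse_lookup(hosts_text, addr):
    """Return the first name listed for addr; fall back to the address."""
    for line in hosts_text.splitlines():
        fields = line.split('#', 1)[0].split()
        if fields and fields[0] == addr:
            return fields[1]
    return addr

def client_matches(pattern, name, addr):
    """Simplified client patterns: ALL, net/mask, or an exact name/address."""
    if pattern == 'ALL':
        return True
    if '/' in pattern:  # e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == name or pattern == addr

def hosts_access(rules_text, hosts_text, daemon, addr):
    """Evaluate rules top to bottom; True means the connection is allowed."""
    name = reverse_lookup(hosts_text, addr)
    for line in rules_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(':')]
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2].upper() if len(fields) > 2 else 'ALLOW'
        if (daemon in daemons or 'ALL' in daemons) and \
           any(client_matches(p, name, addr) for p in clients):
            return option == 'ALLOW'
    return True  # no rule matched: access granted

if __name__ == '__main__':
    for label, hosts in (('bad', HOSTS_BAD), ('good', HOSTS_GOOD)):
        print(label, reverse_lookup(hosts, '127.0.0.1'),
              'allowed' if hosts_access(RULES, hosts, 'daemon', '127.0.0.1') else 'denied')
```

With the bad table the loopback client resolves to fred.flintstone.org and falls through to the DENY rule; with the corrected table it resolves to localhost and is allowed. The real tcp_wrappers distribution ships tcpdmatch(8) for checking a rule set the same way against the live resolver.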
Here is a sample hosts.allow file:

#
# /etc/hosts.allow
#
# network access control for programs invoked by tcpd (see inetd.conf) or
# using libwrap. See hosts_access(5) and hosts_options(5).

# restrict X forwarding access to this host
# (not available in OpenSSH)
sshdfwd-x11 : localhost this.host.net
sshdfwd-x11 : ALL : DENY

# otherwise, allow all connections from my networks or loopback
ALL : 192.168.1.0/255.255.255.0 \
      192.168.2.0/255.255.255.0 \
      localhost

# allow connections to these services from anywhere
# (the names are those of the running daemons; that is, their argv[0]
# values)
ipop3d sshd1 sshd2 sshd : ALL

# allow remote access to port 2001 from host remote.domain.net, when
# forwarded by SSH with -g (not available in OpenSSH)
sshdfwd-2001 : remote.domain.net

# deny everything else
ALL : ALL : DENY