On 12/23/18 11:39 AM, Hubert Garavel wrote:
> By default, support for TCP wrappers was removed from OpenSSH, unless
> it is compiled with the proper option. This seems to be indeed the case
> for OI's sshd:
>
> # ldd /usr/lib/ssh/sshd
> libwrap.so.1 => /usr/lib/64/libwrap.so.1
>
> However, after setting "/etc/hosts.deny" to "ALL: ALL" and
> "/etc/hosts.allow" to a single line "sendmail: localhost",
> sshd still accepts incoming connections from other hosts,
> whereas such incoming SSH connections should be blocked by
> the TCP wrappers.
>
> Any idea?

Hello Hubert,
looking at the patch which restores tcp-wrapper support in OpenSSH
(upstream removed it in v6.7), it seems to me that tcp-wrapper is used
only when sshd was started via inetd. Did you try that? (As I don't know
how to do that, I can't verify this assumption.)
Is anyone using tcp-wrapper support in OpenSSH?
Unless someone speaks up, I am inclined to remove the tcp-wrapper
support restoration patch (as OmniOS did).
Michal
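
The decision that hosts_access(5) rule evaluation gives for the configuration quoted above, as an added example that is not part of the original messages. It is a simplified evaluator (only the ALL wildcard and exact names are supported) run on constructed copies of the two files; it models the rule files only, not whether a given sshd build consults them.

```python
# Constructed copies of the two files as described in the thread.
HOSTS_ALLOW = "sendmail: localhost\n"
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)   # daemon_list : client_list [: command]
        if len(fields) < 2:
            continue                  # malformed line, ignored in this sketch
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def _in_list(patterns, name):
    # Simplification: only the ALL wildcard and exact case-insensitive names.
    return any(p.lower() in ("all", name.lower()) for p in patterns)

def matches(rules, daemon, client):
    return any(_in_list(d, daemon) and _in_list(c, client) for d, c in rules)

def decide(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: allow file first, then deny file, else grant."""
    if matches(parse_rules(allow_text), daemon, client):
        return "allow"
    if matches(parse_rules(deny_text), daemon, client):
        return "deny"
    return "allow"

if __name__ == "__main__":
    # 198.51.100.7 is a constructed documentation address.
    for daemon, client in [("sshd", "198.51.100.7"), ("sendmail", "localhost")]:
        print(daemon, client, decide(daemon, client))
```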