tcpwrappers & SSH

doug doug at fledge.watson.org
Wed Oct 25 19:23:40 UTC 2006



On Wed, 25 Oct 2006, Eric Schuele wrote:

> On 10/25/06 09:56, Paul Schmehl wrote:
>> --On Wednesday, October 25, 2006 12:08:26 +0400 ????? ??????? 
>> <rihad at mail.ru> wrote:
>> 
>>> A comment in /etc/hosts.allow states that:
>>> Wrapping sshd(8) is not normally a good idea
>>> 
>>> Why? Is it because such restrictions should naturally be made using a
>>> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
>>> been built with libwrap support in the first place. Or?
>>> 
>> Because maintaining the access list can be quite ponderous if you have a 
>> lot of users.
>> 
>> I maintain a hobby website that only has two shell accounts.  I use 
>> hosts.allow for ssh because it gets rid of the brute-force crap.  But even 
>> for two users, the list of hosts/networks that are allowed is 10 or 15. 
>> Imagine what it would be if you have a hundred users...or a thousand.
>
> Viewed from a slightly different angle...
>
> If you are responsible for maintaining machine xyz, and you have used 
> tcpwrappers... chances are you'll eventually need access to that machine from 
> a location you did not previously expect.  Maybe you're sitting in the airport 
> and get a call that the machine is malfunctioning.  Maybe you are on call at 
> a social gathering.  In any case, you'll need access and if it is using 
> tcpwrappers, you may not gain access.
>
> IMHO, other than the problem with needing "emergency" access, I think 
> tcpwrappers is a good thing.  I use them on my laptop for example.  As Paul 
> mentions, it gets rid of the constant hammering you would normally be subject 
> to, and I can still access it from the office or home.
>

This could be easily done in sshd_config if the order of processing the 
AllowUsers and DenyUsers directives was optional. It is not; DenyUsers takes 
precedence over AllowUsers. This effectively eliminates denying access using a 
pattern.

It looks pretty easy to just switch this in the code, but the "right" way to do 
it would be to add an apache-like directive order, e.g. "order deny,allow". 
Perhaps there is something in the protocols that would disallow this function.


More information about the freebsd-questions mailing list
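The two access-control models the thread compares, as an added example that is not part of the original post and is not sshd or libwrap code. It models what the manual pages document: sshd_config(5) evaluates DenyUsers before AllowUsers, a DenyUsers match is final, and when AllowUsers is set a login must match it (patterns are USER or USER@HOST with `*` and `?` wildcards); hosts_access(5) rules are "daemon : client list : allow|deny", first match wins, and a connection no rule matches is allowed. DenyGroups/AllowGroups, the EXCEPT operator and hosts.deny are left out as a simplification, and every user, host and address below is constructed for the example.

```python
"""Constructed model of sshd_config AllowUsers/DenyUsers ordering versus
tcpwrappers first-match hosts.allow rules.  Not sshd or libwrap code."""
import fnmatch
import ipaddress


# ---- sshd_config AllowUsers / DenyUsers ---------------------------------

def ssh_pattern_match(pattern, user, host, addr):
    """Match one USER or USER@HOST pattern against a login attempt.
    The HOST part matches either the client's hostname or its address."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        host_ok = fnmatch.fnmatchcase(host, hpat) or fnmatch.fnmatchcase(addr, hpat)
        return fnmatch.fnmatchcase(user, upat) and host_ok
    return fnmatch.fnmatchcase(user, pattern)


def sshd_decide(deny_users, allow_users, user, host, addr):
    """Fixed order per sshd_config(5): DenyUsers first (a match is final),
    then AllowUsers, which must match if it is set at all."""
    if any(ssh_pattern_match(p, user, host, addr) for p in deny_users):
        return "deny"
    if allow_users and not any(ssh_pattern_match(p, user, host, addr) for p in allow_users):
        return "deny"
    return "allow"


# ---- tcpwrappers hosts.allow ---------------------------------------------

def parse_hosts_allow(text):
    """Parse 'daemon : client, client : allow|deny' lines into rule tuples,
    skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, clients, action = (f.strip() for f in line.split(":", 2))
        rules.append((daemon, [c.strip() for c in clients.split(",")], action))
    return rules


def wrapper_client_match(pattern, host, addr):
    """Subset of hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .example.org
        return host.endswith(pattern)
    if pattern.endswith("."):            # address prefix, e.g. 10.0.
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, dotted mask or prefix length
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)       # exact hostname or address


def wrapper_decide(rules, daemon, host, addr):
    """First matching rule wins; a connection no rule matches is allowed."""
    for dpat, clients, action in rules:
        if dpat not in ("ALL", daemon):
            continue
        if any(wrapper_client_match(c, host, addr) for c in clients):
            return action
    return "allow"


# Constructed policy: office users only from 10.0.0.0/24 or *.example.org,
# everyone else refused.  Note there is no way to say "doug from anywhere"
# here: the wrapper never sees the user name.
HOSTS_ALLOW = """
sshd : 10.0.0.0/255.255.255.0, .example.org : allow
sshd : ALL : deny        # first match wins, so this must come last
"""

if __name__ == "__main__":
    rules = parse_hosts_allow(HOSTS_ALLOW)
    attempts = [("doug", "laptop.airport.example.net", "203.0.113.7"),
                ("alice", "pc1.example.org", "10.0.0.5"),
                ("alice", "evil.example.net", "198.51.100.9")]
    for user, host, addr in attempts:
        # "Deny by pattern, then allow exceptions": DenyUsers wins, so even
        # doug is refused from everywhere.
        deny_first = sshd_decide(["*"], ["doug", "*@10.0.0.*"], user, host, addr)
        # The same intent expressed with AllowUsers alone.
        allow_only = sshd_decide([], ["doug", "*@10.0.0.*"], user, host, addr)
        wrapped = wrapper_decide(rules, "sshd", host, addr)
        print(f"{user} from {addr}: deny-first={deny_first} "
              f"allow-only={allow_only} hosts.allow={wrapped}")
```

Run as a script it prints one line per constructed attempt; the "deny-first" column is all deny, which is the precedence problem the post describes, while the "hosts.allow" column shows the first-match behaviour that locks the admin out from an unexpected address.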