tcpwrappers & SSH
Eric Schuele
e.schuele at computer.org
Wed Oct 25 19:35:41 UTC 2006
On 10/25/2006 14:13, Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 13:58:27 -0500 Eric Schuele
> <e.schuele at computer.org> wrote:
>>
>> Viewed from a slightly different angle...
>>
>> If you are responsible for maintaining machine xyz, and you have used
>> tcpwrappers... chances are you'll eventually need access to that machine
>> from a location you did not previously expect. Maybe you're sitting in the
>> airport and get a call that the machine is malfunctioning. Maybe you are
>> on call at a social gathering. In any case, you'll need access and if it
>> is using tcpwrappers, you may not gain access.
>>
> This is *definitely* something that you need to think through. I have
> two machines at work that are always on, so I can always ssh to them
> first, then to the server and edit the /etc/hosts.allow file to give
> myself temporary access, if needed. In general, I prefer to go through
> those hosts, rather than open another avenue that I may later forget to
> remove. Since everything I do on those servers (almost) is through ssh,
> it's not a problem for me to need an extra "hop" before I get to the box.

I'm confused. I was agreeing with you. I was simply adding another
reason as to why the author of the "Wrapping sshd(8) is not normally a
good idea" comment might have made the comment.

Are you saying that my comment above is incorrect? Or that there is a
suitable workaround for the problem in my example scenario?

I also agree that using a jump box to gain access to the machine in
question would work.

I think I've somehow missed your point. Please explain.

>
> Paul Schmehl (pauls at utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
--
Regards,
Eric
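
The thread mentions giving yourself temporary access in /etc/hosts.allow and the risk of forgetting to remove it. The following is an added example, not part of the original messages: a shell sketch that tags a temporary sshd entry with an expiry time and purges expired entries. The marker format, function names and IPv4-only check are assumptions of this example; it relies on the first-match-wins behaviour of FreeBSD's hosts.allow.

```shell
#!/bin/sh
# Added example: temporary sshd entries in a tcpwrappers hosts.allow file.
# The "# TEMP-SSH expires=<epoch>" marker line is a convention invented
# for this example; libwrap itself just ignores it as a comment.

# add_temp_ssh FILE ADDRESS TTL_SECONDS [NOW_EPOCH]
# Prepends the rule so it is matched before any later "sshd : ALL : deny".
add_temp_ssh() {
    file=$1 addr=$2 ttl=$3 now=${4:-$(date +%s)}
    # Accept only digits and dots (IPv4 literal) so a typo, wildcard or
    # embedded newline cannot smuggle in a broader rule.
    case $addr in
        *[!0-9.]*|'') echo "refusing address: $addr" >&2; return 1 ;;
    esac
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    {
        printf '# TEMP-SSH expires=%s\n' "$((now + ttl))"
        printf 'sshd : %s : allow\n' "$addr"
        cat "$file"
    } > "$tmp" &&
        chmod 644 "$tmp" &&   # assumes the usual world-readable mode
        mv "$tmp" "$file"     # rename so readers never see a partial file
}

# purge_temp_ssh FILE [NOW_EPOCH]
# Removes every marker line whose expiry has passed, plus the rule line
# that immediately follows it. Unexpired entries and all other rules stay.
purge_temp_ssh() {
    file=$1 now=${2:-$(date +%s)}
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v now="$now" '
        skip { skip = 0; next }                 # rule line after expired marker
        /^# TEMP-SSH expires=[0-9]+$/ {
            split($0, kv, "=")
            if (kv[2] + 0 <= now) { skip = 1; next }
        }
        { print }
    ' "$file" > "$tmp" &&
        chmod 644 "$tmp" &&
        mv "$tmp" "$file"
}
```

Running `purge_temp_ssh /etc/hosts.allow` periodically (for example from cron) removes entries whose expiry has passed without touching the permanent rules.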
More information about the freebsd-questions mailing list