hosts.allow ?

Wes Santee wsantee at gmail.com
Sun Mar 19 17:45:39 UTC 2006


Karol Kwiatkowski wrote:
> Gerard Seibert wrote:
>> Chris Maness wrote:
>>
>>> Also, sshd can't be started in rc.conf, it has to be started in
>>> inetd.conf.  Make sure you do a /etc/rc.d/inetd restart after you
>>> make changes.
>> Just out of curiosity, why can 'sshd' not be started from the 
>> '/etc/rc.conf' file?
> 
> Because Chris wants to limit sshd's connections with the 'hosts.allow'
> thing. Correct me if I'm wrong, but my understanding is that inetd will
> start the ssh daemon every time a new connection is made, and that's why
> it's not recommended (as written in the default hosts.allow file). The
> alternative is running sshd as a daemon and limiting connections with,
> say, pf's overload, max-src-conn and max-src-conn-rate.

I'm not sure this is correct.  If you read sshd(8), you'll see in the
FILES section that sshd will read /etc/hosts.allow and /etc/hosts.deny
on its own (i.e. it's compiled/linked with libwrap).  Looking at
/usr/src/crypto/openssh/Makefile.in for the sshd target verifies this.

That's not to say that some work to sshd isn't required to get it to
work outside of inetd.conf.  After hosts.allow is updated, you may need
to send a persistent sshd daemon a HUP to re-read config files, or
something along those lines.  I'm not familiar with whether or not the
functions in libwrap automatically detect changes to the hosts.allow
file, or it's read only when the initialize routines in the library are
called.

Cheers,
-Wes
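The thread turns on how libwrap decides whether a connecting client may reach sshd. The following is an added example, not code from the thread or from OpenSSH/tcp_wrappers: a simplified evaluator of the matching rules described in hosts_access(5), in the FreeBSD single-file extended form (`daemon_list : client_list : allow|deny`), covering ALL, exact names and addresses, leading-dot domain suffixes, trailing-dot address prefixes, IPv4 net/mask pairs and EXCEPT. The sample table and client addresses are constructed for the demonstration. As in hosts_access(5), the first matching rule wins and a client that matches nothing is granted access, which is why an explicit `sshd : ALL : deny` at the end of the sshd block matters.

```python
"""Simplified hosts_access(5) evaluator (added example, not from the thread).

Supports the FreeBSD extended single-file syntax:
    daemon_list : client_list [EXCEPT client_list] : allow|deny
Client patterns: ALL, LOCAL, exact host or address, '.domain' suffix,
'n.n.n.' address prefix, and 'n.n.n.n/m.m.m.m' net/mask pairs.
Daemon patterns: ALL or the daemon's process name (daemon@host unsupported).
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    excepts: List[str]
    action: str  # "allow" or "deny"


def parse_rules(text: str) -> List[Rule]:
    """Parse a hosts.allow table; handles comments and backslash continuations."""
    rules: List[Rule] = []
    logical = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#") and not logical:
            continue                       # whole-line comment
        if raw.endswith("\\"):             # line continues on the next one
            logical += raw[:-1] + " "
            continue
        logical += raw
        line, logical = logical.strip(), ""
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        toks = fields[1].split()
        if "EXCEPT" in toks:
            i = toks.index("EXCEPT")
            clients, excepts = toks[:i], toks[i + 1:]
        else:
            clients, excepts = toks, []
        rules.append(Rule(fields[0].split(), clients, excepts, fields[2].lower()))
    return rules


def match_client(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against the client's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                  # hostname without a dot
        return "." not in host
    if pattern.startswith("."):             # domain suffix, e.g. .example.org
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):               # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                      # net/mask pair, e.g. 10.0.0.0/255.0.0.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern.lower() == host.lower() or pattern == addr


def hosts_access(rules: List[Rule], daemon: str, host: str, addr: str) -> bool:
    """Return True if access is granted: first matching rule wins, no match grants."""
    for r in rules:
        if not any(p == "ALL" or p == daemon for p in r.daemons):
            continue
        if not any(match_client(p, host, addr) for p in r.clients):
            continue
        if any(match_client(p, host, addr) for p in r.excepts):
            continue
        return r.action == "allow"
    return True


# Constructed sample table in the style of FreeBSD's /etc/hosts.allow.
SAMPLE_TABLE = """\
# management subnet and the corporate /8, minus one revoked jump host
sshd : 192.168.1. : allow
sshd : 10.0.0.0/255.0.0.0 EXCEPT 10.9.8.7 : allow
sshd : .example.org : allow
sshd : ALL : deny
ALL : ALL : allow
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_TABLE)
    for daemon, host, addr in [("sshd", "unknown", "10.1.2.3"),
                               ("sshd", "unknown", "10.9.8.7"),
                               ("sshd", "bastion.example.org", "203.0.113.5"),
                               ("sshd", "unknown", "198.51.100.1"),
                               ("ftpd", "unknown", "198.51.100.1")]:
        verdict = "allow" if hosts_access(rules, daemon, host, addr) else "deny"
        print(f"{daemon:5} {addr:15} {host:20} -> {verdict}")
```

Because the evaluator takes the table text as input, it reflects whatever is on disk at the moment it is called; nothing here caches rules across connections, which is the behaviour to check for in any real wrapper before assuming a daemon must be signalled to pick up an edited hosts.allow.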
