Re: [suse-security] PAM and tcp wrappers
hello

what you are referring to is the vanilla config of tcpd, i use it, everyone uses that. i'm not saying that. servers without tcpd are unthinkable.. almost. xinetd promises to phase it out, but the point i'm making is to filter it after the login process runs. the client should never know what cut the connection, whether it's the login, the ip address, the time.. the more the tcpd is hidden the better. tcpd is indispensable ;)

cheers
cheedu

On Thu, 12 Oct 2000, none none wrote:

> tcp wrappers can be used to "filter" the services running on inetd.conf using those files: /etc/hosts.allow and /etc/hosts.deny. you just have to indicate the service to call tcp-wrappers on inetd.conf.
>
> > From: Sridhar
> > Reply-To: omicron@symonds.net
> > To: suse-security@suse.com
> > Subject: [suse-security] PAM and tcp wrappers
> > Date: Thu, 12 Oct 2000 23:46:07 +0530 (IST)
> >
> > hello
> > i just wonder if tcp wrappers can be used in pam authentication. For instance, in case of services where authentication is required, like ssh, telnet, ftp, rlogin, is it possible to deny a login based on the person's ip address, or execute a command like the tcp wrappers? If somebody's portscanning me for interesting ports, it would definitely be helpful if he thinks the ports are open for him, but whatever he does, he cannot get in. I would indeed prefer tcp wrappers to be _behind_ the login. Has it been done? That would beat the hell out of nmap ;)
> >
> > regards
> > cheedu
On Sat, Oct 14, 2000 at 18:48 +0530, Sridhar wrote:
> what you are referring to is the vanilla config of tcpd, i use it, everyone uses that.

I guess you are talking about blocking the connection before seeing anything of the service, due to IP parameters.

> i'm not saying that. servers without tcpd are unthinkable.. almost. xinetd promises to phase it out, but the point i'm making is to filter it after the login process runs. the client should never know what cut the connection, whether it's the login, the ip address, the time.. the more the tcpd is hidden the better. tcpd is indispensable ;)

Then you might want to stack up something like

  tcpserver -> checkpasswd -> service w/o (explicit) auth

This way you can swap in whatever checkpasswd implementation you like or whatever "knows best" about the (to follow) service's auth protocol. And it unfortunately means to fiddle with the services to rip the auth out or to make it look at variables or something passed from the checkpasswd. Since you have those extra wishes, you should not moan about the extra work they cause you. :)

tcpserver is part of the ucspi-tcp package (start to read at http://cr.yp.to) and checkpasswd is usually found in the qmail-pop3d environment (at DJB, too, or at http://www.qmail.org and friends).

The above architecture is BTW really great for self-made services: Just write something that reads from stdin and writes to stdout. Plug it onto the net with a simple "tcpserver host port prog" command. And put (any!) auth into the chain by dropping checkpasswd in (they're available for passwd / shadow, LDAP, db / cdb / any textfile, maybe PAM too). vpopmail does virtual email domains with it. As DJB states, "modularity is not a hack".
[ ... fullquote snipped, do that yourself next time! ... ]
virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
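As an added example (not code from this thread, nor from DJB's ucspi-tcp or checkpassword packages), the following Python program implements the checkpassword interface that sits in the middle of Gerhard's tcpserver -> checkpasswd -> service chain, with Sridhar's wish built in: both the password and the client address (tcpserver's TCPREMOTEIP environment variable) are checked after the login data arrives, and every rejection exits with the same status, so the client cannot tell whether the password or the address cut the connection. The user table and the allowed network below are constructed sample data; real deployments would consult passwd/shadow, LDAP or PAM instead.

```python
import hmac
import ipaddress
import os
import sys

# Constructed sample credentials (plaintext only to keep the example
# self-contained; a real checkpassword would consult passwd/shadow, LDAP, PAM...).
SAMPLE_USERS = {"cheedu": "s3cret"}
# Constructed allow-list, evaluated together with the password check so that a
# rejected client cannot tell whether the password or the address failed.
SAMPLE_ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]

OK, BAD, MISUSE = 0, 1, 2   # checkpassword exit statuses: accept / reject / malformed

def parse_fd3(data: bytes):
    """Split the checkpassword record 'login\\0password\\0timestamp\\0...'."""
    if len(data) > 512:                   # interface limit for descriptor 3
        return None
    parts = data.split(b"\0")
    if len(parts) < 4:                    # need three \0-terminated fields
        return None
    return parts[0].decode("utf-8", "replace"), parts[1]

def decide(data: bytes, remote_ip: str, users=SAMPLE_USERS, allowed=SAMPLE_ALLOWED) -> int:
    """Return the exit status a checkpassword program should use."""
    parsed = parse_fd3(data)
    if parsed is None:
        return MISUSE
    login, password = parsed
    expected = users.get(login)
    password_ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    try:
        ip_ok = any(ipaddress.ip_address(remote_ip) in net for net in allowed)
    except ValueError:                    # TCPREMOTEIP missing or unparsable
        ip_ok = False
    # Both checks always run; every failure collapses to the same status.
    return OK if (password_ok and ip_ok) else BAD

def main() -> None:
    if len(sys.argv) < 2:
        sys.exit(MISUSE)
    with os.fdopen(3, "rb") as fd3:       # checkpassword reads login data on fd 3
        data = fd3.read()
    status = decide(data, os.environ.get("TCPREMOTEIP", ""))
    if status != OK:
        sys.exit(status)
    os.execvp(sys.argv[1], sys.argv[1:])  # hand the connection to the real service

if __name__ == "__main__":
    main()
```

In the chain from the message, `prog` in "tcpserver host port prog" is the front end that collects login, password and timestamp from the client and spawns this program with them on descriptor 3; the authentication-free service is then whatever follows on the command line.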