Hi
Thomas Biege wrote:
....
Also, everything is deactivated in /etc/inetd.conf. /etc/hosts.deny is set to ALL: ALL and /etc/hosts.allow is set to sshd: ALL. That's it. Am I pretty safe,
uh, if you start sshd as standalone (not via inetd) it isn't protected by tcpd.
But it seems that in recent versions of sshd which is shipped on Suse's CDs that libwrap support is linked in, so far sshd itself consults /etc/hosts.allow and/or /etc/hosts.deny and decides if it should be called from a given IP address.
Or am I wrong ?
This is definitely correct.
I think we need to add a small patch to the ssh package that gives a new
tcp-wrapper token: sshdfwd-all. The problem with the libwrap is that you
can't reject everything (hosts.deny: ALL : ALL) without adding a rule for
each port that you want to have forwarded by sshd. This may look like:
sshdfwd-X11: ALL : ALLOW
sshd: ALL : ALLOW
sshdfwd-1000: ALL : ALLOW
sshdfwd-443: ALL : ALLOW
There is no general directive like sshdfwd-all.
Anyway, just a small thing. There are more important issues...
Thanks,
Roman.
--
- -
| Roman Drahtmüller
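The access decision Roman describes, as an added illustration that is not part of the thread and not libwrap's or sshd's own code: a simplified model of how tcp_wrappers evaluates hosts.allow and then hosts.deny (first matching rule wins, no match means access is granted), run over constructed versions of the files from the thread. It shows why "ALL: ALL" in hosts.deny plus only "sshd: ALL" in hosts.allow lets the login through but blocks a forwarded port such as sshdfwd-443 until it is listed, and it models the proposed catch-all token as an assumption (here spelled `sshdfwd-all`, enabled by the `proposed_token` flag, which real libwrap and sshd do not understand). Hostname, LOCAL, KNOWN and other client patterns are left out; only ALL, dotted prefixes, address/netmask and plain addresses are handled, plus the EXCEPT operator.

```python
import ipaddress

# Constructed sample files modelling the setup discussed in the thread
# (not copied from any real host).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
sshd: ALL
sshdfwd-X11: ALL
"""
# Hypothetical file using the token Roman proposes; "sshdfwd-all" is NOT
# a real libwrap or sshd token and only works with proposed_token=True below.
HOSTS_ALLOW_PROPOSED = "sshd: ALL\nsshdfwd-all: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def daemon_matches(pattern, daemon, proposed_token=False):
    """Daemon patterns: ALL, an exact name, or (assumed) the proposed sshdfwd-all."""
    if pattern == "ALL":
        return True
    if proposed_token and pattern == "sshdfwd-all":
        return daemon.startswith("sshdfwd-")
    return pattern == daemon


def client_matches(pattern, ip):
    """Client patterns: ALL, 'n.n.n.' prefix, addr/netmask or addr/prefix, exact IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip


def list_matches(patterns, item, match):
    """Evaluate a token list with tcp_wrappers' 'a b EXCEPT c d' semantics."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (list_matches(patterns[:i], item, match)
                and not list_matches(patterns[i + 1:], item, match))
    return any(match(p, item) for p in patterns)


def rule_matches(rule, daemon, ip, proposed_token=False):
    daemons, clients = rule
    return (list_matches(daemons, daemon,
                         lambda p, d: daemon_matches(p, d, proposed_token))
            and list_matches(clients, ip, client_matches))


def access_allowed(allow_text, deny_text, daemon, ip, proposed_token=False):
    """hosts.allow is consulted first, then hosts.deny; no match at all grants access."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip, proposed_token):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip, proposed_token):
            return False
    return True


def demo(ip="203.0.113.5"):
    """Decisions for the thread's configuration from one constructed client address."""
    return {
        "sshd": access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip),
        "sshdfwd-X11": access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshdfwd-X11", ip),
        "sshdfwd-443": access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshdfwd-443", ip),
        "sshdfwd-443 (proposed token)": access_allowed(
            HOSTS_ALLOW_PROPOSED, HOSTS_DENY, "sshdfwd-443", ip, proposed_token=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'allow' if allowed else 'deny'}")
```

The model shows the gap Roman points at: with the deny-everything default, each forwarded port needs its own sshdfwd-<port> line in hosts.allow, and a missing line silently denies that forward while the login itself still works.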