OpenSSH can be compiled with tcp-wrappers support and then an entry put in /etc/hosts.allow like

sshd: 192.168.1. : ALLOW

Compile OpenSSH with the following option:

./configure --with-tcp-wrappers

On Wednesday 24 September 2003 08:56, Simon Oliver wrote:
--> There is also a "Hosts" directive to restrict logins to specific IP addresses.
It is not documented and when I tried it (on a box running OpenSSH_3.4p1) sshd start failed, complaining about the Hosts directive (perhaps I formatted it incorrectly).
I did get it working with the AllowUsers directive:
AllowUsers *@*.my.domain
Using this method I find that it still gives the user a login prompt (but always rejects their login unless they are within *.my.domain). Assuming I can trust all machines in *.my.domain, will this actually protect from the vulnerability? At what point in the connection process does the exploit occur - presumably prior to login?
-- Simon Oliver
--
Chad Whitten
Network/Systems Administrator
neXband Communications
cwhitten@nexband.com
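
The hosts.allow entry in the reply above restricts access only if the remaining clients are denied somewhere, because tcp-wrappers grants access when no rule matches. The following is an added example, not code from this thread: a simplified Python model of the hosts.allow/hosts.deny decision order (function names are hypothetical, client addresses are constructed), applied to that entry with and without a catch-all deny.

```python
# Simplified model of the tcp-wrappers decision for one daemon.
# Handles "daemon: client [: ALLOW|DENY]" rules only; client patterns are
# ALL, a trailing-dot address prefix, a leading-dot hostname suffix, or an
# exact string. IPv6 literals and other options are out of scope.

def client_matches(pattern, addr, name=None):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # "192.168.1." matches by address prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):      # ".my.domain" matches by hostname suffix
        return name is not None and name.lower().endswith(pattern.lower())
    return pattern in (addr, name)

def first_match(rules, daemon, addr, name):
    """Option of the first matching rule ('' if none given), or None."""
    for line in rules:
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, addr, name) for c in clients):
            return fields[2].upper() if len(fields) > 2 else ""
    return None

def access(hosts_allow, hosts_deny, addr, name=None, daemon="sshd"):
    verdict = first_match(hosts_allow, daemon, addr, name)
    if verdict is not None:          # matched in hosts.allow
        return verdict != "DENY"
    verdict = first_match(hosts_deny, daemon, addr, name)
    if verdict is not None:          # matched in hosts.deny
        return verdict == "ALLOW"
    return True                      # nothing matched: access is granted

PAGE_ALLOW = ["sshd: 192.168.1. : ALLOW"]   # entry quoted in the reply
CATCH_ALL_DENY = ["sshd: ALL"]              # assumed hosts.deny content
CLIENTS = ["192.168.1.20", "192.168.10.20", "203.0.113.7"]  # constructed

def report(hosts_deny):
    return {ip: access(PAGE_ALLOW, hosts_deny, ip) for ip in CLIENTS}

if __name__ == "__main__":
    print("hosts.allow only:     ", report([]))
    print("plus hosts.deny ALL:  ", report(CATCH_ALL_DENY))
```

The trailing dot in `192.168.1.` is what keeps `192.168.10.20` out of the match; without the deny rule that client is admitted anyway by the default.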