Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Portable OpenSSH Security Advisory: sshpam.adv
  • From: Chad Whitten <dog@xxxxxxxxx>
  • Date: Wed, 24 Sep 2003 09:34:15 -0500
  • Message-id: <200309240934.15033.dog@xxxxxxxxx>
OpenSSH can be compiled with tcp-wrappers support and then an entry put in
/etc/hosts.allow like
sshd: 192.168.1. : ALLOW

Compile OpenSSH with the following option:
./configure --with-tcp-wrappers


On Wednesday 24 September 2003 08:56, Simon Oliver wrote:
> > --> There is also a "Hosts" directive to restrict logins to specific
> > IP addresses.
>
> It is not documented and when I tried it (on a box running
> OpenSSH_3.4p1) sshd start failed, complaining about the Hosts directive
> (perhaps I formatted it incorrectly).
>
> I did get it working with the AllowUsers directive:
>
> AllowUsers *@*.my.domain
>
> Using this method I find that it still gives the user a login prompt
> (but always rejects their login unless they are within *.my.domain).
> Assuming I can trust all machines in *.my.domain, will this actually
> protect from the vulnerability? At what point in the connection process
> does the exploit occur - presumably prior to login?
>
> --
> Simon Oliver

--
Chad Whitten
Network/Systems Administrator
neXband Communications
cwhitten@xxxxxxxxxxx
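
Added example, not part of the original message: a simplified Python model of the hosts_access(5) decision order (hosts.allow first, then hosts.deny, otherwise access is granted), run against the `sshd: 192.168.1. : ALLOW` entry quoted above. The function names and the `sshd: ALL` deny file are assumptions constructed for illustration; only IPv4 prefix, exact-address and `ALL` patterns are modelled.

```python
# Simplified model of the hosts_access(5) decision order (added example).
# Supported client patterns: ALL, address prefixes ending in "." and exact
# IPv4 addresses. Hostnames, net/mask, EXCEPT and shell commands are not modelled.

def _rules(text):
    """Yield (daemons, clients, option) for each rule line in a hosts.* file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].upper() if len(fields) > 2 else ""
        yield daemons, clients, option

def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    return pattern == ip

def _first_match(text, daemon, ip):
    """Return the option of the first matching rule, or None if none match."""
    for daemons, clients, option in _rules(text):
        if (daemon in daemons or "ALL" in daemons) and any(
                _client_matches(p, ip) for p in clients):
            return option or "MATCH"
    return None

def decide(daemon, ip, hosts_allow, hosts_deny=""):
    """Return 'allow' or 'deny': allow file, then deny file, then default allow."""
    hit = _first_match(hosts_allow, daemon, ip)
    if hit is not None:
        return "deny" if hit == "DENY" else "allow"
    hit = _first_match(hosts_deny, daemon, ip)
    if hit is not None:
        return "allow" if hit == "ALLOW" else "deny"
    return "allow"                     # no rule matched: access is granted

# Constructed sample files; the allow rule is the one from the message above.
ALLOW_FILE = "sshd: 192.168.1. : ALLOW\n"
DENY_FILE = "sshd: ALL\n"
```

With only the hosts.allow entry in place, `decide("sshd", "203.0.113.9", ALLOW_FILE)` still returns `allow`; the restriction takes effect once a matching deny rule such as the constructed `sshd: ALL` exists in /etc/hosts.deny.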
