[Summary] Securing sshd with tcp wrappers

From: Duane M. Gran (ragnar@SolarisCentral.org)
Date: Tue Nov 09 1999 - 17:29:53 CST

Original question:

>I have searched for information regarding this, but hope someone here may
>have tried this before. I am using tcp wrappers to limit telnet and ftp
>logins to a Solaris 7 machine. It works very well. I am also using ssh
>(version 1) to improve security against packet sniffing.
>The problem is that having ssh defeats the purpose of having tcp wrappers
>since someone who gleaned a username/password could then login from
>anywhere with ssh. The sshd daemon isn't controlled from
>/etc/initd.conf, so I don't see offhand how I can use tcp wrappers to
>"wrap" the connections. Does anyone know how one might do this? Summary
>will follow...


1) Add sshd to inetd.conf. This has performance drawbacks and is not
recommended by the ssh team, however it is probably the quick and dirty
solution. One does the following with /etc/inetd.conf:

  ssh stream tcp nowait root /usr/local/sbin/tcpd
/usr/local/sbin/sshd -i

  One should make sure sshd is listed in /etc/services in addition to

2) Use the built in allow/deny features of ssh. In the /etc/sshd_config
there are directives to allow and deny various hosts. This is a good
solution, with the only drawback of maintaining two allow/deny lists.

3) Use ipfilter or other such utilities which allow you to not only deny
from certain addresses, it allows you to limit ports.

4) Compile tcp wrapper support into ssh. I am told this only works for
version 1.x, not 2.x. Yet more reason to avoid version 2 of ssh. This
is the solution I am opting for. One would do the following to compile
tcp wrapers with ssh support:

   ./configure --with-lib-wrap=/PATHOF/libwrap.a

   Edit the ssh Makefile:

   WRAPLIBS = -L/PATHOF/tcpwrappers -lwrap

   In the /etc/hosts.allow you can then do:

   sshd: <ip address>: ALLOW
   sshdfwd-X11: <ip address>: ALLOW
   sshdfwd-8000: <ip address>: ALLOW

   and in /etc/hosts.deny you do:

   sshd: ALL
   sshdfwd-X11: ALL
   sshdfwd-8000: ALL

The solution appeard to not be as elusive as I thought, and I made the
mistake of looking for the answer withing tcp wrappers, not within ssh.
A good resource was the ssh FAQ
(http://www.employees.org/~satch/ssh/faq/ssh-faq-5.html). For this I
feel a little foolish, and I thank the many list members who politely
explained these solutions. The following were very helpful:

Bevan Broun, bevanb@ee.uwa.edu.au
Sean Harding, sharding@well.com
S. Khemmanivanh, somckit@u.washington.edu
Bill Hebert, bhebert@nuc.berkeley.edu
Benno, benoit@mathematik.uni-marburg.de
Raymond Wong, negativl@netcom.com
Paul Gardner, paul@u.genie.co.uk
Sue Gray, sgray@goldridge.net
Brian Scanlan , singer@redbrick.dcu.ie
Carl Brewer, carl@bl.echidna.id.au
Matthew West, mwest@uct.ac.za
gabriel rosenkoetter, gr@cs.swarthmore.edu
Matthew Stier, Matthew.Stier@tddny.fujitsu.com
Dieter Gobbers, gobbers@faw.uni-ulm.de
Daniel Muino, dmuino@afip.gov.ar
Brad Young, byoung@splitrock.net
mark cormier, mark_cormier@harvard.edu
Ronald Loftin, reloftin@syr.edu
Palmieri Matthew R DLVA, PalmieriMR@NSWC.NAVY.MIL
RG, rg1@stingray.lauderdale.net
Igor Kolker, igor_kolker@yahoo.com
Kevin L Prigge, klp@tc.umn.edu
Jochen Bern, bern@penthesilea.uni-trier.de
Arthur Darren Dunham, add@netcom.com
David Williams, williams116@llnl.gov
Will Lowe, lowe@asel.udel.edu
Dan Stromberg, strombrg@nis.acs.uci.edu
Jeff Graham, demit@best.com

Solaris Central - We're the dot in .org


This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:32 CDT