ssh & inetd

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: der.hansPLUGd@LuftHans.com
Date:  
Subject: ssh & inetd
On Sun, 5 Mar 2000, Mike Starke wrote:

> Just began experiencing something unusual and annoying:
> Whenever I go to ssh into my server at home, I can no longer
> type 'ssh mybox'. It takes forever to get to the login. If
> I use the ip number (192.168.3.1), poof, I am there. IP is
> is both hosts file. FTP works fine, and so does pop. This
> just began after an update (Debian).


ftp and pop probably aren't doing reverse lookups. sshd should be.

> Somethind else I can't figure out: SInce sshd is running in deamon
> mode, I thought tcpd/inetd.conf/hosts.allow doesn't apply. It does.


>From the sshd manpage:


SSH WITH TCP WRAPPERS
       When sshd is compiled with tcp  wrappers  libraries,  then
       the host.allow/deny files also controls who can connect to
       ports forwarded by sshd.


       The program names in the hosts.allow/deny files are  sshd­
       fwd-<portname>,  sshdfwd-<portnumber>, and sshdfwd-X11 for
       forwarded ports the ssh client or server is listening.


       If the port has name defined then you must use it.


If that's an option, you can be pretty certain that debian would include
it ;-).

> If I put the line
> sshd: mylaptop
> in hosts.allow, then I am OK. But running tcpdchk complains that
> sshd is not in inetd.conf. Have I misconfigured something.


You should file a bug against tcpdchk. Thanks for letting me know about
that one ;-), I'd completely forgotten about it.

> Item #1 is just plain annoying (typing my ip [that hasn't changed
> since Moses]), but I can still get in OK. Item 2 bothers me as I
> would like to keep hosts.allow/hosts.deny tightened down pretty
> good, but I would still like tcpdchk to not complain.
>
> Are the two related? I have checked host.conf, made sure all ip's
> are still in hosts, etc.


Probably.

> When I do a tcpdump on my laptop (from the server), I notice that
> the laptop is sending icmp packets to my nameservers.


Are your nameservers correct? Do you have reverse addressing?

If the update that you did moved from ssh-nonfree to openssh some of the
default behavior changed. I haven't experienced what you're seeing, but
I'm also pretty damned certain that my reverse lookups work ;-).

ciao,

der.hans
-- 
# +++++++++++=================================+++++++++++ #
#                    www.excelco.com #
#            http://home.pages.de/~lufthans/              #
#   I'm not anti-social, I'm pro-individual. - der.hans   #
# ===========+++++++++++++++++++++++++++++++++=========== #