ssh & inetd] (fwd)

Mike Starke mgcon@neta.com
Mon, 6 Mar 2000 22:07:18 -0700 (MST)


I can't thank you enough-> fixed!
It was the port that wasn't in hosts.allow!
A simple line like
sshd 8070: my_laptop
fixed the problem lickety split.

I suppose the part that threw me off was that I didn't
know sshd had the wrappers compiled in. I thought that
since it ran as a daemon, that was bypassed. Then, when
I ran tcpdchk, and it complained (still does <both the service
and the port>), I was really thrown off.

One good thing came out of this: can do hosts.deny
hosts.allow with my eyes closed now......spent so much
time in there the past couple of days
Keyboard smokes when I do a
kill -HUP <inetd pid>

I suppose tomorrow I'll look into sending Wietse
a message (or probably Debian)

Mike
mgcon@getnet.com
http://www.getnet.com/~mgcon
Phoenix, AZ


> Just began experiencing something unusual and annoying:
> Whenever I go to ssh into my server at home, I can no longer
> type 'ssh mybox'. It takes forever to get to the login. If
> I use the ip number (192.168.3.1), poof, I am there. IP is
> in both hosts files. FTP works fine, and so does pop. This
> just began after an update (Debian).

ftp and pop probably aren't doing reverse lookups. sshd should be.

> Something else I can't figure out: Since sshd is running in daemon
> mode, I thought tcpd/inetd.conf/hosts.allow doesn't apply. It does.

From the sshd manpage:

SSH WITH TCP WRAPPERS
       When sshd is compiled with tcp  wrappers  libraries,  then
       the host.allow/deny files also controls who can connect to
       ports forwarded by sshd.

       The program names in the hosts.allow/deny files are
       sshdfwd-<portname>,  sshdfwd-<portnumber>, and sshdfwd-X11 for
       forwarded ports the ssh client or server is listening.

       If the port has name defined then you must use it.

If that's an option, you can be pretty certain that debian would include
it ;-).

> If I put the line
> sshd: mylaptop
> in hosts.allow, then I am OK. But running tcpdchk complains that
> sshd is not in inetd.conf. Have I misconfigured something?

You should file a bug against tcpdchk. Thanks for letting me know about
that one ;-), I'd completely forgotten about it.

> Item #1 is just plain annoying (typing my ip [that hasn't changed
> since Moses]), but I can still get in OK. Item 2 bothers me as I
> would like to keep hosts.allow/hosts.deny tightened down pretty
> good, but I would still like tcpdchk to not complain.
> 
> Are the two related? I have checked host.conf, made sure all ip's
> are still in hosts, etc.

Probably.

> When I do a tcpdump on my laptop (from the server), I notice that
> the laptop is sending icmp packets to my nameservers.

Are your nameservers correct? Do you have reverse addressing?

If the update that you did moved from ssh-nonfree to openssh some of the
default behavior changed. I haven't experienced what you're seeing, but
I'm also pretty damned certain that my reverse lookups work ;-).

ciao,

der.hans
-- 
# +++++++++++=================================+++++++++++ #
#  der.hans@LuftHans.com                  www.excelco.com #
#            http://home.pages.de/~lufthans/              #
#   I'm not anti-social, I'm pro-individual. - der.hans   #
# ===========+++++++++++++++++++++++++++++++++=========== #



----- End forwarded message ----
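
An added illustration, not part of the original thread and not libwrap's own code: a simplified Python model of the hosts_access(5) decision order (hosts.allow first, then hosts.deny, otherwise allow), using the daemon names from the manpage excerpt above. The laptop address 192.168.3.2, the sample file contents and all function names are assumptions made for the example.

```python
# Simplified model of TCP wrappers access control. Supported patterns:
# ALL, exact host name or address, ".domain" suffix, "n.n.n." prefix.
# EXCEPT, netmasks and option fields are deliberately left out.

def _items(field):
    """List items may be separated by blanks and/or commas."""
    return field.replace(",", " ").split()

def parse_rules(text):
    """Turn hosts.allow / hosts.deny text into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # ignore option fields
        rules.append((_items(daemons), _items(clients)))
    return rules

def client_matches(pattern, name, addr):
    """name is None when the reverse lookup of addr failed."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):          # address prefix
        return addr.startswith(pattern)
    return pattern == addr or (name is not None and pattern.lower() == name.lower())

def rules_match(rules, daemon, name, addr):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, name, addr) for c in clients)
               for daemons, clients in rules)

def access_allowed(allow, deny, daemon, name, addr):
    if rules_match(allow, daemon, name, addr):
        return True                    # first match in hosts.allow wins
    if rules_match(deny, daemon, name, addr):
        return False
    return True                        # no match in either file: allowed

# Constructed sample files: deny everything, then open sshd and one
# forwarded port (named sshdfwd-<portnumber>) to a single host.
ALLOW = parse_rules("# constructed sample\nsshd: mylaptop\nsshdfwd-8070: mylaptop\n")
DENY = parse_rules("ALL: ALL\n")

if __name__ == "__main__":
    for daemon, name in [("sshd", "mylaptop"), ("sshd", None),
                         ("sshdfwd-8070", "mylaptop"), ("sshdfwd-9000", "mylaptop")]:
        print(daemon, name, access_allowed(ALLOW, DENY, daemon, name, "192.168.3.2"))
```

The second case shows how a host-name rule depends on reverse resolution: when the server cannot map the client address back to `mylaptop`, the allow entry does not match and the deny-all rule applies.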