Austin Gonyou
2002-May-03 11:59 UTC
Does OpenSSH have tcp_wrappers *built-in* or just compatibility?
I was under the impression it was just compatibility, and not actually built-in, but I thought I'd ask here and just make sure of what I'm saying. :) TIA. -- Austin Gonyou Systems Architect, CCNA Coremetrics, Inc. Phone: 512-698-7250 email: austin at coremetrics.com "It is the part of a good shepherd to shear his flock, not to skin it." Latin Proverb -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: This is a digitally signed message part Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020503/69b5f070/attachment.bin
Peter Watkins
2002-May-03 12:28 UTC
Does OpenSSH have tcp_wrappers *built-in* or just compatibility?
On Fri, May 03, 2002 at 06:59:59AM -0500, Austin Gonyou wrote:> I was under the impression it was just compatibility, and not actually > built-in, but I thought I'd ask here and just make sure of what I'm > saying. :) TIA.OpenSSH and tcp_wrappers are separate software packages. OpenSSH can be built against the tcp_wrappers library (if tcp_wrappers is available on your system) so that the resulting binaries support tcp_wrappers' access control mechanisms. Normally tcp_wrappers is compiled as an archive, libwrap.a, so that if OpenSSH is compiled with tcp_wrappers support, tcp_wrappers is literally built-in (using Wietse Venema's code) to the resulting binaries, though some systems provide tcp_wrappers as a shared object and use standard dynamic linking mechanisms to add tcp_wrappers functionality to their applications. Wietse, if you're here, I'd love to hear what you think about libwrap.a vs libwrap.so. :-) -- Peter Watkins - peterw at tux.org - peterw at usa.net - http://www.tux.org/~peterw/ Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692
Darren Tucker
2002-May-04 04:22 UTC
Does OpenSSH have tcp_wrappers *built-in* or just compatibility?
Austin Gonyou wrote:> Yeah..we thought about that..but it's really not *hard* enough. Since > they will still have access to multiple other solaris boxes to be able > to make portable binaries with and /tmp is useable by all. Though > solaris ACLs would take care of that, it's not a good first step for our > production environment. I think we are on the same wavelength though. :) > > On Fri, 2002-05-03 at 08:57, Darren Tucker wrote: > > Austin Gonyou wrote: > > > On solaris 8, that would probably be something we could do. We're > > > looking into how we can limit specific users from being able to ssh > > out > > > of a box, and someone mentioned tcp_wrappers being built into OpenSSH. > > > > Assuming they can't copy their own binaries onto the box how about > > "chgrp sshusers ssh; chmod o-rwx ssh"?OK, how about this: 1) Install the real ssh setuid root, gid sshusers, mode 4110. 2) Set "UsePrivilegedPort" to "yes". 3) Arrange for a firewall/router/local packet filter to drop all outbound tcp connections on port 22 with a source port >1023. This will also defeat using a forwarder (like netcat) from an internal box: ProxyCommand ssh gatewayhost nc externalhost 22 You could also mount /home, /tmp and /var noexec. This would stop someone copying another ssh and getting an external server to run sshd on another port (eg 443). It'd be a lot easier to use "userdel" :-) Once you've got collusion on both sides it's very hard to stop. -Daz.