I'd like to see a feature of the commercial ssh in openssh:

AllowHosts xxx.yyy.xxx.yyy *.domain.net
DenyHosts xxx.yyy.xxx.* name.domain.net

This allows or denies connects from certain machines (including wildcard matching).

Is there any chance for this feature to be included? No, we don't want to use tcp-wrapper for this.

Bye.

+-------------------------------------------------------------------------+
 Andreas Vetter                            Universitaet Wuerzburg
 Telefon: [++49] (931) 888-5723            Institut fuer Theoretische Physik
 Telefax: [++49] (931) 888-5141            Theoretische Physik I
                                           Am Hubland
 E-mail: vetter at physik.uni-wuerzburg.de  D-97074 Wuerzburg
+-------------------------------------------------------------------------+
On Tue, 27 Feb 2001, Andreas Vetter wrote:

> I'd like to see a feature of the commercial ssh in openssh:
> AllowHosts xxx.yyy.xxx.yyy *.domain.net
> DenyHosts xxx.yyy.xxx.* name.domain.net
>
> This allows or denies connects from certain machines (including wildcard
> matching).
>
> Is there any chance for this feature to be included? No, we don't want to
> use tcp-wrapper for this.

I begged for this for a long time half a year ago or so, but never got any replies. So I gave up.

Now I'm happily using tcp wrappers. I've made a patch for tcp_wrappers to enable wildcard matching (from ssh 1.2.12), and to enable file includes (from freebsd). So I can't see why tcp_wrappers should be worse than HostsAllow and friends in this aspect.

So with this you could just do:

---
sshd: /etc/ssh/ssh_hosts_allow : all
sshd: ALL : deny
---

and in /etc/ssh/ssh_hosts_allow, like:

---
xxx.yyy.x??.*
name*.domain.net
---

Patches available on request. Both are in recent Red Hat Linux betas, btw.

-- 
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                     not those you stumble over and fall"
Systems. Networks. Security.    -- Robert Jordan: A Crown of Swords
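To make the semantics of the configuration in the post above concrete, here is an added example (not code from the post, from tcp_wrappers, or from OpenSSH) that models an ordered allow/deny evaluation: patterns read from an include file are tried first and grant access, then a final `ALL : deny` rule catches everything else. It assumes shell-style `*`/`?` globbing as the patched wildcard matching; stock tcp_wrappers uses its own pattern forms (leading-dot domain suffixes, trailing-dot network prefixes, `KNOWN`/`UNKNOWN`/`PARANOID`), which are not modelled here. The include-file contents and the client addresses and reverse names are constructed.

```python
import fnmatch
from typing import List, Optional, Tuple

# Constructed sample contents of an include file such as /etc/ssh/ssh_hosts_allow:
# one or more patterns per line, '*' and '?' as shell-style wildcards, '#' comments.
ALLOW_FILE = """
# lab subnet, plus one pinned host in a sibling subnet
10.1.2.*      10.1.?.7
# any host whose reverse name is under example.net
*.example.net
# a family of named hosts
host*.corp.example
"""

# A rule is (action, patterns); rules are ordered and the first match wins, mirroring
#   sshd: /etc/ssh/ssh_hosts_allow : all
#   sshd: ALL : deny
Rule = Tuple[str, List[str]]


def parse_patterns(text: str) -> List[str]:
    """Return the whitespace-separated patterns of an include file, ignoring comments."""
    patterns: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            patterns.extend(line.split())
    return patterns


def build_rules(allow_file_text: str) -> List[Rule]:
    """Allow whatever the include file lists, then deny everyone else."""
    return [("allow", parse_patterns(allow_file_text)), ("deny", ["ALL"])]


def pattern_matches(pattern: str, address: str, hostname: Optional[str]) -> bool:
    """Match a pattern against the client IP or, if a reverse lookup produced one, its name.

    '*' also spans dots, so '*.example.net' matches any depth of subdomain. A name
    pattern can only ever match when a reverse name exists, which is why address
    patterns are the more robust choice for hosts without trustworthy reverse DNS.
    """
    if pattern.upper() == "ALL":
        return True
    if fnmatch.fnmatchcase(address, pattern):
        return True
    if hostname is None:  # lookup failed or was not trusted: no name to compare
        return False
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def decide(address: str, hostname: Optional[str], rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Walk the ordered rules and return (action, matched pattern) for the first hit.

    When no rule matches at all, tcp_wrappers grants access; that default is kept here,
    which is exactly why the trailing 'ALL : deny' rule matters in the post's config.
    """
    for action, patterns in rules:
        for pattern in patterns:
            if pattern_matches(pattern, address, hostname):
                return action, pattern
    return "allow", None


if __name__ == "__main__":
    rules = build_rules(ALLOW_FILE)
    # Constructed clients: (address, reverse name or None when the lookup failed)
    clients = [
        ("10.1.2.5", "pc5.other.org"),
        ("10.1.3.7", None),
        ("10.1.23.5", None),
        ("192.0.2.10", "box.example.net"),
        ("192.0.2.11", None),
        ("192.0.2.12", "host13.corp.example"),
    ]
    for address, name in clients:
        print(f"{address:<12} {name or '-':<22} -> {decide(address, name, rules)}")
```

The `10.1.23.5` client is the case worth noticing: `10.1.2.*` requires the literal prefix `10.1.2.` and `10.1.?.7` consumes exactly one octet character, so neither matches and the client falls through to the deny rule.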
On Tue, Feb 27, 2001 at 05:41:55PM +0100, Andreas Vetter wrote:

> I'd like to see a feature of the commercial ssh in openssh:
> AllowHosts xxx.yyy.xxx.yyy *.domain.net
> DenyHosts xxx.yyy.xxx.* name.domain.net
>
> This allows or denies connects from certain machines (including wildcard
> matching).
>
> Is there any chance for this feature to be included? No, we don't want to
> use tcp-wrapper for this.

why should every feature, even if there exist special solutions, be included in openssh?

you can deny ip-addresses with tcp-wrapper, ipfw, ipf, etc, etc.
Folks,

Dan Kaminsky wrote:

> There is, of course, the inevitable problem. If you can't *trust* IP
> addresses, just user authenticators, then what are you doing switching your
> configurations based on addresses? I'd like to stick to cryptographic
> keys--finally, a genuine use for rhostsrsa?--but clearly we can enhance
> security by ruling out entire swaths of attackers simply due to their
> unspoofed address space.

Sounds a bit like what I proposed back in August:

> It seemed to me that it would be useful to be able to control access to
> my server with the /etc/ssh_known_hosts file, using RSA authentication
> of the remote host. But the protocol only allows RSA host authentication
> in conjunction with rhosts, while I prefer RSA user authentication.
>
> I've made a patch to the server which adds a new configuration option:
> RSAHostOtherAuthentication. When this option is enabled RSA host
> authentication is turned on, but without the rhosts check. Also, RSA
> host authentication on its own is insufficient to authenticate the user.
> The server also requires one other authentication method to succeed.
> It doesn't matter which, and the order in which the methods are tried
> doesn't matter.
>
> With this modified server I can enable RSA authentication of both the
> remote host and the user. This only works if the client is willing to
> try different authentication methods if the first doesn't succeed.
>
> I'm happy with this, but does it make sense? Is there any obvious flaw?

The patch against 2.1.1p4 is in the list archive:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=96538738531641&w=2

Ron
Markus Friedl wrote:

> On Wed, Feb 28, 2001 at 09:57:11AM +0100, Andreas Vetter wrote:
> > Tcp-wrappers are invoked by inetd, so when there is a DoS-attack against
> > the inetd (usually this is done port by port): game over.
>
> tcp-wrappers are not at all related to inetd.
> they only can be used with inetd. you don't
> need inetd if you want to use sshd + tcpwrappers
> since sshd uses libwrap directly.

I agree. I don't think we need an AllowHosts/DenyHosts. tcp-wrappers compile easily even on old systems (AIX 3), and do the job just fine.

-- 
Laurent Papier - Admin. systeme
Sdv Plurimedia - <http://www.sdv.fr>