Bengt Svensson
2005-Apr-16 02:34 UTC
Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
I have tried to update openssh-3.1p1 on our system that uses RH7.2 (Scyld). It is pretty much a standard Redhat 7.2 install with openssl-0.9.6b, zlib-1.1.4 etc.

I have gotten openssh to work after some initial issues, but I still have not been able to get openssh/sshd to work with tcp-wrappers.

I have in hosts.deny
ALL: ALL:
and in hosts.allow
ALL: localhost, 127.0.0.1, 192.168.1.
and still I can connect with ssh from outside that allowed ip range. tcp-wrapper is working, anything else but ssh is blocked. On another machine that is running the same OS but with openssh-3.1p1 the blocking works.

What could be the problem? Why can't I block ssh logins? Can someone explain to me what is going on and how I can improve the situation?

I followed the instructions in the INSTALL file and compiled openssh-4.0p1 with the following options (to match the dirs of the previous version). The configure output is attached.

$ ./configure --prefix= --sysconfdir=/etc/ssh --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man --with-tcp-wrappers -with-md5-passwords
$ make
$ make install

To get things to work I had to perform the following steps that were not described in the INSTALL file. I wish the INSTALL file would have been more thorough and mentioned this.

$ mkdir /var/empty
$ chown root:sys /var/empty
$ chmod 755 /var/empty
$ groupadd -g 74 sshd
$ useradd -g sshd -c 'Privilege-separated SSH' -u 74 -d /var/empty -s /bin/nologin sshd

I then restarted sshd with
$ /etc/init.d/sshd restart
or rebooted the system.

The previous version might have had PAM included, but when I add -with-pam to configure, I get some more warnings at compile and an error of something like 'Unsupported option' when sshd is restarted and when I have UsePAM yes in the sshd_config file.

Another issue I have found is that when enabling the 'MaxAuthTries 3' option in sssh_config (as I have seen recommended) and restart sshd, I get the message 'Bad Configuration option' and sshd will not start.
I would appreciate any help. Thanks, Bengt Svensson
Tim Rice
2005-Apr-16 02:51 UTC
Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
On Fri, 15 Apr 2005, Bengt Svensson wrote:

> I have tried to update openssh-3.1p1 of our system that uses RH7.2 (Scyld). I
> is pretty much a standard Redhat 7.2 install with openssl-0.9.6b, zlib-1.1.4
> etc.
>
> I have gotten openssh to work after some initial issues, but I still have not
> been able to get openssh/sshd to work with tcp-wrappers.
>
> I have in hosts.deny
> ALL: ALL:
> and in hosts.allow
> ALL: localhost, 127.0.0.1, 192.168.1.
> and still I can connect with ssh from outside that allowed ip range.
> tcp-wrapper is working, anything else but ssh is blocked. On another machine
> that is running the same OS but with openssh-3.1p1 the blocking works.

What happens if you put this in hosts.allow?

sshd: localhost 192.168.1.0/255.255.255.0: ALLOW

> What could be the problem? Why can't I block ssh logins?
> Can someone explain to me what is going on and how I can improve the
> situation.
>
[snip]
>
--
Tim Rice    Multitalents    (707) 887-1469
tim at multitalents.net
Darren Tucker
2005-Apr-16 03:02 UTC
Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
Bengt Svensson wrote:

> I have tried to update openssh-3.1p1 of our system that uses RH7.2
> (Scyld). I is pretty much a standard Redhat 7.2 install with
> openssl-0.9.6b, zlib-1.1.4 etc.
>
> I have gotten openssh to work after some initial issues, but I still
> have not been able to get openssh/sshd to work with tcp-wrappers.
>
> I have in hosts.deny
> ALL: ALL:

That should be "ALL: ALL" without the trailing colon.

> and in hosts.allow
> ALL: localhost, 127.0.0.1, 192.168.1.
> and still I can connect with ssh from outside that allowed ip range.
> tcp-wrapper is working, anything else but ssh is blocked. On another
> machine that is running the same OS but with openssh-3.1p1 the blocking
> works.

Are you using a tcpwrappers shipped with the OS (which will probably use /etc/hosts.{allow,deny}) or one built from source (which will probably use /usr/local/etc/hosts.{allow,deny})?

> What could be the problem? Why can't I block ssh logins?
> Can someone explain to me what is going on and how I can improve the
> situation.
>
>
> I followed the instructions in the INSTALL file and compiled a
> openssh-4.0p1 with the following options (to match the dirs of the
> previous version). The configure out put is attached.
>
> $ ./configure --prefix= --sysconfdir=/etc/ssh
> --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man
> --with-tcp-wrappers -with-md5-passwords

You're missing a "-" in front of "--with-md5-passwords".

> To get things to work I had to perform the following steps that were not
> described in the INSTALL file. I wish the INSTALL file would have been
> more thurough and mentioned this.

Those are documented in README.privsep. Perhaps INSTALL should reference it?

[...]

> The previous version might have had PAM included, but when I add
> -with-pam to configure.
> I get some more warnings at compile and an error

That should be --with-pam, and building with it will require the PAM header files (i.e. the pam-devel package).

> of something like 'Unsupported option' when sshd is restarted and when I
> have UsePAM yes in the sshd_config file.
>
> Another issue I have found is that when enableing the 'MaxAuthTries 3'
> option in sssh_config (as I have seen recommended) and restart sshd, I

MaxAuthTries goes in sshd_config not ssh_config.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
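The evaluation order the two replies rely on (hosts.allow is consulted first, then hosts.deny, and a client matching neither file is admitted), reduced to a small Python model that can be run against the files quoted in this thread. This is an added example, not code from the thread or from tcp_wrappers/libwrap; the pattern forms it supports, its treatment of the posted trailing colon, and the sample files are the example's own assumptions drawn from the lines quoted above.

```python
"""Toy model of tcp_wrappers hosts_access() (added example, not libwrap): hosts.allow
is read first, then hosts.deny; a client matching neither file is admitted."""
import ipaddress

def client_matches(pattern, client_ip, client_name):
    """Does one client_list pattern (the forms used in this thread) match the client?"""
    if pattern == "ALL":
        return True
    if "/" in pattern:                  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):           # leading-components prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    return pattern in (client_ip, client_name)   # exact address or hostname

def parse_rules(text):
    """Split each non-comment 'daemon_list : client_list [: ALLOW|DENY]' line."""
    rules = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":", 2)]
        if len(fields) < 2:             # blank, comment-only or malformed line: skipped
            continue
        # 'ALL: ALL:' as posted leaves an empty third field; this toy reads it as
        # 'no option' (an assumption about the toy only, not about libwrap's parser).
        option = fields[2].upper() if len(fields) == 3 and fields[2] else None
        rules.append((fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split(), option))
    return rules

def table_match(rules, daemon, client_ip, client_name):
    """First rule whose daemon list and client list both match wins; None if none does."""
    for daemons, clients, option in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(client_matches(c, client_ip, client_name) for c in clients):
            return option or "MATCH"
    return None

def hosts_access(allow_text, deny_text, daemon, client_ip, client_name=""):
    """True if the connection would be admitted under these two files."""
    verdict = table_match(parse_rules(allow_text), daemon, client_ip, client_name)
    if verdict is not None:
        return verdict != "DENY"    # a DENY option inside hosts.allow still refuses
    verdict = table_match(parse_rules(deny_text), daemon, client_ip, client_name)
    if verdict is not None:
        return verdict == "ALLOW"   # an ALLOW option inside hosts.deny still admits
    return True                     # nothing matched in either file: admitted

# Constructed from the thread: hosts.deny as posted, hosts.allow in Bengt's and Tim's forms.
DENY_POSTED = "ALL: ALL:\n"
ALLOW_BENGT = "ALL: localhost, 127.0.0.1, 192.168.1.\n"
ALLOW_TIM = "sshd: localhost 192.168.1.0/255.255.255.0: ALLOW\n"
```

On the real system, tcpdchk reports syntax problems in the live hosts.allow/hosts.deny and tcpdmatch answers whether a given client would reach a given daemon; whether the freshly built sshd consults those files at all shows up in its ldd output as a libwrap dependency.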
Bengt Svensson
2005-Apr-20 00:53 UTC
Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
On Wed, 20 Apr 2005, Damien Miller wrote:

> Bengt Svensson wrote:
>
>> Another note to the developers, there seems to be a problem with the -V
>> flag for sshd. I get this output.
>>
>> $ sshd -V
>> sshd: illegal option -- V
>
> You mean "sshd -v":

Either way "sshd -v" or "sshd -V" gives the same output. The -v or -V is not defined.

>
>> OpenSSH_4.1, OpenSSL 0.9.7g 11 Apr 2005
>> usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
>> [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
>

There is also no way to get the version info for the sftp command.

Bengt Svensson