[OpenIndiana-discuss] Does OpenIndiana's sshd obey TCP wrappers?

Hubert Garavel hubert.garavel at inria.fr
Fri Dec 28 17:30:18 UTC 2018


Hello Michal,

> looking at the patch which restores tcp-wrapper support in OpenSSH 
> (upstream removed it in v6.7), it seems to me that tcp-wrapper is used 
> only when sshd was started via inetd. 

Thanks for the info, this was helpful. On Oracle Solaris 10, the TCP
wrappers are active even when sshd is not started via inetd.

> Did you try that? (As I don't know 
> how to do that, I can't verify this assumption.)

I did not try this at once, since Oracle seems to discourage this
in its sshd manual page ("sshd is normally not run from inetd...")
https://docs.oracle.com/cd/E86824_01/html/E54764/sshd-1m.html

But I tried as you suggested, and managed to start sshd via inetd.
The trick is to use inetconv and to run "sshd -i". I can provide
detailed explanations on request.

So doing, the TCP wrappers become functional.

However, at the moment it works if sshd runs as root (i.e., no
privilege separation). But it may be possible to do better using
roles.

> Is anyone using tcp-wrapper support in OpenSSH?

The TCP wrappers are a simple yet effective protection.
OpenSSH has no replacement for it, and IPFilter is much less
easy to set up. There have been reasonable objections when OpenSSH
dropped support for TCP wrappers, see e.g.
https://marc.info/?l=openssh-unix-dev&m=139824330203546&w=4

> Unless someone speaks up, I am inclined to remove the tcp-wrapper 
> support restoration patch (as OmniOS did).

Instead, I would suggest:
    (1) to keep support for the TCP wrapper,
and
    (2) to generalize this support to the case where sshd is not started
via inetd.

This would solve the issue properly.

Best,
