[OpenIndiana-discuss] Does OpenIndiana's sshd obeys TCP wrappers?

Michal Nowak mnowak at startmail.com
Fri Dec 28 19:05:19 UTC 2018 

On 12/28/18 06:30 PM, Hubert Garavel wrote:
> Hello Michal,
> 
>> looking at the patch which restores tcp-wrapper support in OpenSSH
>> (upstream removed it in v6.7), it seems to me that tcp-wrapper is used
>> only when sshd was started via inetd.
> 
> Thanks for the info, this was helpful. On Oracle Solaris 10, the TCP
> wrappers are active even when sshd is not started via inetd.
> 
>> Did you try that? (As I don't know
>> how to do that, I can't verify this assumption.)
> 
> I did not try this at once, since Oracle seems to discourages this
> in its sshd manual page ("sshd is normally not run from inetd...")
> https://docs.oracle.com/cd/E86824_01/html/E54764/sshd-1m.html
> 
> But I tried as you suggested, and managed to start sshd via inetd.
> The trick is to use inetconv and to run "sshd -i". I can provide
> detailed explanations on request.

Provide instructions here on the list, please. It may be useful to have 
the knowledge at some point.

Thanks,
Michal

> 
> So doing, the TCP wrappers become functional.
> 
> However, at the moment it works if sshd runs as root (i.e., no
> privilege separation). But it may be possible to do better using
> roles.
> 
>> Is anyone using tcp-wrapper support in OpenSSH?
> 
> The TCP wrappers are a simple yet effective protection.
> OpenSSH has no replacement for it, and IPFilter is much less
> easy to set up. There has been reasonable objections when OpenSSH
> dropped support for TCP wrappers, see e.g.
> https://marc.info/?l=openssh-unix-dev&m=139824330203546&w=4
> 
>> Unless someone speaks up, I am inclined to remove the tcp-wrapper
>> support restoration patch (as OmniOS did).
> 
> Instead, I would suggest:
>      (1) to keep support for the TCP wrapper,
> and
>      (2) to generalize this support to the case where sshd is not started
> via inetd.
> 
> This would solve the issue properly.
> 
> Best,
> 
> 
> 
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
>

More information about the openindiana-discuss mailing list