[OpenIndiana-discuss] Does OpenIndiana's sshd obeys TCP wrappers?
Hubert Garavel
hubert.garavel at inria.fr
Sat Dec 29 07:21:42 UTC 2018
>> But I tried as you suggested, and managed to start sshd via inetd.
>> The trick is to use inetconv and to run "sshd -i". I can provide
>> detailed explanations on request.
>
> Provide instructions here on the list, please. It may be useful to have
> the knowledge at some point.
OK. I still insist that TCP wrappers should be effective even
if OpenSSH is not started by inetd. This would make OpenIndiana
compatible with Oracle Solaris, where sshd is always protected
by the TCP wrappers ("The Secure Shell (ssh) and sendmail features
of Oracle Solaris are configured to use TCP wrappers").
https://docs.oracle.com/cd/E37838_01/html/E61019/sec-net.html
-o-o-o-o-o-o-o-
These are instructions to start OpenSSH via inetd.
The reservations found in the Oracle manual page about sshd being
too slow when started via inetd (see option "-i") seem only relevant
for SSH v1, not SSH v2. The manual page is probably obsolete on this
point.
The standard SSH service started by svc.startd is named
svc:/network/ssh:default. The new SSH service started by inetd
will be named svc:/network/ssh/tcp:default (i.e., "ssh/tcp"
rather than "ssh").
0) Make sure that "ssh" is declared in /etc/services and "sshd"
in /etc/passwd.
1) Stop the old service
svcadm disable svc:/network/ssh
2) Create a temporary file /tmp/inetd.ssh containing only one line:
ssh stream tcp nowait root /usr/lib/ssh/sshd sshd -i
See "man -s 4 inetd.conf" for explanations.
Note: ideally, "root" should be replaced by "sshd" to get
privilege separation, and roles should be used. Not done,
as I think that protecting OpenSSH with TCP wrappers even
when it is called without option -i will solve the issue
and avoid launching sshd via inetd.
3) Run the command
inetconv -i /tmp/inetd.ssh
which creates the following manifest file
/lib/svc/manifest/network/ssh-tcp.xml
4) Enable the new SSH service
inetadm -e svc:/network/ssh/tcp:default
5) Refresh the inetd service:
svcadm refresh inetd
6) Check that the new service is ok
inetadm -l /network/ssh/tcp
In particular, tcp_wrappers should be TRUE if TCP
wrappers have been set properly for inetd.
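As an added example that is not part of Hubert's post or of the OpenIndiana project, the small POSIX sh script below turns steps 0, 2 and 6 of the procedure above into checkable functions: it builds the inetd.conf line handed to inetconv, checks that "ssh" and "sshd" are declared in services/passwd-style input, and reads inetadm -l output to confirm that tcp_wrappers is TRUE. The inetadm output, the /etc/services fragment and the /etc/passwd fragment are constructed samples in the name=value style inetadm prints; on a real host you would pipe the live files and the live inetadm output into the same functions. The inetadm -M command mentioned in a comment is the Solaris/OpenIndiana way of setting the inetd-wide default and is not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenIndiana project:
# audit helpers for the inetd-started sshd setup described above.
# All sample data below is constructed for the example.

# Step 2: build the one-line inetd.conf entry handed to inetconv.
# $1 is the user sshd runs as (the post uses root and notes "sshd" as
# the privilege-separated alternative).
inetd_ssh_line() {
    printf 'ssh stream tcp nowait %s /usr/lib/ssh/sshd sshd -i\n' "${1:-root}"
}

# Step 0: does a services(4)-style file on stdin declare "ssh" over tcp?
# Live usage: has_ssh_service < /etc/services
has_ssh_service() {
    grep -Eq '^ssh[[:space:]]+[0-9]+/tcp'
}

# Step 0: does a passwd(4)-style file on stdin contain the "sshd" account?
# Live usage: has_sshd_user < /etc/passwd
has_sshd_user() {
    grep -q '^sshd:'
}

# Step 6: given `inetadm -l /network/ssh/tcp` output on stdin, succeed only
# if tcp_wrappers=TRUE. Both the inherited "default" scope and an explicit
# per-service value are accepted, since either one enables wrapping.
# Live usage: inetadm -l /network/ssh/tcp | check_tcp_wrappers
check_tcp_wrappers() {
    grep -Eq '(^|[[:space:]])tcp_wrappers=TRUE[[:space:]]*$'
}

# Constructed sample of inetadm -l output before wrapping is enabled.
SAMPLE_DISABLED='SCOPE    NAME=VALUE
         name="ssh"
         endpoint_type="stream"
         proto="tcp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/lib/ssh/sshd -i"
         user="root"
default  tcp_wrappers=FALSE
default  connection_backlog=10'

# Constructed sample after the inetd-wide default has been changed with
# `inetadm -M tcp_wrappers=TRUE` followed by `svcadm refresh inetd`
# (that command is the usual Solaris/OpenIndiana way; not from the post).
SAMPLE_ENABLED='SCOPE    NAME=VALUE
         name="ssh"
         endpoint_type="stream"
         proto="tcp"
         exec="/usr/lib/ssh/sshd -i"
         user="root"
default  tcp_wrappers=TRUE
default  connection_backlog=10'

# Constructed minimal /etc/services and /etc/passwd fragments for step 0.
SAMPLE_SERVICES='ssh 22/tcp
telnet 23/tcp'
SAMPLE_PASSWD='root:x:0:0:Super-User:/root:/usr/bin/bash
sshd:x:22:22:sshd privsep:/var/empty:/bin/false'

# Report on the constructed samples when the script is run directly.
audit_samples() {
    printf '%s\n' "$SAMPLE_SERVICES" | has_ssh_service && echo "services: ssh declared"
    printf '%s\n' "$SAMPLE_PASSWD" | has_sshd_user && echo "passwd: sshd account present"
    printf '%s\n' "$SAMPLE_DISABLED" | check_tcp_wrappers \
        || echo "before: tcp_wrappers is not TRUE, hosts.allow/hosts.deny are ignored"
    printf '%s\n' "$SAMPLE_ENABLED" | check_tcp_wrappers \
        && echo "after: tcp_wrappers=TRUE, inetd applies TCP wrappers to ssh/tcp"
}

audit_samples
```

The point of the last check is the one the post makes in step 6: a service listed under inetd is only protected by TCP wrappers when the tcp_wrappers property resolves to TRUE, so an audit should read that property rather than assume the wrappers are active because hosts.allow exists.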