It will start up and run without the -i option, but with xinetd/inetd it is more efficient to take advantage of -i.
Printable View
It will start up and run without the -i option, but with xinetd/inetd it is more efficient to take advantage of -i.
I thought it worked, it doesn't.
So to recoup:
/etc/hosts.allow:
/etc/inetd.conf:Code:sshd: 192.168.178.*
sshd: *.kpn.net
sshd: *.xs4all.nl
sshd: *.kpn-gprs.nl
sshd: xx.xxx.xx.xxx
/etc/ssh/sshd_config:Code:ssh stream tcp nowait root /usr/sbin/sshd -4 -i
What works:Code:# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
UseDns no
- local logins
- external logins specified by IP
What does not work:
- pattern matching, i.e. letting me in while on *.kpn-gprs.nl or *.kpn.net:
So, back on square one.Code:Dec 3 14:58:59 possum sshd[22925]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(static.kpn.net, AF_INET) failed
Who should I give the floor?
I don't know if this is relevant to this thread but here's something that indicates that hosts.allow and hosts.deny are "deprecated": http://askubuntu.com/a/23225/25656
Code:statia@quokka:~$ ldd `which sshd` | grep wrap
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f982b712000)
Sorry, no extra credits for vasa1 ;-)Code:statia@possum:/var/log$ ldd `which sshd` | grep wrap
libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb76b1000)
Who wants to try next?
Shouldn't the hosts.allow entry be all on one line?
Code:sshd: 192.168.178.*, *.kpn.net, *.xs4all.nl, *.kpn-gprs.nl, xx.xxx.xx.xxx
OK, I am really at my wits end. Thinking something went wrong with reverse DNS, I figured out the IP-ranges my provider uses and put them in hosts.allow, like so:
Also tried with one line:Code:sshd: 192.168.178.*
sshd: *.kpn.net
sshd: *.xs4all.nl
sshd: *.kpn-gprs.nl
sshd: 188.207.0.0/0.0.127.255
sshd: 62.133.64.0/0.0.63.255
After every modification sent a KILL -1 to inetd and did a "service ssh restart"Code:sshd: 192.168.178.* , 62.133.64.0/0.0.63.255
But still:
Code:Dec 4 09:55:59 possum sshd[29736]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(host-62-133-64-23.kpn-gprs.nl, AF_INET) failed
Dec 4 09:55:59 possum sshd[29736]: refused connect from 62.133.64.23 (62.133.64.23)
Apparently sending inetd a SIGHUP and restarting sshd is not enough.
After a reboot it works.
Leaves me with the question: how should I reread hosts.allow after a change has been made?