
Thread: sshd and hosts.allow


  1. #1
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    sshd and hosts.allow

    I am trying to make my lubuntu 12.10 box accessible from my phone.
    sshd is run with inetd (openbsd-inetd 0.20091229-2ubuntu2) and uses tcpwrappers:

    Code:
    ssh     stream  tcp     nowait  root    /usr/bin/tcpd  sshd -i
    I have enabled my domain while on mobile data:

    Code:
    sshd: 192.168.178., .xs4all.nl, .kpn-gprs.nl
    (hosts.allow)

    This does not let me in, I think because reverse DNS might not be set up by my provider.
    So:
    Code:
    echo 'UseDns no' >> /etc/ssh/sshd_config
    sshd and inetd have been restarted, but I still can't get in:

    Code:
    Nov 22 14:27:55 possum sshd[8839]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(host-62-133-64-14.kpn-gprs.nl, AF_INET) failed
    Nov 22 14:27:55 possum sshd[8839]: refused connect from 62.133.64.14 (62.133.64.14)
    If I add the exact IP address of my mobile connection to hosts.allow I am able to connect. Connecting via the local network (192.168.178.x) also works.
    Any ideas?
    (And I just realise for the next step I need to import the keys to my phone, as password authentication has been disabled)

  2. #2
    Join Date
    Sep 2006
    Beans
    7,279
    Distro
    Lubuntu Development Release

    Re: sshd and hosts.allow

    Shouldn't hosts.allow be using * for the matching?

    Code:
    sshd: 192.168.178.*, *.xs4all.nl, *.kpn-gprs.nl

  3. #3
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    Not according to the manpage on my system, but I can give it a try.

    PATTERNS
        The access control language implements the following patterns:

        · A string that begins with a `.' character. A host name is matched if the last components of its name match the specified pattern. For example, the pattern `.tue.nl' matches the host name `wzv.win.tue.nl'.

        · A string that ends with a `.' character. A host address is matched if its first numeric fields match the given string. For example, the pattern `131.155.' matches the address of (almost) every host on the Eindhoven University network (131.155.x.x).
    EDIT:
    Scrolling further down I see wildcards may be used also, but I don't think there is a difference between .foo.com and *.foo.com.
    Last edited by Statia; November 22nd, 2012 at 03:15 PM. Reason: scrolled further down

  4. #4
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    This is strange. I had my NAS connected via Ethernet cable to a wireless bridge that connects (wirelessly, obviously) to my router downstairs (http://ubuntuforums.org/showthread.php?t=2058205). Since this is slow (it's an old Linksys WRT54GL), I moved the NAS downstairs and connected it to one of the Gigabit ports on the router. Transfer speeds are 5 to 6 times faster now, but I can't connect by hostname any more:

    Code:
    statia@quokka:~$ ssh -Y possum
    ssh_exchange_identification: Connection closed by remote host
    statia@quokka:~$ ssh -Y 192.168.178.35
    Lubuntu 12.10 on EEEPC 701
    Enter passphrase for key '/home/statia/.ssh/id_rsa': 
    Last login: Tue Nov 27 09:48:22 2012 from 192.168.178.31
    Might this be related to not getting in when connecting over GPRS?
    Last edited by Statia; November 27th, 2012 at 10:15 AM. Reason: added URL

  5. #5
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    OK, this is now in hosts.allow:

    Code:
    sshd: *.kpn.net, *.fritz.box, 192.168.178., *.xs4all.nl, *.kpn-gprs.nl
    When I let inetd reread its configuration (kill -1 $PID), I see this in syslog:

    Code:
    Nov 27 11:19:01 possum inetd[4254]: ssh/tcp: bind: Address already in use
    Nov 27 11:21:37 possum inetd[4254]: ssh/tcp: bind: Address already in use
    Nov 27 11:25:03 possum inetd[4254]: ssh/tcp: bind: Address already in use
    Maybe because I am connected via ssh?

    Anyway, even with the asterisks no access from kpn-gprs.nl.
    No access with hostname possum, only by IP.

  6. #6
    Join Date
    Oct 2009
    Location
    Elgin, IL USA
    Beans
    2,533
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    sshd normally runs as a daemon, so maybe also configuring it in inetd is the reason for the "bind: Address already in use" errors.

    What resolves the "possum" name? My 2wire modem/router uses the local IP to set port forwarding, but uses the MAC address to keep track of it in case the IP changes, and the same goes for manual name/IP entries for DNS. My desktop, old laptop, and BluRay were using a Zyxel router configured as a wireless client bridge. After accessing the Zyxel router by name, the modem/router that does DNS suddenly associated traffic from my desktop with the Zyxel instead of the name I gave my IP, because it saw traffic from me as coming from the Zyxel MAC. So now I use my desktop's wireless; I just need to have the security key handy when installing a new Linux version.

    Maybe whatever resolved possum behind the wireless bridge cannot find it by that name directly on the main LAN because from the router point of view, its MAC address is now different.

    BTW you could use:
    Code:
    sshd: LOCAL, .xs4all.nl, .kpn-gprs.nl
    however, if sshd is using ipv6 that may throw a wrench into using ipv4 addresses in hosts.allow. I gave up on that many years ago due to that issue and simply use keys only and ALL: UNKNOWN in hosts.deny so password crack attempts are futile, and nameless IPs are totally ignored for anything.
    i5 650 3.2 GHz, 8 GB, nvidia GTX 550 Ti 32" 1080p | i7-4700, 8 GB, Intel HD 4600/nvidia GTX 765M 15.6" 1080p | etc.
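    Added example (not code from the thread or from tcp_wrappers itself): a simplified Python model of the hosts_access(5) pattern rules quoted in post #3, plus the LOCAL and UNKNOWN keywords mentioned in post #6. It models the forward/reverse check behind the "can't verify hostname" line in the first post: a client whose PTR name does not resolve back to its address is treated as unverified, so only address patterns (such as 192.168.178. or the exact IP) can match it. The Client records are constructed by hand rather than taken from real DNS lookups.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

@dataclass
class Client:
    """What tcpd knows about a connecting peer (constructed, no real DNS)."""
    addr: str                    # IPv4 address of the peer
    rdns: Optional[str] = None   # PTR name, or None if the lookup returned nothing
    forward_ok: bool = False     # does the PTR name resolve back to addr?

    @property
    def hostname(self) -> Optional[str]:
        # A name is trusted only when the forward lookup confirms the address;
        # otherwise the client counts as unknown and name patterns cannot match.
        return self.rdns if self.rdns and self.forward_ok else None

def match_pattern(pat: str, c: Client) -> bool:
    """One client pattern from hosts.allow against one client."""
    pat, host = pat.strip(), c.hostname
    if pat == "ALL":
        return True
    if pat == "UNKNOWN":
        return host is None
    if pat == "LOCAL":                      # verified name without a dot
        return host is not None and "." not in host
    if pat.startswith("."):                 # domain suffix, e.g. .kpn-gprs.nl
        return host is not None and host.endswith(pat)
    if pat.endswith("."):                   # address prefix, e.g. 192.168.178.
        return c.addr.startswith(pat)
    if "*" in pat or "?" in pat:            # shell-style wildcard on name or address
        return fnmatchcase(c.addr, pat) or (host is not None and fnmatchcase(host, pat))
    return pat == c.addr or pat == host     # exact address or verified name

def allowed(rules: List[str], daemon: str, c: Client) -> bool:
    """True if any hosts.allow line for `daemon` has a matching client pattern."""
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):   # blank and comment lines are ignored
            continue
        daemons, _, clients = line.partition(":")
        if daemon not in (d.strip() for d in daemons.split(",")):
            continue
        # client patterns are separated by blanks and/or commas
        if any(match_pattern(p, c) for p in clients.replace(",", " ").split()):
            return True
    return False

# The hosts.allow line quoted in the first post of the thread
HOSTS_ALLOW = ["sshd: 192.168.178., .xs4all.nl, .kpn-gprs.nl"]
```

    The LAN client is accepted by the address prefix without any DNS at all, while the mobile client with an unverifiable PTR name is refused until either its exact address is listed or its name forward-resolves.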

  7. #7
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    Quote Originally Posted by Statia

    Code:
    ssh     stream  tcp     nowait  root    /usr/bin/tcpd  sshd -i
    Since OpenSSH is compiled with tcpwrappers, I think I don't have to call inetd / tcpd separately?

    I could change this to:

    Code:
    ssh     stream  tcp     nowait  root    /usr/sbin/sshd -4
    Would that be correct?

    (Added the -4 option to only allow IPv4, to not further complicate matters)

  8. #8
    Join Date
    Sep 2006
    Beans
    7,279
    Distro
    Lubuntu Development Release

    -i

    Quote Originally Posted by Statia
    Since OpenSSH is compiled with tcpwrappers, I think I don't have to call inetd / tcpd separately?

    I could change this to:

    Code:
    ssh     stream  tcp     nowait  root    /usr/sbin/sshd -4
    Would that be correct?

    (Added the -4 option to only allow IPv4, to not further complicate matters)
    You'd still need the -i option if it is being called by inetd or xinetd.

  9. #9
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: -i

    Quote Originally Posted by Lars Noodén
    You'd still need the -i option if it is being called by inetd or xinetd.
    No. It works now.
    I have all the access rules on separate lines, like this:

    Code:
    sshd: 192.168.178.* 
    sshd: *.kpn.net
    sshd: *.xs4all.nl
    sshd: *.kpn-gprs.nl
    sshd: xx.xxx.xx.xxx # specific IP that is allowed access
    And sshd is called only with -4, not with -i.
    Last edited by Statia; December 1st, 2012 at 10:51 AM. Reason: spelling

  10. #10
    Join Date
    Sep 2006
    Beans
    7,279
    Distro
    Lubuntu Development Release

    Re: sshd and hosts.allow

    It will start up and run without the -i option, but with xinetd/inetd it is more efficient to take advantage of -i.
