
Thread: sshd and hosts.allow

  1. #11
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: sshd and hosts.allow

    It will start up and run without the -i option, but with xinetd/inetd it is more efficient to take advantage of -i.

  2. #12
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    I thought it worked, it doesn't.

    So to recoup:

    /etc/hosts.allow:

    Code:
    sshd: 192.168.178.* 
    sshd: *.kpn.net
    sshd: *.xs4all.nl
    sshd: *.kpn-gprs.nl
    sshd: xx.xxx.xx.xxx

    /etc/inetd.conf:

    Code:
    ssh     stream  tcp     nowait  root    /usr/sbin/sshd -4 -i

    /etc/ssh/sshd_config:

    Code:
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys
    
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no 
    
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no 
    
    
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd yes
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    
    #MaxStartups 10:30:60
    Banner /etc/issue.net
    
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    
    Subsystem sftp /usr/lib/openssh/sftp-server
    
    UsePAM no
    UseDns no

    What works:
    - local logins
    - external logins specified by IP

    What does not work:
    - pattern matching, i.e. letting me in while on *.kpn-gprs.nl or *.kpn.net:

    Code:
    Dec  3 14:58:59 possum sshd[22925]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(static.kpn.net, AF_INET) failed

    So, back on square one.
    Who should I give the floor?

  3. #13
    Join Date
    Dec 2007
    Beans
    12,521

    Re: sshd and hosts.allow

    I don't know if this is relevant to this thread but here's something that indicates that hosts.allow and hosts.deny are "deprecated": http://askubuntu.com/a/23225/25656

  4. #14
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    Quote Originally Posted by vasa1 View Post
    I don't know if this is relevant to this thread but here's something that indicates that hosts.allow and hosts.deny are "deprecated": http://askubuntu.com/a/23225/25656
    Code:
    statia@quokka:~$ ldd `which sshd` | grep wrap
            libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f982b712000)

    Code:
    statia@possum:/var/log$ ldd `which sshd` | grep wrap
            libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb76b1000)

    Sorry, no extra credits for vasa1
    Who wants to try next?

  5. #15
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: sshd and hosts.allow

    Shouldn't the hosts.allow entry be all on one line?

    Code:
    sshd: 192.168.178.*, *.kpn.net, *.xs4all.nl, *.kpn-gprs.nl, xx.xxx.xx.xxx

  6. #16
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    Quote Originally Posted by Lars Noodén View Post
    Shouldn't the hosts.allow entry be all on one line?
    It looks like both work.
    If I add a line with my exact IP while on GPRS, I can get in.
    I got the idea of multiple lines from some other link posted here.

  7. #17
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    OK, I am really at my wits' end. Thinking something went wrong with reverse DNS, I figured out the IP ranges my provider uses and put them in hosts.allow, like so:

    Code:
    sshd: 192.168.178.* 
    sshd: *.kpn.net
    sshd: *.xs4all.nl
    sshd: *.kpn-gprs.nl
    sshd: 188.207.0.0/0.0.127.255
    sshd: 62.133.64.0/0.0.63.255

    Also tried with one line:

    Code:
    sshd: 192.168.178.*, 62.133.64.0/0.0.63.255

    After every modification I sent a KILL -1 to inetd and did a "service ssh restart"

    But still:

    Code:
    Dec  4 09:55:59 possum sshd[29736]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(host-62-133-64-23.kpn-gprs.nl, AF_INET) failed
    Dec  4 09:55:59 possum sshd[29736]: refused connect from 62.133.64.23 (62.133.64.23)

    Last edited by Statia; December 4th, 2012 at 10:24 AM.
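The two failures in this thread (posts #12 and #17) both come from how libwrap evaluates a client against hosts.allow: a host-name pattern is only compared against a name whose forward lookup agreed with the connecting address (the "can't verify hostname" warning means no such name exists, so only address patterns can match), and an `n.n.n.n/m.m.m.m` entry matches when `address AND mask` equals `net` exactly, as documented in hosts_access(5). The model below is an added example, not code from the thread or from tcp_wrappers; its hosts.allow text is constructed from the entries posted here, with the netmask-form line `62.133.64.0/255.255.192.0` added for contrast, and it omits hosts.deny, `EXCEPT` clauses and the IPv6 forms.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed hosts.allow text modelled on the entries posted in this thread.
# The last line uses the netmask form hosts_access(5) expects; the line above
# it keeps the thread's inverse-mask form so the two can be compared.
HOSTS_ALLOW = """\
sshd: 192.168.178.*
sshd: *.kpn.net, *.kpn-gprs.nl
sshd: 188.207.0.0/0.0.127.255
sshd: 62.133.64.0/255.255.192.0
"""

def parse_hosts_allow(text):
    """Yield (daemon, [client patterns]) per rule; comments and blank lines skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemon, clients = line.split(":", 1)
            yield daemon.strip(), [c.strip() for c in clients.split(",") if c.strip()]

def net_mask_matches(pattern, ip):
    """n.n.n.n/m.m.m.m (or /prefixlen): match when (address AND mask) == net, exactly."""
    net, mask = pattern.split("/", 1)
    if mask.isdigit():
        mask_int = int(ipaddress.IPv4Network("0.0.0.0/" + mask).netmask)
    else:
        mask_int = int(ipaddress.IPv4Address(mask))
    return (int(ip) & mask_int) == int(ipaddress.IPv4Address(net))

def client_matches(pattern, ip, verified_name):
    """verified_name is the client's reverse name only when its forward lookup
    agreed with the address; after a 'can't verify hostname' warning it is None."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return net_mask_matches(pattern, ip)
    if pattern.startswith("."):          # .domain  -> host-name suffix
        return verified_name is not None and verified_name.endswith(pattern)
    if pattern.endswith("."):            # 192.168. -> address prefix
        return str(ip).startswith(pattern)
    # shell-style wildcard: tried against the verified name, then the address
    if verified_name is not None and fnmatchcase(verified_name, pattern):
        return True
    return fnmatchcase(str(ip), pattern)

def allowed(daemon, ip, verified_name, text=HOSTS_ALLOW):
    """Return the first pattern that admits the client, or None if no rule matches."""
    ip = ipaddress.IPv4Address(ip)
    for rule_daemon, patterns in parse_hosts_allow(text):
        if rule_daemon in (daemon, "ALL"):
            for pattern in patterns:
                if client_matches(pattern, ip, verified_name):
                    return pattern
    return None
```

With `verified_name=None`, `62.133.64.23` is admitted only by the netmask-form line, and `188.207.10.5` matches nothing because `188.207.0.0/0.0.127.255` can never equal the masked address.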

  8. #18
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    Apparently sending inetd a SIGHUP and restarting sshd is not enough.
    After a reboot it works.

    Leaves me with the question: how should I reread hosts.allow after a change has been made?

  9. #19
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: sshd and hosts.allow

    Quote Originally Posted by Statia View Post
    Apparently sending inetd a SIGHUP and restarting sshd is not enough.
    After a reboot it works.

    Leaves me with the question: how should I reread hosts.allow after a change has been made?
    That sounds like a bug. For many services, SIGHUP is enough.

  10. #20
    Join Date
    Jul 2012
    Location
    /tropics/islands/statia
    Beans
    275
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: sshd and hosts.allow

    Quote Originally Posted by Lars Noodén View Post
    That sounds like a bug.
    That does not surprise me.
    I am a living corollary to Murphy's Law:

    If there is a bug I will encounter it.
