https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558723#M759124 Re. ssh vs. ipsec, I agree that ssh definitely has its place. We use it quite extensively here. I just wouldn't use it directly from the Internet. SSH tunneled in IPsec is your best bet. Yes, this is redundant encryption. But the IPsec would likely terminate at a firewall or VPN appliance on the corporate network, so you still need something that covers from there to the end system. Tue, 31 Jul 2001 12:40:32 GMT Chris Calabrese 2001-07-31T12:40:32Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558717#M759118 We are running ssh w/ tcp wrappers. We have some users who want to connect from home really badly using ssh, but they are on dsl lines, and do not have a static ip or a static machine name. Does anyone know a good/easy way to let them in when we are using hosts.allow/hosts.deny in our environment? Thanks<BR />John Mon, 30 Jul 2001 14:37:43 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558717#M759118 John Payne_2 2001-07-30T14:37:43Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558718#M759119 Usually they should be getting IP's on the same Class B or C. If so, just add their class C(preferrably) to the hosts.allow file. As long as you are forcing them to authenticate, then you should be okay with this.<BR /><BR />Regards,<BR />Shannon Mon, 30 Jul 2001 15:16:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558718#M759119 Shannon Petry 2001-07-30T15:16:06Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558719#M759120 Yes, but we are hoping to not open the hosts.allow to their entire ISP. That is where the concern lies... Mon, 30 Jul 2001 16:01:13 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558719#M759120 John Payne_2 2001-07-30T16:01:13Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558720#M759121 I definitely would not do this given the number of security issues that have popped up in SSH over the years. But, if you are going to do this, use OpenSSH (which has a better track record than other variants) and use only the 2.0 protocol (not 1.0 or 1.5).<BR /><BR />A better idea is to use IPsec with strong authentication (X.509 certs with passphrases, for example). Mon, 30 Jul 2001 16:19:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558720#M759121 Chris Calabrese 2001-07-30T16:19:05Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558721#M759122 This is not our only security tool, just a small piece of it. (Partly to get rid of plaintext passwords, etc.) We also have a heterogenious environment here, and have to use tools that can span across to AIX, Solaris, Linux. (Unfortunately for me...) Mon, 30 Jul 2001 21:43:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558721#M759122 John Payne_2 2001-07-30T21:43:05Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558722#M759123 You only need to open ssh for their ISP if they truely <BR />don't have effectively static addresses or names.<BR />The ADSL server I work with has a static name.<BR />My home network effectively has a static IP. Doesn't<BR />change unless I change my NIC. It depends on <BR />the ISPs implementation.<BR /><BR />Try a hosts.allow entry like <BR /> ssh : 24.24. 142.222.221.<BR />using the appropriate subnets. <BR /> Tue, 31 Jul 2001 00:27:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558722#M759123 Bill Thorsteinson 2001-07-31T00:27:52Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558723#M759124 Re. ssh vs. ipsec, I agree that ssh definitely has its place. We use it quite extensively here. I just wouldn't use it directly from the Internet. SSH tunneled in IPsec is your best bet. Yes, this is redundant encryption. But the IPsec would likely terminate at a firewall or VPN appliance on the corporate network, so you still need something that covers from there to the end system. Tue, 31 Jul 2001 12:40:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558723#M759124 Chris Calabrese 2001-07-31T12:40:32Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558724#M759125 Hello John,<BR /><BR />why don't you tell your users to make use of the tool<BR />"xauth" - that is just what it is good for?<BR /><BR />HTH,<BR /> Wodisch Sat, 04 Aug 2001 14:02:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558724#M759125 Wodisch 2001-08-04T14:02:21Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558725#M759126 Hi John Payne,<BR /><BR />This is not any answer to your qts, as you have mention that u have configured tcp wrappers on Hp-UX, can you guide me in doing so. As 'm not able to get it working. <BR /><BR />when i do it using : <BR />make REAL_DAEMON_DIR=/bkp/tcpw hpux<BR />it throws the following errors :<BR /><BR />(Bundled) cc: warning 480: The -O option is available only with the C/ANSI C product; ignored.<BR />/usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file (tcpd.o) was detected. The linked output may not run on a PA 1.x system.<BR />/usr/ccs/bin/ld: Unsatisfied symbols:<BR /> yp_get_default_domain (code)<BR />*** Error exit code 1<BR />Stop.<BR />*** Error exit code 1<BR />Stop.<BR /><BR />Regards,<BR />Dayanand Naik. Thu, 09 Aug 2001 03:43:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558725#M759126 Dayanand Naik 2001-08-09T03:43:02Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558726#M759127 Here is the fix:<BR /><BR />HP-UX: if you have trouble building TCP Wrapper, and the compilation<BR />fails with: /usr/ccs/bin/ld: Unsatisfied symbols: yp_get_default_domain<BR />(code), edit the Makefile and add -DUSE_GETDOMAIN to the definition<BR />of the BUGS macro.<BR /><BR />This is from Wietse's FAQ. I have seen the problem and this fixes the problem and lets you compile. Thu, 09 Aug 2001 14:37:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558726#M759127 John Payne_2 2001-08-09T14:37:38Z https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558727#M759128 Wodisch, (or anyone else)<BR /> Can you elaborate as to how to use xauth? We try not to use CDE or it's buddies here as much as we can..<BR /><BR />Thanks<BR /><BR />John Thu, 09 Aug 2001 14:40:13 GMT https://community.hpe.com/t5/operating-system-hp-ux/hosts-allow-workaround/m-p/2558727#M759128 John Payne_2 2001-08-09T14:40:13Z