Operating System - HP-UX

Re: hosts.allow workaround

John Payne_2
Honored Contributor

hosts.allow workaround

We are running ssh w/ tcp wrappers. We have some users who want to connect from home really badly using ssh, but they are on dsl lines, and do not have a static ip or a static machine name. Does anyone know a good/easy way to let them in when we are using hosts.allow/hosts.deny in our environment? Thanks
John
Spoon!!!!
Shannon Petry
Honored Contributor

Re: hosts.allow workaround

Usually they should be getting IPs on the same Class B or C. If so, just add their Class C (preferably) to the hosts.allow file. As long as you are forcing them to authenticate, then you should be okay with this.

Regards,
Shannon
Microsoft. When do you want a virus today?
John Payne_2
Honored Contributor

Re: hosts.allow workaround

Yes, but we are hoping to not open the hosts.allow to their entire ISP. That is where the concern lies...
Spoon!!!!
Chris Calabrese
Valued Contributor

Re: hosts.allow workaround

I definitely would not do this given the number of security issues that have popped up in SSH over the years. But, if you are going to do this, use OpenSSH (which has a better track record than other variants) and use only the 2.0 protocol (not 1.0 or 1.5).

A better idea is to use IPsec with strong authentication (X.509 certs with passphrases, for example).
Brainbench MVP for Unix Administration and Internet Security, SANS Review Editor, and Center for Internet Security HP-UX Benchmark project leader
John Payne_2
Honored Contributor

Re: hosts.allow workaround

This is not our only security tool, just a small piece of it. (Partly to get rid of plaintext passwords, etc.) We also have a heterogeneous environment here, and have to use tools that can span across to AIX, Solaris, Linux. (Unfortunately for me...)
Spoon!!!!
Bill Thorsteinson
Honored Contributor

Re: hosts.allow workaround

You only need to open ssh for their ISP if they truly don't have effectively static addresses or names. The ADSL server I work with has a static name. My home network effectively has a static IP. It doesn't change unless I change my NIC. It depends on the ISP's implementation.

Try a hosts.allow entry like

ssh : 24.24. 142.222.221.

using the appropriate subnets.
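The entry above shows the trade-off the thread is about: a trailing-dot pattern such as "24.24." matches every address in that prefix, so every customer of the ISP gets past the wrapper and only sshd's own authentication stands between them and the box. The following is an added example, not code from this thread or from Wietse Venema's tcp_wrappers: a small Python model of hosts_access(5) pattern matching (ALL, trailing-dot network prefixes, net/mask pairs, exact addresses and the EXCEPT operator, with hosts.allow consulted before hosts.deny) run over constructed hosts.allow and hosts.deny contents. The daemon name is assumed to be "sshd", the process name OpenSSH presents to libwrap; the 24.24.16.0/255.255.240.0 block standing in for a user's DHCP pool is likewise an assumption. Hostname and domain-suffix patterns, the options field and backslash continuation lines are deliberately not modelled. On a real HP-UX box the equivalent check is tcpdmatch(8) from the same tcp_wrappers distribution.

```python
"""Toy evaluator for tcp_wrappers hosts.allow / hosts.deny client patterns.

Added example: models the subset of hosts_access(5) syntax used in the
thread so the effect of an ISP-wide prefix versus a narrow net/mask can be
seen without touching a production wrapper configuration.
"""
import ipaddress

# Constructed sample files (not from a real system). "10.1.2." is an
# assumed corporate LAN; "24.24." and "142.222.221." are the prefixes from
# the thread; the net/mask line is an assumed DHCP pool for one user.
HOSTS_ALLOW = """
# corporate LAN, then two whole ISP prefixes (the risky form)
sshd : 10.1.2.
sshd : 24.24. 142.222.221.
"""

HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...].

    Comments and blank lines are dropped; only the first two colon-separated
    fields are kept (the optional shell command field is ignored)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match_token(pattern, value):
    """Match one pattern against a daemon name or dotted-quad address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # network prefix, e.g. "24.24."
        return value.startswith(pattern)
    if "/" in pattern:                 # net/mask, e.g. "24.24.16.0/255.255.240.0"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(value) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    if pattern.startswith("."):        # domain suffix: no DNS here, never matches
        return False
    return pattern == value            # exact daemon name or address


def match_list(tokens, value):
    """list_1 EXCEPT list_2: matches list_1 unless list_2 also matches.

    Split at the first EXCEPT and recurse on the remainder, which is how
    tcpd's list_match() groups repeated EXCEPT operators."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], value) and not match_list(tokens[i + 1:], value)
    return any(match_token(t, value) for t in tokens)


def decision(daemon, addr, allow_rules, deny_rules):
    """hosts_access(5) order: first hosts.allow match grants, then first
    hosts.deny match refuses, otherwise access is granted."""
    for daemons, clients in allow_rules:
        if match_list(daemons, daemon) and match_list(clients, addr):
            return "ALLOW"
    for daemons, clients in deny_rules:
        if match_list(daemons, daemon) and match_list(clients, addr):
            return "DENY"
    return "ALLOW"


def check(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Evaluate one (daemon, client address) pair against the given files."""
    return decision(daemon, addr, parse_rules(allow), parse_rules(deny))


if __name__ == "__main__":
    # With the ISP-wide prefix, a stranger on the same ISP (24.24.200.7)
    # is admitted to sshd just like the intended user (24.24.17.5).
    for ip in ("10.1.2.9", "24.24.17.5", "24.24.200.7", "142.222.221.3", "203.0.113.8"):
        print(f"{ip:>15}  sshd -> {check('sshd', ip)}")
    # Narrowing to the user's (assumed) DHCP pool keeps the stranger out.
    narrow = "sshd : 24.24.16.0/255.255.240.0\n"
    print(check("sshd", "24.24.17.5", allow=narrow), check("sshd", "24.24.200.7", allow=narrow))
```

The trailing dot on a prefix pattern matters: "24.24." cannot match 24.240.1.1, while a carelessly written "24.24" would. The net/mask form is the tighter tool when the ISP hands out addresses from a known pool, and EXCEPT lets a prefix be opened while carving out ranges you know you never need.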
Chris Calabrese
Valued Contributor

Re: hosts.allow workaround

Re. ssh vs. ipsec, I agree that ssh definitely has its place. We use it quite extensively here. I just wouldn't use it directly from the Internet. SSH tunneled in IPsec is your best bet. Yes, this is redundant encryption. But the IPsec would likely terminate at a firewall or VPN appliance on the corporate network, so you still need something that covers from there to the end system.
Brainbench MVP for Unix Administration and Internet Security, SANS Review Editor, and Center for Internet Security HP-UX Benchmark project leader
Wodisch
Honored Contributor

Re: hosts.allow workaround

Hello John,

why don't you tell your users to make use of the tool
"xauth" - that is just what it is good for?

HTH,
Wodisch
Dayanand Naik
Frequent Advisor

Re: hosts.allow workaround

Hi John Payne,

This is not an answer to your question, but as you have mentioned that you have configured tcp wrappers on HP-UX, can you guide me in doing so? I'm not able to get it working.

when i do it using :
make REAL_DAEMON_DIR=/bkp/tcpw hpux
it throws the following errors :

(Bundled) cc: warning 480: The -O option is available only with the C/ANSI C product; ignored.
/usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file (tcpd.o) was detected. The linked output may not run on a PA 1.x system.
/usr/ccs/bin/ld: Unsatisfied symbols:
yp_get_default_domain (code)
*** Error exit code 1
Stop.
*** Error exit code 1
Stop.

Regards,
Dayanand Naik.
John Payne_2
Honored Contributor

Re: hosts.allow workaround

Here is the fix:

HP-UX: if you have trouble building TCP Wrapper, and the compilation
fails with: /usr/ccs/bin/ld: Unsatisfied symbols: yp_get_default_domain
(code), edit the Makefile and add -DUSE_GETDOMAIN to the definition
of the BUGS macro.

This is from Wietse's FAQ. I have seen the problem and this fixes the problem and lets you compile.
Spoon!!!!
John Payne_2
Honored Contributor

Re: hosts.allow workaround

Wodisch, (or anyone else)
Can you elaborate as to how to use xauth? We try not to use CDE or its buddies here as much as we can.

Thanks

John
Spoon!!!!