HPE Community
Operating System - HP-UX
1820483 Members
2235 Online
109624 Solutions
New Discussion юеВ

SSH & hosts.allow

 
SOLVED
Go to solution
Tim O'Connell
Regular Advisor

тАО11-22-2007 04:15 AM

тАО11-22-2007 04:15 AM

SSH & hosts.allow

HI All,

I now have ssh working on my test server (thanks Matti). I want to try and restrict access to certain PC names if possible. I can restrict access to the IP address of my PC by putting an entry sshd:11.22.333.44 in hosts.allow. However, if I change this address to the fully qualified domain name of my pc I am denied access. I can ping the fully qualified domain name of my pc successfully. Is it possible to do this with hosts.allow/hosts.deny?

Thanks,

Tim
0 Kudos
3 REPLIES 3
Steven E. Protter
Exalted Contributor

тАО11-22-2007 04:38 AM

тАО11-22-2007 04:38 AM

Solution

Re: SSH & hosts.allow

Shalom Tim,

Not that I know of, though a similar device exists in the sshd_config file, it is worth a look.

Generally people use trp_wrappers, free from http://software.hp.com to handle these issues.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Matti_Kurkela
Honored Contributor

тАО11-22-2007 07:27 PM

тАО11-22-2007 07:27 PM

Re: SSH & hosts.allow

(SEP: HP-provided SSH uses libwrap, i.e. the same code as in the tcpwrapper utility. Because sshd needs to generate session keys at startup, it is not efficient to make ssh start from inetd.)

Sounds like your DNS service might not have a valid reverse lookup record (PTR record) for your PC. It's not very intuitive, but for DNS, "what's the IP address for this name" and "what's the name of this IP address" are completely unrelated pieces of data, even if they refer to the same name/address pair.

On your test server: run "nslookup name.of.your.pc", then run "nslookup ip.address.of.your.pc". Both should report essentially the same answer. However, I'm guessing you'll be getting something unexpected from the latter query.

When you ping your PC using the FQDN, the ping command needs to find the IP address before it can start sending the pings: this is the "standard" DNS lookup.

When ssh receives a connection, it only knows the source IP address from the packet headers. As the hosts.allow rule might be very complex, it is not efficient to make standard DNS lookups to every hostname listed in the hosts.allow lines. Instead, the libwrap code makes a reverse DNS lookup for the IP address. If the reverse lookup data in the DNS server is up to date, the reverse lookup produces a fully-qualified hostname of the client (your pc, in this case). If this name matches one of the hostnames listed in hosts.allow line, you are granted access.

Unfortunately, forgetting to update the reverse DNS information is one of the most common DNS administration mistakes.

MK
MK
0 Kudos
Tim O'Connell
Regular Advisor

тАО11-25-2007 08:20 PM

тАО11-25-2007 08:20 PM

Re: SSH & hosts.allow

Thanks for the replies. Points assigned

Tim
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.