How to permit selective SSH access? (Linux Networking forums, Linux Forums category)

Tim Haynes wrote:
> Gary Petersen <garyp1492.giggly+news@wiggly.earthlink.above.net> writes:
>
>> On Thu, 03 Jun 2004 04:52:07 -0500, Gerard created an award-winning crop
>> circle <pqwdme8k5goo.1o43c2qqn2eg7$.dlg@40tude.net>, which when translated
>> into English means this:
>>
>>> [...]
>>> There's a set of files, called hosts.allow and hosts.deny in the /etc
>>> directory that govern access from the outside world to services on your
>>> server.
>>> [...]
>>
>> I thought that /etc/hosts.allow and /etc/hosts.deny are only used
>> by /usr/sbin/tcpd.
>>
>> Unless sshd is started by tcpd, those hosts files probably don't matter.
>
> No. They're used by libwrap, which tends to be linked directly into daemons
> these days at configure-time, while I remember tcpd as more of an inetd
> thing.
>
> Oh, and portmapper uses them too.

I wonder if this is a distro thing or just terminology. The hosts.deny on my
RH9 system has comments to the effect:

# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

I certainly don't know enough to know if that means something different from
what Tim is saying or not, just posting to perhaps learn ;-).

jmh

jmh <j_m_h@cox.net> writes:

[snip]
>>> Unless sshd is started by tcpd, those hosts files probably don't matter.
>> No. They're used by libwrap, which tends to be linked directly into
>> daemons these days at configure-time, while I remember tcpd as more of
>> an inetd thing. Oh, and portmapper uses them too.
>
> I wonder if this is a distro thing or just terminology. The
> hosts.deny on my RH9 system has comments to the effect:
> # hosts.deny    This file describes the names of the hosts which are
> #               *not* allowed to use the local INET services, as decided
> #               by the '/usr/sbin/tcpd' server.
> #
>
> I certainly don't know enough to know if that means something different
> from what Tim is saying or not,
> just posting to perhaps learn ;-).

Well, sshd can be started with or without assistance from (x)inetd. If you
use it on its own, as most people do, its use of hosts.{allow,deny} depends
on whether it was built -lwrap or not.

If you start it from inetd, you could have tcpd do the check for you.

If you start it from xinetd, then xinetd itself could restrict the IP#s,
and/or it could rely on hosts.{allow,deny}.

In all cases, sshd could use extra restrictions in sshd_config itself as
well.

~Tim
-- 
I still hear the snares in the square     |piglet@stirfried.vegetable.org.uk
Colours ablaze in the evening             |http://pig.sty.nu/Pictures/

Folks,

I have tried reading the 'man' page on ssh and attempted to configure

/etc/ssh/hosts.equiv
.shosts

to only permit access to the server from a select number of IP addresses;
however, it doesn't work (meaning access is permitted from all IP addresses
regardless of origin).

I just placed the IP addresses in the above files. Can someone provide me
with some examples or suggest where I am going wrong?

Please reply via the newsgroup so all can learn.

Thanks in advance,
Randell D.

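
Tim's reply above lists the places a source-address restriction can live for a standalone sshd: tcp_wrappers (only if the binary links libwrap), xinetd, and sshd_config itself. The files the question tried, hosts.equiv and .shosts, are not among them: they configure host-based authentication, i.e. which remote hosts sshd will trust to vouch for a user name, and do nothing to stop a host from connecting in the first place. The script below is an added example and not code from any poster. It checks whether a given sshd links libwrap, validates a list of source addresses, and emits the matching hosts.allow/hosts.deny lines and an sshd_config AllowUsers line. Assumptions: the addresses are placeholders from the RFC 5737 documentation ranges; tcp_wrappers takes networks in its net/mask form, so prefixes are converted to dotted masks; the CIDR form in AllowUsers needs a much newer OpenSSH than the Red Hat 9 one in this thread (older releases take wildcard patterns such as *@192.0.2.*); and OpenSSH 6.7 and later do not link libwrap at all, so on a current system the hosts.* files are ignored for sshd unless the distribution re-added that support, which is exactly what the ldd check makes visible.

```shell
#!/bin/sh
# Added example, not from any poster: which source-address control applies
# to a given sshd, and what the matching config fragments look like.
# Addresses used throughout are placeholders from the RFC 5737 ranges.

# 0 = this sshd links libwrap, so hosts.allow/hosts.deny are consulted;
# 1 = it does not (OpenSSH 6.7+ dropped libwrap unless the distro re-added it);
# 2 = could not tell.  Only point ldd at binaries you trust: it may run them.
sshd_uses_libwrap() {
    bin=${1:-/usr/sbin/sshd}
    command -v ldd >/dev/null 2>&1 || return 2
    out=$(ldd "$bin" 2>/dev/null) || return 2
    case "$out" in
        *libwrap.so*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Accept one bare IPv4 address or one IPv4 prefix in CIDR notation and
# nothing else, so a typo cannot quietly widen the allow list.
valid_ipv4_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac    # no globs, no junk
    case "$1" in
        */*) ip=${1%%/*}; prefix=${1#*/} ;;
        *)   ip=$1;       prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip          # split on dots (positional params of this function only)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prefix length to the dotted mask that hosts_access(5) uses in its net/mask form.
prefix_to_mask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
        mask="${mask:+$mask.}$o"
    done
    echo "$mask"
}

# sshd lines for /etc/hosts.allow and /etc/hosts.deny.  libwrap reads
# hosts.allow first, then hosts.deny, and lets the connection through when
# neither matches: the deny-all line is what actually closes the door.
wrap_fragments() {
    list=""
    for a in "$@"; do
        valid_ipv4_cidr "$a" || { echo "rejected: $a" >&2; return 1; }
        case "$a" in
            */32) a=${a%/32} ;;
            */*)  a="${a%%/*}/$(prefix_to_mask "${a#*/}")" ;;
        esac
        list="${list:+$list, }$a"
    done
    printf '# /etc/hosts.allow\nsshd: %s\n' "$list"
    printf '# /etc/hosts.deny\nsshd: ALL\n'
}

# The same restriction inside sshd_config.  AllowUsers takes USER@HOST
# patterns; on recent OpenSSH the HOST part may be a CIDR prefix.  Anyone
# connecting from elsewhere still reaches sshd but is refused at login.
sshd_allowusers() {
    line="AllowUsers"
    for a in "$@"; do
        valid_ipv4_cidr "$a" || { echo "rejected: $a" >&2; return 1; }
        line="$line *@$a"
    done
    echo "$line"
}

# Stand-alone use:  sh sshacl.sh /usr/sbin/sshd 192.0.2.10 203.0.113.0/24
if [ $# -ge 2 ]; then
    bin=$1; shift
    if sshd_uses_libwrap "$bin"; then
        echo "# $bin links libwrap: the hosts.allow/hosts.deny lines below apply"
        wrap_fragments "$@"
    else
        echo "# $bin does not link libwrap (or could not tell): hosts.* files are ignored"
    fi
    sshd_allowusers "$@"
fi
```

With tcp_wrappers installed, `tcpdmatch sshd 192.0.2.10` and `tcpdmatch sshd 198.51.100.7` show how the generated hosts.* lines would be evaluated before any real connection is attempted. Whichever layer is used, test from an address that is supposed to be refused as well as one that is allowed: a missing deny-all line fails open, not closed.
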
On 3 Jun 2004 17:51:46 GMT, a posting issued forth from Jem Berkes...

>> to only permit access to the server from a select number of IP addresses
>> however it doesn't work (meaning access is permitted from all IP
>> addresses regardless of origin).
>
> OpenSSH doesn't use tcp wrappers as it is a standalone server (in the
> normal installation). It's best to do this using Linux 2.4's netfilter,
> which you can access using iptables. Then you can be sure the selective
> access will work no matter what happens within the SSH server software.
>
> iptables -A INPUT -i eth0 -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 22 -s 4.3.2.1 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
>

The OpenSSH on Fedora Core 2 does:

# ldd `which sshd`
        linux-gate.so.1 =>  (0x00b99000)
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00607000)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        libpam.so.0 => /lib/libpam.so.0 (0x00111000)
        libdl.so.2 => /lib/libdl.so.2 (0x0059b000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00715000)
        libutil.so.1 => /lib/libutil.so.1 (0x00119000)
        libz.so.1 => /usr/lib/libz.so.1 (0x006fa000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00766000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x007d6000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00e81000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0059f000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x005cc000)
        libc.so.6 => /lib/tls/libc.so.6 (0x008d8000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00142000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0011d000)

HAND
Jacob

> to only permit access to the server from a select number of IP addresses
> however it doesn't work (meaning access is permitted from all IP
> addresses regardless of origin).

OpenSSH doesn't use tcp wrappers as it is a standalone server (in the
normal installation). It's best to do this using Linux 2.4's netfilter,
which you can access using iptables. Then you can be sure the selective
access will work no matter what happens within the SSH server software.

iptables -A INPUT -i eth0 -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 4.3.2.1 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

-- 
Jem Berkes
http://www.sysdesign.ca/

In comp.os.linux.networking Jem Berkes <jb@users.pc9.org> wrote:
> OpenSSH doesn't use tcp wrappers as it is a standalone server (in the
> normal installation).

Every installation I've ever used does. (Slackware, Debian)

Although it is true that the ./configure script doesn't use it by default
when you compile from source.

-- 
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!

Jean-David Beyer wrote:
> Reply-Via-Newsgroup Thanks wrote:
>
>>
>> Folks,
>>
>> I have tried reading the 'man' page on ssh and attempted to configure
>>
>> /etc/ssh/hosts.equiv
>> .shosts
>>
>> to only permit access to the server from a select number of IP
>> addresses however it doesn't work (meaning access is permitted from
>> all IP addresses regardless of origin).
>>
>> I just placed the IP addresses in the above files - Can someone
>> provide me with some examples or suggest where I am going wrong?
>>
>> Please reply via the newsgroup so all can learn,
>>
>> Thanks in advance,
>> Randell D.
>
>
> I do it with iptables.
>
> I have iptables set up to deny access from anyone to anything.
>
> Then I selectively allow those IP addresses I care about to connect to
> those ports I want.
>
> So for ssh, I have entries like:
>
> # For sshd daemon.
> for sip in $[list of good guys for ssh]; do
>     $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
>         -s $sip --dport ssh -j ACCEPT
> done
>

Yep - I like this too - I'll play on my devbox first before trying it on
one of our remote boxes... Much appreciated... though since our servers sit
behind a secondary (hardware based) firewall, I don't have iptables enabled
and had hoped instead to depend on ssh configuration on an out of the box
Red Hat 9 installation...

I'll play with both, but I have to admit, I do like the iptables example you
have above... Can I just confirm, $IPT is the full path name to iptables,
true?

cheers
randelld

>> OpenSSH doesn't use tcp wrappers as it is a standalone server (in the
>> normal installation).
>
> Every installation I've ever used does. (Slackware, Debian)
>
> Although it is true that the ./configure script doesn't use it by
> default when you compile from source.

Yeah, sorry I'm a bit weird with my compile-from-source fixation :)

Anyway, I think it's safer overall to use firewall rules. It's a more
reliable layer for filtering.

-- 
Jem Berkes
http://www.sysdesign.ca/

On Thu, 03 Jun 2004 10:00:48 -0700, Reply-Via-Newsgroup
Thanks <newsgroup@fiproject-com.com> wrote:
>
> only permit access to the server from a select number of IP addresses

Forgive the self-promotion, but I do actually think it's relevant...

I wanted to be able to access my computers via SSH from anywhere on the
net, but didn't want to leave SSH open to the world. So I wrote a program
called "Ostiary" that does a challenge-response authentication, then opens
up SSH selectively. Of course, other commands can be initiated remotely as
well; for some limited purposes it can even replace SSH.

The important part is that the protocol is so simple that a buffer overflow
or other attack is basically not possible, plus it runs easily on just
about anything (the client runs on, among other things, a 16MHz Palm, and
my server is a 16MHz 68030 Macintosh).

More information is available at:

http://ingles.homeunix.org/software/ost/

-- 
Sincerely,

Ray Ingles                                       sorceror171@hotmail.com

"These modern kids don't know the simple joy of saving four bytes of
page-0 memory on a 6502 box." - isomeme

Jem Berkes <jb@users.pc9.org> writes:

>>> OpenSSH doesn't use tcp wrappers as it is a standalone server (in the
>>> normal installation).
>>
>> Every installation I've ever used does. (Slackware, Debian)
>>
>> Although it is true that the ./configure script doesn't use it by
>> default when you compile from source.
>
> Yeah, sorry I'm a bit weird with my compile-from-source fixation :)
>
> Anyway, I think it's safer overall to use firewall rules. It's a more
> reliable layer for filtering.

Yes, doing it at the firewall end of things is good - I'm always worried
about letting a bad packet hit user-space when it needn't. For one, if
there's a lot of packets coming in, why should a process have to handle
them all (maybe fork()ing between-times) only to reject them? For seconds,
if it's a bad packet designed to exploit a buffer-overrun or something, do
I trust the bits of the user-space process that deal with tcp-wrappers not
to be susceptible?

~Tim
-- 
Statistically, most thieves steal        |piglet@stirfried.vegetable.org.uk
from other poor people. Robin Hood stole |http://pig.sty.nu/about.html
only from the rich and was a hero.       |
(from <http://www.thegamesjournal.com/>) |
