Re: tcp-wrappers and sshd

From: joe user <hargreavesjohnr@qwest.net>
Date: Tue, 15 Jan 2002 17:11:37 -0700

Richard E. Silverman wrote:

> >>>>> "joe" == joe user <hargreavesjohnr@qwest.net> writes:
>
>
> joe> What had escaped me is that 'in.tftpd' was the program name,
> joe> since under Linux, all in.* daemons (well many) appear to be
> joe> implemented by tcpd.
>
> Not implemented -- wrapped. The syntax you see in inetd.conf has the
> various daemons being started by tcpd, which effects and enforces the
> TCP-wrapper checks (/etc/hosts.{allow,deny}) before invoking the actual
> service program for a particular port.
>

hmm. I tried `find / -name 'in.*'`, looking for those daemons. Didn't find any.
Also did rpm -ql tcp_wrappers (first, actually); no results there either,
hence my conclusion.

FWIW (and somewhat OT), I've got xinetd, which has:

service chargen
{
        type = INTERNAL UNLISTED
        id = chargen-dgram
        ...
}

INTERNAL hints at tcpd doing it (and xinetd knowing about it);
no evidence of an explicit wrap, a la:

finger stream tcp nowait nobody /some/where/tcpd in.fingerd

> joe> As I read it, HostbasedAuthentication would not help me, as
> joe> hostname really has to be an official dns-name (reverse
> joe> resolvable).
>
> Some SSH implementations require this, but it is not in principle a
> requirement of trusted-host authentication -- and I don't personally think
> it's a good idea; see:
>
> http://www.snailbook.com/discussion.html#hostbased
>

right. Wasn't going there anyway, cuz servers are behind a NATwall, and client
IP is unpredictable (and unrelated to my goofy/unofficial hostname) when
dialing in. (And cuz I'm trying to follow your advice already given in
c.s.ssh. :-)

So hostbasedAuth implies SSH1 rather than 2? I thought it might be in
addition to, at least when SSH2 is preferred.

> With OpenSSH, you can set "HostbasedUsesNameFromPacketOnly yes".

but this gains nothing unless you're using hostbased already?

> joe> Or does hostbasedAuthentication use just /etc/ssh/ssh_host*_key,
> joe> and Rhost* directives control reverse-resolution ?
>
> I don't understand this question.
>
> joe> Or are the ssh_host_*keys used for tunnelling, where there is no
> joe> particular user, just other-host authentication.
>
> Or this one... host keys are used by the client for server
> authentication (which happens in every SSH connection), and by the server
> as part of user authentication if the hostbased method is employed.

Is the server /etc/ssh/ssh_host_*key used in client authentication in any way
(maybe the Diffie-Hellman part), or are client keys alone sufficient?
hmm, I guess you answered this... (modulo D-H inference)

If one were to set up a tunnel on boot to another computer, it struck me
that use of ssh_host_*key would be used, because there is no 'user'.

So, would this notional tunnel use keys from /root/.ssh/authorized_keys,
or (perhaps better?) from some other privileged nologin acct?

I could imagine that PPP is the preferred way of setting up such a
tunnel, esp. if it's set up on demand, rather than on boot. I don't have a
ppp user.

thx again.
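As an added example (not code from this thread or from the tcp_wrappers package), here is the access-check order Richard describes, /etc/hosts.allow consulted first and then /etc/hosts.deny, worked in Python against constructed rule tables, so a wrapper policy for sshd or in.tftpd can be tested offline before relying on it:

```python
"""Offline evaluator for tcp-wrappers rules (/etc/hosts.allow, /etc/hosts.deny).
Added example covering a subset of hosts_access(5): daemon lists, ALL/LOCAL,
.domain suffix, dotted network prefix and EXCEPT. Not the tcp_wrappers code."""

# Constructed sample tables (not taken from any real system).
SAMPLE_ALLOW = """
sshd : 192.168.1. .corp.example      # LAN addresses and corporate reverse names
in.tftpd : LOCAL                     # only hosts whose name contains no dot
"""
SAMPLE_DENY = """
ALL EXCEPT in.fingerd : ALL          # default-deny everything else
"""

def _match_token(pattern, daemon, host, addr):
    """Match one pattern against the daemon (daemon-list position) or the client."""
    if pattern == "ALL":
        return True
    if daemon is not None:               # daemon-list position: exact name only
        return pattern == daemon
    if pattern == "LOCAL":               # hostname without a dot
        return "." not in host
    if pattern.startswith("."):          # domain suffix, e.g. .corp.example
        return host.endswith(pattern)
    if pattern.endswith("."):            # dotted network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern in (host, addr)       # literal hostname or address

def _match_list(field, daemon, host, addr):
    """'a b EXCEPT c' matches when a or b matches and the EXCEPT part does not."""
    head, _, tail = field.partition(" EXCEPT ")
    if not any(_match_token(p, daemon, host, addr) for p in head.split()):
        return False
    return not tail or not _match_list(tail, daemon, host, addr)

def _table_matches(text, daemon, host, addr):
    """True if any 'daemon_list : client_list' rule in the table matches."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if (len(fields) >= 2 and _match_list(fields[0], daemon, None, None)
                and _match_list(fields[1], None, host, addr)):
            return True
    return False

def hosts_access(daemon, host, addr, allow_text=SAMPLE_ALLOW, deny_text=SAMPLE_DENY):
    """tcpd decision: hosts.allow match grants, then hosts.deny match refuses, else grant."""
    if _table_matches(allow_text, daemon, host, addr):
        return "allow"
    if _table_matches(deny_text, daemon, host, addr):
        return "deny"
    return "allow"                       # no rule matched anywhere: access granted
```

Note that an empty hosts.deny means every unmatched client is granted access, which is why the sample table ends with a catch-all deny rule.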


