Re: tcp-wrappers and sshd
From: joe user (hargreavesjohnr@qwest.net) Date: 01/16/02
- Next message: Little Piggy: "Is it possible to run a SFTP on Windows?"
- Previous message: Alim Manji: "Re: using ssh with LDAP user accounts (not /etc files) ??"
- In reply to: Richard E. Silverman: "Re: tcp-wrappers and sshd"
- Next in thread: Richard E. Silverman: "Re: tcp-wrappers and sshd"
- Reply: Richard E. Silverman: "Re: tcp-wrappers and sshd"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: joe user <hargreavesjohnr@qwest.net> Date: Tue, 15 Jan 2002 17:11:37 -0700
Richard E. Silverman wrote:
>>>>>>"joe" == joe user <hargreavesjohnr@qwest.net> writes:
>>>>>>
>
> joe> What had escaped me is that 'in.tftpd' was the program name,
> joe> since under Linux, all in.* daemons (well many) appear to be
> joe> implemented by tcpd.
>
> Not implemented -- wrapped. The syntax you see in inetd.conf has the
> various daemons being started by tcpd, which effects and enforces the
> TCP-wrapper checks (/etc/hosts.{allow,deny}) before invoking the actual
> service program for a particular port.
>
Hmm. I tried `find / -name 'in.*'`, looking for those daemons. Didn't find them.
Also did `rpm -ql tcp_wrappers` (first, actually); no results there either,
hence my conclusion.
FWIW (and somewhat OT), I've got xinetd, which has:
service chargen
{
type = INTERNAL UNLISTED
id = chargen-dgram
...
}
INTERNAL hints at tcpd doing it (and xinetd knowing about it).
No evidence of an explicit wrap, a la:
finger stream tcp nowait nobody /some/where/tcpd in.fingerd
> joe> As I read it, HostbasedAuthentication would not help me, as
> joe> hostname really has to be an official dns-name (reverse
> joe> resolvable).
>
> Some SSH implementations require this, but it is not in principle a
> requirement of trusted-host authentication -- and I don't personally think
> it's a good idea; see:
>
> http://www.snailbook.com/discussion.html#hostbased
>
Right. Wasn't going there anyway, because the servers are behind a NAT wall, and the client
IP is unpredictable (and unrelated to my goofy/unofficial hostname) when
dialing in. (And because I'm trying to follow your advice already given in
c.s.ssh. :-)
So HostbasedAuth implies SSH1 rather than 2? I thought it might be in
addition to, at least when SSH2 is preferred.
> With OpenSSH, you can set "HostbasedUsesNameFromPacketOnly yes".
But this gains nothing unless you're using hostbased already?
> joe> Or does hostbasedAuthentication use just /etc/ssh/ssh_host*_key,
> joe> and Rhost* directives control reverse-resolution ?
>
> I don't understand this question.
>
> joe> Or are the ssh_host_*keys used for tunnelling, where there is no
> joe> particular user, just other-host authentication.
>
> Or this one... host keys are used by the client for server
> authentication (which happens in every SSH connection), and by the server
> as part of user authentication if the hostbased method is employed.
Is the server /etc/ssh/ssh_host_*key used in client authentication in any way
(maybe the Diffie-Hellman part), or are client keys alone sufficient?
Hmm, I guess you answered this (modulo the D-H inference).
If one were to set up a tunnel on boot to another computer, it struck me
that ssh_host_*key would be used, because there is no 'user'.
So, would this notional tunnel use keys from /root/.ssh/authorized_keys,
or (perhaps better?) from some other privileged nologin account?
I could imagine that PPP is the preferred way of setting up such a
tunnel, especially if it's set up on demand rather than on boot. I don't have a
ppp user.
Thanks again.
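Added example, not part of the original thread: a small POSIX sh script that classifies /etc/inetd.conf entries along the line drawn in the exchange above, i.e. whether a service is started through tcpd (and so checked against /etc/hosts.allow and /etc/hosts.deny before the real daemon runs), started directly, or served by inetd itself ("internal"). It also checks whether the installed sshd is linked against libwrap. The sample inetd.conf content is constructed for the example. Two facts worth keeping in mind alongside it: in xinetd, `type = INTERNAL` marks a service xinetd implements itself (chargen, echo, daytime and friends), and an xinetd built with libwrap consults hosts.allow/hosts.deny on its own, so tcpd never appears in its config; and OpenSSH dropped its optional libwrap support in 6.7, so on a current system sshd does not read those files at all unless something in front of it does.

```shell
#!/bin/sh
# Classify /etc/inetd.conf entries by how inetd starts them.  Added example;
# the sample config below is constructed, not taken from any real system.
#
# inetd.conf fields:
#   service  socket  proto  wait|nowait  user  server-program  [server-args]
# If server-program is tcpd, the real daemon is the first server argument and
# the connection is checked against /etc/hosts.allow and /etc/hosts.deny
# before that daemon runs.  "internal" means inetd serves the port itself.

# classify_inetd_line LINE
#   prints "<service> wrapped <daemon>", "<service> direct <program>" or
#   "<service> internal"; returns 1 for comments and blank lines.
classify_inetd_line() {
    # Word-split the line into positional parameters (function-local in sh).
    # shellcheck disable=SC2086
    set -- $1
    case "${1:-}" in
        ''|'#'*) return 1 ;;
    esac
    service=$1 server=${6:-} daemon=${7:-}
    case "$server" in
        internal)        echo "$service internal" ;;
        tcpd|*/tcpd)     echo "$service wrapped ${daemon:-?}" ;;
        *)               echo "$service direct $server" ;;
    esac
}

# unwrapped_services FILE
#   lists the services in FILE that inetd starts directly, bypassing tcpd.
unwrapped_services() {
    while IFS= read -r line || [ -n "$line" ]; do
        result=$(classify_inetd_line "$line") || continue
        case "$result" in
            *" direct "*) echo "${result%% *}" ;;
        esac
    done < "$1"
}

# sshd_links_libwrap
#   succeeds if the installed sshd is linked against libwrap, i.e. enforces
#   hosts.allow/hosts.deny itself.  OpenSSH removed that option in 6.7, so on
#   current systems this normally fails and sshd never reads those files.
sshd_links_libwrap() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$bin" ] && ldd "$bin" 2>/dev/null | grep -q libwrap
}

# write_sample_inetd_conf FILE  -- constructed sample for the demo below
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
chargen  stream  tcp  nowait  root    internal
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
EOF
}

# Demo on the constructed sample; point it at /etc/inetd.conf on a real box.
sample=$(mktemp)
write_sample_inetd_conf "$sample"
echo "Started directly (no tcpd check):"
unwrapped_services "$sample"
rm -f "$sample"
```

On the constructed sample the only service that escapes the wrapper is telnet: it names /usr/sbin/in.telnetd as the server program directly, so hosts.allow and hosts.deny are never consulted for it.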
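Added example for the boot-time tunnel question above, not from the original thread: rather than putting a key in /root/.ssh/authorized_keys, create a dedicated account (the name `sshtunnel` here is hypothetical) with a nologin shell and give its key an authorized_keys entry restricted with OpenSSH's standard options (`command=`, `no-pty`, `no-agent-forwarding`, `no-X11-forwarding`, `permitopen=`), so the key can open only the forwards it was issued for. The client runs `ssh -N -L 2525:127.0.0.1:25 sshtunnel@server`; with `-N` no session is requested, so the forced command never gets in the way of the tunnel, while anyone who obtains the key and asks for a shell just runs /bin/false. The script builds such a line and audits an existing one; the public key in it is a constructed placeholder.

```shell
#!/bin/sh
# authorized_keys handling for a dedicated, non-interactive tunnel account
# (hypothetical user 'sshtunnel', shell /sbin/nologin).  Added example; the
# public key used below is a constructed placeholder, not a real key.

# tunnel_key_line PUBKEY DEST...
#   prints one authorized_keys line that lets PUBKEY open forwards only to
#   the listed host:port DESTs.  Options are OpenSSH's standard ones:
#   command=  forces /bin/false if a shell or command is ever requested,
#   no-pty/no-agent-forwarding/no-X11-forwarding close the other channels,
#   permitopen= whitelists the -L targets.  (OpenSSH 7.2+ also accepts
#   "restrict,port-forwarding" as a shorter way to say much the same.)
tunnel_key_line() {
    pubkey=$1; shift
    [ $# -gt 0 ] || { echo "tunnel_key_line: need at least one host:port" >&2; return 2; }
    opts='command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding'
    for dest in "$@"; do
        opts="$opts,permitopen=\"$dest\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# audit_key_line LINE
#   prints each restriction missing from an authorized_keys LINE and returns
#   1 if any is missing, so a bare, unrestricted key fails the audit.
audit_key_line() {
    line=$1 rc=0
    for want in 'command=' 'no-pty' 'no-agent-forwarding' 'no-X11-forwarding' 'permitopen='; do
        case "$line" in
            *"$want"*) ;;
            *) echo "missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed placeholder key (not a real key).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleplaceholder tunnel@laptop'

# Demo: the line to put in ~sshtunnel/.ssh/authorized_keys on the server,
# allowing the client to run:  ssh -N -L 2525:127.0.0.1:25 sshtunnel@server
tunnel_key_line "$SAMPLE_KEY" 127.0.0.1:25 127.0.0.1:143
```

The account itself is created on the server with something like `useradd -r -m -s /sbin/nologin sshtunnel` (shadow-utils syntax; adjust for your system). Because the client IP is unpredictable, as noted above, a `from=` restriction is deliberately not used; the forced command and `permitopen=` are what limit the key.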