[TriLUG] Limit ssh access

Paul D. Boyle boyle at laue.chem.ncsu.edu
Tue Jan 22 12:57:45 EST 2002


> I'm seeing a lot of conflicting tips on the net on how to limit who
> can ssh into my linux ( RH 7.2 ) box.  Maybe it's my general level of
> inexperience, but there doesn't seem t/b a consensus on this.  I've
> read that I should use tcp_wrapper, and that I cannot use tcp_wrapper
> ( I start sshd through a rc.d script, not from inetd/xinetd ).

I always build my ssh/sshd binaries from the source.  In the configuration
step I always specify '--with-libwrap' (or whatever it is called).  This
makes sshd always consult /etc/hosts.{deny,allow} before allowing
a connection.  I would expect that the major distro producers enable
this in their build.  You could unpack the source for the package
(e.g. src.rpm under Redhat), and see if it has been enabled.

I think ssh/sshd has been modified to use PAM, so you could probably
set up a /etc/pam.d/sshd config file.  I have never understood PAM
configuration (despite reading the docs), so I can't help you with
that part.

> I would greatly appreciate a recommendation from one of the seasoned
> professionals on this list.
> 
> Does tcp_wrapper only work w/ daemons started w/in the inetd/xinetd
> framework, or will it work w/ other tcp services started from
> /etc/rc.d/init.d/ ??

No, see above.  tcpd provides a general library (libwrap) which provides
access control for any suitably hacked network service.  See the
hosts_access man page in section 3 (not section 5) of the man pages.

Good Luck,

Paul


-- 
Paul D. Boyle			    |	boyle at laue.chem.ncsu.edu
Director, X-ray Structural Facility |	phone: (919) 515-7362
Department of Chemistry - Box 8204  |	FAX:   (919) 515-5079
North Carolina State University     | 
Raleigh, NC, 27695-8204
http://laue.chem.ncsu.edu/web/xray.welcome.html
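As an added illustration (not part of Paul's reply or of tcp_wrappers itself), the evaluation order a libwrap-linked sshd follows when it consults /etc/hosts.allow and then /etc/hosts.deny, modelled in Python over a constructed sample policy. The policy text, the client addresses and the function names are assumptions, and only a subset of hosts_access(5) patterns is handled (ALL, dotted prefix, net/mask, exact address, EXCEPT).

```python
import ipaddress

def parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines (hosts_access(5) subset)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, client_ip):
    """Match one client pattern: ALL, dotted prefix, net/mask or exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # e.g. 192.168.1. matches 192.168.1.x
        return client_ip.startswith(pattern)
    if "/" in pattern:                           # e.g. 10.0.0.0/255.255.0.0
        return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(pattern, strict=False)
    return client_ip == pattern

def list_matches(patterns, match):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 also matches."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return list_matches(patterns[:i], match) and not list_matches(patterns[i + 1:], match)
    return any(match(p) for p in patterns)

def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (list_matches(daemons, lambda p: p in ("ALL", daemon))
            and list_matches(clients, lambda p: client_matches(p, client_ip)))

def hosts_access(daemon, client_ip, allow_text, deny_text):
    """Grant or refuse the connection in the order libwrap uses."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True     # /etc/hosts.allow is consulted first; a match grants access
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False    # then /etc/hosts.deny; a match refuses
    return True         # no match in either file: access is permitted by default

# Constructed sample policy (assumption, not from the post): LAN plus one 10.0/16 range
# may reach sshd, one host in that range is carved out, everything else is refused.
HOSTS_ALLOW = "sshd: 192.168.1. 10.0.0.0/255.255.0.0 EXCEPT 10.0.9.9\n"
HOSTS_DENY = "sshd: ALL\n"
```

Note that the deny file names only sshd: a daemon not listed there (in.telnetd in the test below) still falls through to the default permit, which is why a catch-all `ALL: ALL` in hosts.deny is the usual closing rule.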
