[TriLUG] Getting SSH to work at MSEC level 4 in Mandrake

Aaron S. Joyner aaron at joyner.ws
Mon May 3 11:41:47 EDT 2004


Jon Carnes wrote:

>I just spent close to an hour re-figuring out how to let ssh login to a
>new Mandrake 10 server using MSEC 4 (security level = higher).
>
>After opening up the firewall for SSH access, I had to edit the file:
> /etc/hosts.allow
>    sshd: ALL
>
>I didn't find that in the first 10 hits on Google so I thought I would
>put it out here for other folks (like me) to find.
>
>Jon Carnes
>
I had difficulty with almost this problem not long ago.  My problem was 
slightly different, but related.  Tanner saved me the many hours of 
searching I'm sure it would have entailed to find the right solution.  
:)  A friend of mine had installed Mandrake on his computer, and 
inadvertently chosen MSEC 4 during the install ("it seemed like the 
right thing, after all, more security is better, right?").  When he 
couldn't make anything work I got called in to figure out what was going on.

For future reference, and those not intimately familiar with Mandrake, 
there is a daemon which runs periodically that resets certain 
security-related parameters.  I discovered quickly that SSH was running 
through inetd and locked down by TCP wrappers -- but my instinct was to 
open things up more completely -- the user running this system didn't 
need hosts.deny to contain ALL:ALL, so I commented that to open up the 
very few services that inetd was offering.  Unfortunately, an hour or so 
later things broke again, because the configuration was reset by the 
msec(?) security daemon.  Jon's change of sshd: ALL to hosts.allow is 
the "Mandrake Happy" way of effecting the same change.  Note that you 
can also tone down this setting through the GUI under Security, but I 
haven't seen the interface myself so I will spare you my failed attempts 
at description.

I find it unfortunate that the installer presents security related 
options without dire warnings about the compatibility and feature 
trade-offs associated with each "Security Level".  Unfortunately, new 
users are often lulled into thinking "Sure, I want more security" so 
they choose a setting that is unfortunately higher than their ability to 
competently run.  The net result often being that they are turned off by 
"this linux thing" and give up, going back to their comfortable Windows 
world.  I'm not suggesting that these security related enhancements are 
in any way bad, but the installer should emphasise the inherent security 
of the lower levels compared to other OSes, and the potential pitfalls 
associated with the higher level of security.  I imagine the information 
is buried in the documentation, and perhaps there is a link to that 
documentation on that page - not having completely installed Mandrake 
before myself, I just don't know.  But regardless of the level of 
information present, it appears to me that it's not enough.  :)

Aaron S. Joyner
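
Added example, not part of the original thread: a simplified Python model of how TCP wrappers evaluates hosts.allow before hosts.deny, showing why `sshd: ALL` in hosts.allow opens SSH while the `ALL:ALL` in hosts.deny stays in place. It covers only a subset of the hosts_access(5) pattern syntax; the client addresses, the `in.telnetd` daemon name and the narrower `sshd: 192.168.1.` rule are constructed for illustration.

```python
# Simplified model of TCP wrappers access control (hosts_access(5)).
# Supported subset: daemon lists, the ALL wildcard, exact addresses and
# address prefixes ending in "." (for example "192.168.1.").

def parse_rules(text):
    """Return (daemons, clients) pairs from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # ignore any option field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def _match(patterns, value):
    for p in patterns:
        if p == "ALL" or p == value:
            return True
        if p.endswith(".") and value.startswith(p):
            return True
    return False

def allowed(daemon, client_ip, allow_text, deny_text):
    """hosts.allow is consulted first and the first match grants access.
    hosts.deny is consulted next and the first match denies access.
    A request matching neither file is granted."""
    for daemons, clients in parse_rules(allow_text):
        if _match(daemons, daemon) and _match(clients, client_ip):
            return True
    for daemons, clients in parse_rules(deny_text):
        if _match(daemons, daemon) and _match(clients, client_ip):
            return False
    return True

# hosts.deny as described in the thread; the rest is constructed sample input.
DENY = "ALL:ALL\n"
ALLOW_OPEN = "sshd: ALL\n"            # the change from the thread
ALLOW_NARROW = "sshd: 192.168.1.\n"   # constructed: limit SSH to one subnet

if __name__ == "__main__":
    for label, allow in (("empty", ""), ("sshd: ALL", ALLOW_OPEN),
                         ("sshd: 192.168.1.", ALLOW_NARROW)):
        for ip in ("192.168.1.20", "203.0.113.7"):
            print(label, ip, allowed("sshd", ip, allow, DENY))
```

Because only hosts.allow changes, the deny-everything default in hosts.deny keeps covering every other wrapped service.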


