SSH:TDG
SSH: The Secure Shell (The Definitive Guide)
Barrett, Silverman, & Byrnes / O’Reilly

SSH Frequently Asked Questions

I'm trying to use TCP wrappers (libwrap), but it doesn't work.
Compile SSH with libwrap (configure --with-libwrap[=path]).

Note that using SSH TCP-wrappers support does not involve using the program tcpd, even if you are starting sshd from inetd. tcpd is a wrapper for programs that don't use libwrap; the SSH code calls the libwrap routines to make the access checks itself.

libwrap is always in use if sshd was compiled with libwrap support; it can't be turned off. This means that you must have a libwrap configuration (/etc/hosts.{allow,deny}) which allows SSH connections in order for sshd to work properly. Missing or empty files are equivalent to no blocks, that is, all connections allowed.

Read the relevant man pages carefully: hosts_access(5) and hosts_options(5). The rules are order-dependent (the first matching rule decides) and can be tricky to get right. Start with a simple configuration that works, then extend it a bit at a time, testing as you go.

Another gotcha is naming screwups. If you use names instead of addresses in the libwrap control files, then be sure those names correspond to the correct addresses. For example, here's an /etc/hosts file with a common mistake:

#
# /etc/hosts -- Internet host table
#
127.0.0.1	fred.flintstone.org localhost
192.168.10.1	fred.flintstone.org fred

The mistake is including fred.flintstone.org on the line with the loopback address (127.0.0.1), and worse, making it the first entry. Suppose you have TCP-wrapper rules like this:

#
# /etc/hosts.allow
#
daemon : localhost : ALLOW
ALL    : ALL       : DENY

This is supposed to limit access to the "daemon" service to connections from the loopback address. But when the checking program looks up the name corresponding to the loopback address, it will get "fred.flintstone.org" instead of "localhost", so the first rule does not match, the connection falls through to the ALL : ALL : DENY rule, and it is denied by this configuration.

Here is a sample hosts.allow file:

#
# /etc/hosts.allow
#
# network access control for programs invoked by tcpd (see inetd.conf) or
# using libwrap.  See hosts_access(5) and hosts_options(5).

# restrict X forwarding access to this host
# (not available in OpenSSH)

sshdfwd-x11 : localhost this.host.net
sshdfwd-x11 : ALL : DENY

# otherwise, allow all connections from my networks or loopback

ALL : 192.168.1.0/255.255.255.0 \
      192.168.2.0/255.255.255.0 \
      localhost

# allow connections to these services from anywhere
# (the names are those of the running daemons; that is, their argv[0]
# values)

ipop3d sshd1 sshd2 sshd : ALL

# allow remote access to port 2001 from host remote.domain.net, when
# forwarded by SSH with -g (not available in OpenSSH)

sshdfwd-2001 : remote.domain.net

# deny everything else

ALL : ALL : DENY
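To see why the rules are order-dependent and why the /etc/hosts mistake above gets the loopback connection denied, here is an added, simplified model of hosts_access(5) matching (example code written for this FAQ entry, not part of libwrap, tcpd or SSH). It models only the single-file hosts.allow-with-options style and the client patterns used in the samples above (real libwrap also consults hosts.deny and supports EXCEPT, wildcards and more); the rule text and the reverse-lookup tables are constructed.

```python
import ipaddress
# Constructed input: the two-line hosts.allow shown in the text above.
LOOPBACK_ONLY = """
daemon : localhost : ALLOW
ALL    : ALL       : DENY
"""

# Constructed input: a cut-down version of the larger sample file.
NETWORKS = """
ALL  : 192.168.1.0/255.255.255.0 \\
       192.168.2.0/255.255.255.0 \\
       localhost
sshd : ALL
ALL  : ALL : DENY
"""

# Constructed reverse-lookup tables standing in for the resolver.  BAD is what
# the mistaken /etc/hosts yields: 127.0.0.1 comes back as fred.flintstone.org.
GOOD = {"127.0.0.1": "localhost", "192.168.10.1": "fred.flintstone.org"}
BAD = {"127.0.0.1": "fred.flintstone.org", "192.168.10.1": "fred.flintstone.org"}

def parse_rules(text):
    """Parse 'daemons : clients [: option]' lines; a trailing '\\' joins lines."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].upper() if len(fields) > 2 else "ALLOW"
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def client_matches(pattern, addr, name):
    """Subset of hosts_access(5) client patterns: ALL, net/mask, exact name or address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:   # net/mask form, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (addr, name)

def access_allowed(rules, daemon, addr, hosts):
    """First matching rule decides, as in hosts_access(5); no match means allow."""
    name = hosts.get(addr, addr)   # reverse lookup of the client address
    for daemons, clients, option in rules:
        if ("ALL" in daemons or daemon in daemons) and \
                any(client_matches(p, addr, name) for p in clients):
            return option != "DENY"
    return True
```

Running access_allowed(parse_rules(LOOPBACK_ONLY), "daemon", "127.0.0.1", BAD) returns False, which is exactly the surprise the FAQ describes; with GOOD it returns True.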