| Summary: | Following deprecation of tcp_wrappers (libwrap) in services, tcpd needs to be manually configured in systemd... it doesn't work | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | David Hill <dhill> |
| Component: | tcp_wrappers | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 35 | CC: | jjelen, pb |
| Target Milestone: | --- | Flags: | pb: needinfo? (dhill) |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | All | | |
| URL: | https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-12-05 06:37:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
David Hill
2020-12-04 03:04:02 UTC
I'm also very unhappy about dropping libwrap support (hit me on EL8), especially because there is no real simple-to-use replacement mechanism for some features which offer at least some basic protection, like:

- ACL based on DNS reverse lookup (usually, attackers don't know which domains are whitelisted...)
- Script-based accept/deny like "ipfilter.sh"

My current "ugly" workaround is using xinetd as a relay and reconnecting to the locally running SSH daemon. This has btw. the advantage that the ssh daemon is reachable on 2 ports:

- base port, protected by firewalld
- add-on port, protected by libwrap

```
service PB-sshd-tcpd
{
    id          = PB-sshd-tcpd
    socket_type = stream
    port        = ****
    type        = unlisted
    flags       = NAMEINARGS
    server      = /usr/sbin/tcpd
    server_args = /bin/nc 127.0.0.1 ****
    protocol    = tcp
    user        = nobody
    group       = nobody
    wait        = no
    instances   = ***
    per_source  = **
    cps         = ***
    disable     = no
}
```

I guess the "*" needs to be replaced by the values we need, right?

(In reply to David Hill from comment #4)
> I guess the "*" needs to be replaced by the values we need, right?

Yes, instances, per_source, cps can be overtaken from other examples; port = 2222 (example); server_args port usually 22 (in case one has not shifted the default ssh port to something else).

This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.

This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.

Documentation in https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers#:~:text=Fedora%2028%20removes%20support%20for,rules%20for%20more%20complex%20filtering is slightly incorrect. Looks like it is working on F35 using the following adjustments:

```
# create directory for override file
mkdir /etc/systemd/system/sshd@.service.d/

# create override file
cat <<'END' >/etc/systemd/system/sshd@.service.d/override.conf
[Service]
ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS
END

# Toggle SELinux to allow tcpd to use SSH port
setsebool -p ssh_use_tcpd=1

# systemd reload
systemctl daemon-reload

# restart of SSH socket
systemctl restart sshd.socket

# Test
cat <<END >>/etc/hosts.deny
sshd: 127.0.0.1 [::1]
END
```

=> ssh localhost should no longer work and is logged to /var/log/secure:

```
grep sshd /var/log/secure | grep refused
May 13 21:31:02 *** sshd[70569]: refused connect from ::1 (::1)
May 13 21:36:31 *** sshd[71326]: refused connect from ::1 (::1)
```

Can one confirm? If yes, I would try to get the Wiki updated.

Even better, this also checks whether /usr/sbin/tcpd is installed at all:

```
cat <<'END' >/etc/systemd/system/sshd@.service.d/override.conf
[Unit]
ConditionFileIsExecutable=/usr/sbin/tcpd

[Service]
ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS
END
```

Looks like F35 and EL8 are using different SSH start options; here is a flexibly generated one:

```
cat <<'END' >/etc/systemd/system/sshd@.service.d/override.conf
[Unit]
ConditionFileIsExecutable=/usr/sbin/tcpd

[Service]
ExecStart=
END
grep '^ExecStart=' /usr/lib/systemd/system/sshd@.service | sed 's#[^\/]*\(.*\)#ExecStart=@-/usr/sbin/tcpd \1#' >>/etc/systemd/system/sshd@.service.d/override.conf
```

Also a typo needs to be fixed:

```
setsebool -P ssh_use_tcpd=1
```

This message is a reminder that Fedora Linux 35 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '35'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 35 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.

Closing this bug now, as the documentation was updated some time ago.
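A scripted form of the drop-in generation discussed in the thread (the grep/sed pipeline that wraps sshd in tcpd), as an added example that is not part of the bug report: it takes the ExecStart line from whatever sshd@.service the distribution ships, strips systemd's prefix characters, and writes the tcpd-wrapped drop-in with the tcpd-installed condition, so one function covers both the F35 and the EL8 style unit. The unit file and output path are arguments (assumed here, not from the page), and the demo runs on a constructed unit file in a temp directory rather than touching /etc.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes tcpd lives at /usr/sbin/tcpd.

# gen_tcpd_override UNIT_FILE OUT_FILE
# Writes a drop-in that (1) only applies when tcpd is installed,
# (2) clears the inherited ExecStart and (3) re-adds it prefixed with tcpd.
# The "@" makes systemd exec /usr/sbin/tcpd while passing the original
# daemon path as argv[0], which is how tcpd locates the real daemon.
gen_tcpd_override() {
    unit=$1
    out=$2
    exec_line=$(grep '^ExecStart=' "$unit" | head -n 1)
    [ -n "$exec_line" ] || { echo "no ExecStart= in $unit" >&2; return 1; }
    # Drop "ExecStart=" and any systemd prefix characters (-, @, +, !, :)
    # so the daemon path becomes the first argument after tcpd.
    cmd=${exec_line#ExecStart=}
    cmd=$(printf '%s' "$cmd" | sed 's/^[-@+!:]*//')
    {
        printf '[Unit]\n'
        printf 'ConditionFileIsExecutable=/usr/sbin/tcpd\n'
        printf '\n[Service]\n'
        printf 'ExecStart=\n'
        printf 'ExecStart=@-/usr/sbin/tcpd %s\n' "$cmd"
    } > "$out"
}

# wrapped_execstart DROPIN: returns the generated tcpd ExecStart line,
# useful as a check before running systemctl daemon-reload.
wrapped_execstart() {
    grep '^ExecStart=@' "$1"
}

# Stand-alone demo on a constructed unit file (the F35 form of the line).
demo() {
    tmp=$(mktemp -d)
    printf '[Service]\nExecStart=-/usr/sbin/sshd -i $OPTIONS\n' > "$tmp/sshd@.service"
    gen_tcpd_override "$tmp/sshd@.service" "$tmp/override.conf"
    wrapped_execstart "$tmp/override.conf"
    rm -rf "$tmp"
}

demo
```

On a real host, point the first argument at /usr/lib/systemd/system/sshd@.service and the second at /etc/systemd/system/sshd@.service.d/override.conf, then run systemctl daemon-reload and restart sshd.socket as in the thread.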