Bug 232424

Summary: sshd appears to ignore all tcp_wrapper controls - is wide open all the time
Product: [Fedora] Fedora
Reporter: John Perkyns <jperkyns>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 6
Hardware: i386   
OS: Linux   
Last Closed: 2007-03-15 10:52:58 EDT

Description John Perkyns 2007-03-15 10:12:31 EDT
Description of problem:
sshd appears to totally ignore tcp_wrappers controls.  If I put an empty
/etc/hosts.allow and an /etc/hosts.deny that has ALL: ALL in it, I can still
connect from anywhere.  
This is a fairly vanilla install of fc6 i386 - I just upgraded from fc3 where it
worked as documented.  If there is something new in the setup that I need to do
to activate wrappers in fc6 it appears to be undocumented.  Was sshd compiled
with wrapper support?

The script kiddies have already found this and are ballooning my log files!!

Version-Release number of selected component (if applicable):
openssh-askpass-4.3p2-14.fc6
openssh-server-4.3p2-14.fc6
openssh-4.3p2-14.fc6
openssh-clients-4.3p2-14.fc6
tcp_wrappers-7.6-40.2.1

How reproducible:
All platforms I have running fc6 behave the same.

Steps to Reproduce:
1. Install fc6 with openssh + tcp_wrappers
2. Add hosts.allow/deny rules that have worked for a long time
3. 
  
Actual results:
Access appears to be wide open no matter what access rules are used

Expected results:
Configurable blocking

Additional info:

Comment 1 John Perkyns 2007-03-15 10:52:58 EDT
Problem may be solved.  Version 10 appears to not work, and the update from
version 10 to version 14 failed due to the over-aggressive file protections on
/usr/bin/ssh and /usr/sbin/sshd in version 10.  Version 14 could not overwrite
old executables, so created new ones with version number appended.

Could the update script be updated to deal with the file attributes in Ver 10?

Comment 2 John Perkyns 2007-03-15 10:54:59 EDT
Problem may be solved.  Version 10 appears to not work, and the update from
version 10 to version 14 failed due to the over-aggressive file protections on
/usr/bin/ssh and /usr/sbin/sshd in version 10.  Version 14 could not overwrite
old executables, so created new ones with version number appended.

Could the update script be updated to deal with the file attributes in Ver 10?
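
Added example, not part of the original report or of the openssh package: a shell sketch of the checks this thread points to, namely whether the sshd binary is linked against libwrap and whether an update left extra copies beside it. The function names, the `SSHD_BIN` variable and the assumed naming of leftover copies are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the bug report): check why hosts.allow /
# hosts.deny rules might not apply to a given sshd binary.

# Succeed if the ldd output on stdin shows the binary is linked to libwrap.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# Print files next to BIN whose names are BIN plus a suffix, e.g. copies left
# by an update that could not overwrite BIN (suffix format is an assumption).
leftover_copies() {
    for f in "$1"?*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Succeed if a hosts.deny-style file has an active (uncommented) ALL: ALL rule.
denies_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1" 2>/dev/null
}

# Run all checks against a real binary and print a short report.
check_sshd() {
    bin=$1
    if ldd "$bin" | links_libwrap; then
        echo "OK    $bin is linked against libwrap"
    else
        echo "WARN  $bin is not linked against libwrap; it will not consult hosts.allow/hosts.deny itself"
    fi
    left=$(leftover_copies "$bin")
    [ -z "$left" ] || echo "WARN  leftover copies, update may not have replaced $bin: $left"
    # Assumption: the "file attributes" in the report are ext2/ext3 attributes.
    if command -v lsattr >/dev/null; then lsattr "$bin" 2>/dev/null || true; fi
    # rpm -V prints nothing when installed files match the package database.
    if command -v rpm >/dev/null; then rpm -V openssh-server || true; fi
    if denies_all /etc/hosts.deny; then echo "INFO  /etc/hosts.deny contains ALL: ALL"; fi
}

# Only touch the live system when asked to: SSHD_BIN=/usr/sbin/sshd sh check.sh
if [ -n "${SSHD_BIN:-}" ]; then
    check_sshd "$SSHD_BIN"
fi
```

After replacing the binary, restart sshd so the running daemon is the one that was checked.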