Bug 1904301 - Following deprecation of tcp_wrappers (libwrap) in services, tcpd needs to be manually configured in systemd... it doesn't work
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: tcp_wrappers
Version: 35
Hardware: x86_64
OS: All
Priority: low
Severity: low
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL: https://fedoraproject.org/wiki/Change...
Whiteboard:
Depends On:
Blocks:
Reported: 2020-12-04 03:04 UTC by David Hill
Modified: 2023-09-18 00:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-12-05 06:37:46 UTC
Type: Bug
Embargoed:


Description David Hill 2020-12-04 03:04:02 UTC
Description of problem:
Following deprecation of tcp_wrappers (libwrap) in services, tcpd needs to be manually configured in systemd... it doesn't work.

Well the following doesn't work:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers#:~:text=Fedora%2028%20removes%20support%20for,rules%20for%20more%20complex%20filtering.

We get a bunch of errors like this:
Dec  3 21:53:08 zappa tcpd[6580]: getpeername: Socket operation on non-socket
Dec  3 21:53:16 zappa tcpd[6597]: warning: can't get client address: Socket operation on non-socket
Dec  3 21:53:16 zappa tcpd[6597]: getpeername: Socket operation on non-socket
Dec  3 21:54:03 zappa tcpd[6670]: warning: can't get client address: Socket operation on non-socket
Dec  3 21:54:03 zappa tcpd[6670]: getpeername: Socket operation on non-socket
Dec  3 21:54:50 zappa tcpd[6743]: warning: can't get client address: Socket operation on non-socket
Dec  3 21:54:50 zappa tcpd[6743]: getpeername: Socket operation on non-socket
Dec  3 21:55:38 zappa tcpd[6992]: warning: can't get client address: Socket operation on non-socket
Dec  3 21:55:38 zappa tcpd[6992]: getpeername: Socket operation on non-socket


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 3 Peter Bieringer 2020-12-04 06:45:04 UTC
I'm also very unhappy about dropping libwrap support (hit me on EL8), especially because there is no real simple-to-use replacement mechanism for some features which offer at least some basic protection, like:
- ACL based on DNS reverse lookup (usually, attackers don't know which domains are whitelisted...)
- Script-based accept/deny like "ipfilter.sh"

My current "ugly" workaround is using xinetd as relay and reconnecting to the locally running SSH daemon.

This has, btw., the advantage that the ssh daemon is reachable on 2 ports:
- base port, protected by firewalld
- add-on-port, protected by libwrap

service PB-sshd-tcpd
{
	id = PB-sshd-tcpd
	socket_type = stream
	port = ****
	type = unlisted
	flags = NAMEINARGS
	server = /usr/sbin/tcpd
	server_args = /bin/nc 127.0.0.1 ****
	protocol = tcp
	user = nobody
	group = nobody
	wait = no
	instances = ***
	per_source = **
	cps = ***
	disable = no
}

Comment 4 David Hill 2020-12-04 13:28:25 UTC
I guess the "*" needs to be replaced by the values we need right ?

Comment 5 Peter Bieringer 2020-12-05 05:53:23 UTC
(In reply to David Hill from comment #4)
> I guess the "*" needs to be replaced by the values we need right ?

Yes, instances, per_source, cps can be taken over from other examples
port = 2222 (example)
server_args port usually 22 (in case one has not shifted the default ssh port to something else)

Comment 6 Ben Cotton 2021-02-09 16:21:07 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Comment 7 Ben Cotton 2022-05-12 15:33:27 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 8 Peter Bieringer 2022-05-13 19:39:03 UTC
Documentation in
https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers#:~:text=Fedora%2028%20removes%20support%20for,rules%20for%20more%20complex%20filtering

is slightly incorrect.

Looks like it is working on F35 using the following adjustments:

# create directory for override file
mkdir /etc/systemd/system/sshd@.service.d/

# create override file
cat <<'END' >/etc/systemd/system/sshd@.service.d/override.conf
[Service]
ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS
END

# Toggle SELinux to allow tcpd to use SSH port
setsebool -p ssh_use_tcpd=1

# systemd reload
systemctl daemon-reload

# restart of SSH socket
systemctl restart sshd.socket


# Test
cat <<END >>/etc/hosts.deny
sshd: 127.0.0.1 [::1]
END

=> ssh localhost should no longer work and should be logged to /var/log/secure:

grep sshd /var/log/secure | grep refused
May 13 21:31:02 *** sshd[70569]: refused connect from ::1 (::1)
May 13 21:36:31 *** sshd[71326]: refused connect from ::1 (::1)


Can one confirm? If yes, I would try to get the Wiki updated.

Comment 9 Peter Bieringer 2022-05-13 19:45:49 UTC
Even better, this also checks whether /usr/sbin/tcpd is installed at all

cat <<'END' >/etc/systemd/system/sshd@.service.d/override.conf
[Unit]
ConditionFileIsExecutable=/usr/sbin/tcpd

[Service]
ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS
END

Comment 10 Peter Bieringer 2022-05-14 07:52:43 UTC
Looks like F35 and EL8 use different SSH start options; here is a flexibly generated one:


cat <<'END' >/etc/systemd/system/sshd@.service.d/override.conf
[Unit]
ConditionFileIsExecutable=/usr/sbin/tcpd

[Service]
ExecStart=
END

grep '^ExecStart=' /usr/lib/systemd/system/sshd@.service | sed 's#[^\/]*\(.*\)#ExecStart=@-/usr/sbin/tcpd \1#' >>/etc/systemd/system/sshd@.service.d/override.conf


Also a typo needs to be fixed:

setsebool -P ssh_use_tcpd=1
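The drop-in generation from comments 8 and 10, as an added example that is not part of the bug thread or the Fedora wiki: it derives the wrapped ExecStart= from whatever unit file is passed in (so the same script serves F35 and EL8), refuses to emit a drop-in when the unit has no ExecStart= line, and is written so it can be exercised offline against a constructed unit file. The unit path and drop-in directory are parameters; the follow-up commands from the thread are listed in the usage note rather than executed.

```shell
#!/bin/sh
# Added example, not code from the bug thread. Builds the sshd@.service drop-in
# that runs the per-connection sshd under tcpd. tcpd inspects the connection on
# its standard input, which is why the wrapper belongs in the socket-activated
# sshd@.service (StandardInput=socket) and not in sshd.service: wrapping a
# daemon whose stdin is not a socket yields the "getpeername: Socket operation
# on non-socket" errors from the original report.

# Print the tcpd-wrapped ExecStart= line for the first ExecStart= found in the
# unit file $1. Returns non-zero when the unit has no ExecStart= line, so a
# broken or unexpected unit does not silently become an empty drop-in.
wrap_execstart() {
    unit="$1"
    line=$(grep -m1 '^ExecStart=' "$unit") || return 1
    # Drop "ExecStart=" and any systemd prefix characters (-, @, +, !, :) so
    # that only the original command line remains, then prepend tcpd.
    cmd=$(printf '%s\n' "$line" | sed 's/^ExecStart=[-@+!:]*//')
    printf 'ExecStart=@-/usr/sbin/tcpd %s\n' "$cmd"
}

# Emit the complete drop-in text for the unit file $1: the ConditionFileIsExecutable
# guard from comment 9, the ExecStart= reset, and the wrapped ExecStart= line.
render_override() {
    wrapped=$(wrap_execstart "$1") || return 1
    printf '[Unit]\nConditionFileIsExecutable=/usr/sbin/tcpd\n\n[Service]\nExecStart=\n%s\n' "$wrapped"
}

# Write the drop-in for unit file $1 into directory $2
# (normally /etc/systemd/system/sshd@.service.d) as override.conf.
write_override() {
    mkdir -p "$2" || return 1
    render_override "$1" > "$2/override.conf"
}
```

After `write_override /usr/lib/systemd/system/sshd@.service /etc/systemd/system/sshd@.service.d`, apply it with the thread's remaining steps: `setsebool -P ssh_use_tcpd=1`, `systemctl daemon-reload`, `systemctl restart sshd.socket`, then verify with a temporary hosts.deny entry as in comment 8.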

Comment 11 Peter Bieringer 2022-05-14 08:44:00 UTC
Wiki updated: https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Comment 12 Ben Cotton 2022-11-29 16:50:52 UTC
This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 13 Peter Bieringer 2022-12-05 06:37:46 UTC
Closing this bug now as the documentation was updated some time ago.

Comment 15 Red Hat Bugzilla 2023-09-18 00:23:43 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

