Red Hat Bugzilla – Bug 232424
sshd appears to ignore all tcp_wrapper controls - is wide open all the time
Last modified: 2007-11-30 17:11:59 EST
Description of problem:
sshd appears to totally ignore tcp_wrappers controls. If I put an empty
/etc/hosts.allow and an /etc/hosts.deny that has ALL: ALL in it, I can still
connect from anywhere.
This is a fairly vanilla install of fc6 i386 - I just upgraded from fc3 where it
worked as documented. If there is something new in the setup that I need to do
to activate wrappers in fc6 it appears to be undocumented. Was sshd compiled
with wrapper support?
The script kiddies have already found this and are ballooning my log files!!
Version-Release number of selected component (if applicable):
All platforms I have running fc6 behave the same.
Steps to Reproduce:
1. Install fc6 with openssh + tcp_wrappers
2. Add hosts.allow/deny rules that have worked for a long time
Access appears to be wide open no matter what access rules are used

Problem may be solved. Version 10 appears to not work, and the update from
version 10 to version 14 failed due to the over-aggressive file protections on
/usr/bin/ssh and /usr/sbin/sshd in version 10. Version 14 could not overwrite
old executables, so created new ones with version number appended.
Could the update script be updated to deal with the file attributes in Ver 10?
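
A check for the two conditions raised in this report (whether sshd was built against libwrap, and whether an update left renamed copies beside the old binary), as an added example that is not part of the original bug report or of the openssh package. The function names and the "name plus suffix" pattern for leftover files are assumptions; the report does not give the exact file names.

```shell
#!/bin/sh
# Added example: audit helpers for the situation described in this report.

# links_libwrap: reads `ldd` output on stdin; succeeds if libwrap is listed.
# A statically linked libwrap does not show up in ldd output.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# stray_copies DIR NAME: prints files in DIR named NAME plus any suffix
# (assumed pattern for copies written by an update that could not overwrite).
stray_copies() {
    dir=$1; name=$2
    for f in "$dir/$name"?*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# audit_sshd [BINARY]: report on one installed daemon binary.
audit_sshd() {
    bin=${1:-/usr/sbin/sshd}
    if [ ! -x "$bin" ]; then
        echo "$bin: not found or not executable"
        return 1
    fi
    if ldd "$bin" 2>/dev/null | links_libwrap; then
        echo "$bin: dynamically linked against libwrap"
    else
        echo "$bin: libwrap not in ldd output; check for a static link"
    fi
    strays=$(stray_copies "$(dirname "$bin")" "$(basename "$bin")")
    if [ -n "$strays" ]; then
        echo "possible leftover copies from an incomplete update:"
        echo "$strays"
    fi
}

# Run the audit only when a binary path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_sshd "$1"
fi
```

If leftover copies are reported, the running daemon is still the old binary until the files are reconciled and sshd is restarted.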