Bug 232424 - sshd appears to ignore all tcp_wrapper controls - is wide open all the time
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 6
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
 
Reported: 2007-03-15 14:12 UTC by John Perkyns
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-03-15 14:52:58 UTC

Description John Perkyns 2007-03-15 14:12:31 UTC
Description of problem:
sshd appears to totally ignore tcp_wrappers controls.  If I put an empty
/etc/hosts.allow and an /etc/hosts.deny that has ALL: ALL in it, I can still
connect from anywhere.  
This is a fairly vanilla install of fc6 i386 - I just upgraded from fc3 where it
worked as documented.  If there is something new in the setup that I need to do
to activate wrappers in fc6 it appears to be undocumented.  Was sshd compiled
with wrapper support?

The script kiddies have already found this and are ballooning my log files!!

Version-Release number of selected component (if applicable):
openssh-askpass-4.3p2-14.fc6
openssh-server-4.3p2-14.fc6
openssh-4.3p2-14.fc6
openssh-clients-4.3p2-14.fc6
tcp_wrappers-7.6-40.2.1

How reproducible:
All platforms I have running fc6 behave the same.

Steps to Reproduce:
1. Install fc6 with openssh + tcp_wrappers
2. Add hosts.allow/deny rules that have worked for a long time
3. 
  
Actual results:
Access appears to be wide open no matter what access rules are used

Expected results:
Configurable blocking

Additional info:

Comment 1 John Perkyns 2007-03-15 14:52:58 UTC
Problem maybe solved.  Version 10 appears to not work, and the update from
version 10 to version 14 failed due to the over-aggressive file protections on
/usr/bin/ssh and /usr/sbin/sshd in version 10.  Version 14 could not overwrite
old executables, so created new ones with version number appended.

Could the update script be updated to deal with the file attributes in Ver 10? 
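
The two questions raised in this report (was sshd built with wrapper support, and did the package update actually replace the binary) can be checked directly. The following is an added example, not part of the original bug report or of any Fedora package; the default path /usr/sbin/sshd comes from comment 1, the function names are hypothetical, and it assumes that the "file protections" mentioned there are ext2/ext3 attributes visible to lsattr and that libwrap is linked dynamically.

```sh
#!/bin/sh
# Added diagnostic sketch; the default path and function names are assumptions.

# Reads `ldd <binary>` output on stdin; succeeds if libwrap is dynamically linked.
links_libwrap() {
    grep -Eq '(^|[[:space:]])libwrap\.so(\.[0-9]+)*([[:space:]]|$)'
}

# Reads `lsattr <file>` output on stdin; succeeds if the immutable (i) or
# append-only (a) attribute is set, either of which stops a package update
# from replacing the file.
blocks_replacement() {
    awk '$1 ~ /[ia]/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# Reads `rpm -V <package>` output on stdin; prints the verify flags for one
# path (a "5" in the flags means the file digest differs from the package).
verify_flags_for() {
    awk -v p="$1" '$NF == p { print $1 }'
}

# Runs the three checks against a real binary (default: /usr/sbin/sshd).
audit_sshd() {
    bin=${1:-/usr/sbin/sshd}
    [ -x "$bin" ] || { echo "ERROR: $bin not found or not executable"; return 2; }
    rc=0
    if ldd "$bin" 2>/dev/null | links_libwrap; then
        echo "OK:   $bin links libwrap"
    else
        echo "WARN: $bin has no dynamic libwrap dependency; hosts.allow/hosts.deny may be ignored"
        rc=1
    fi
    if lsattr "$bin" 2>/dev/null | blocks_replacement; then
        echo "WARN: $bin carries an attribute that blocks replacement on update"
        rc=1
    fi
    flags=$(rpm -Vf "$bin" 2>/dev/null | verify_flags_for "$bin")
    if [ -n "$flags" ]; then
        echo "WARN: $bin differs from its installed package (rpm -V: $flags)"
        rc=1
    fi
    return $rc
}
```

Source the file and call audit_sshd as root; it returns non-zero when any check warns.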
