Ernest Cespedes writes:
> I tried to configure tcp_wrappers/ssh2 to authenticate user logins based
> on usernames. In the TCP wrappers hosts_access man pages, it states that
> you should be able to use
>
> ssh2 : username@host in the /etc/allow.hosts file
>
> to restrict users from logging in. For example, if I only want selected
> authorized users to log in to my server, use the above format to allow
> access. This method makes it even more difficult if remote users are using
> their ISP via dial-in to log in remotely to the server. Their hostnames and
> IP addresses are dynamic. The log file shows that the user is always "UNKNOWN"
> and tcp_wrappers rejects the user from logging in.

All the username@host does in the above case is send an IDENT query to the
incoming host to get the username of the person on *that* machine trying to
log into *your* machine. However, the majority of machines out there are
not running an IDENT server, mainly because they are probably a PC or Mac
oriented type machine. Consequently, the username will be filled in with
"UNKNOWN".

A couple other things need to be considered. First, I don't recall if you
have to compile in the IDENT lookup code or not when you first configure the
tcp wrapper before compiling. It has been a long time for me, so I don't
remember. Secondly, the above does limit access even more, but IDENT stuff
can be spoofed as well. Who says that the IDENT server on the other side
has to tell the truth when asked who the user of a particular connection is?
Thirdly, the above is most useful when you specify a host that you *know*
is running an IDENT server and *does* have a specific user logged on. This
probably would be the case for only the hosts in your organization.

Anyways, I don't know what your "host" is. You may very well be running
IDENT servers on your machines and the "host" was one of your organization's
machines... *shrugs* If that is the case, then some other problem exists.

Hope that helps!

Scott
--
+-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
UNIX Systems Engineer mailto:[EMAIL PROTECTED]
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979
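
An added illustration of the IDENT (RFC 1413) exchange the reply above describes; it is not part of the original message and is not tcp_wrappers code. The function names and the loopback stand-in server are hypothetical, and the sketch shows both outcomes discussed: "UNKNOWN" when the connecting host runs no IDENT server, and a username that is whatever the remote side chooses to report.

```python
import socket
import threading

UNKNOWN = "UNKNOWN"  # what ends up in the log when no usable answer arrives

def parse_ident_reply(line, remote_port, local_port):
    """Extract the user name from one RFC 1413 reply line, else UNKNOWN."""
    fields = [f.strip() for f in line.split(":", 3)]
    if len(fields) != 4 or fields[1].upper() != "USERID":
        return UNKNOWN  # ERROR replies (NO-USER, HIDDEN-USER, ...) or junk
    try:
        ports = tuple(int(p) for p in fields[0].split(","))
    except ValueError:
        return UNKNOWN
    if ports != (remote_port, local_port):
        return UNKNOWN  # reply is about some other connection
    return fields[3] or UNKNOWN

def ident_lookup(host, remote_port, local_port, ident_port=113, timeout=3.0):
    """Ask the connecting host's IDENT service who owns the connection."""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{remote_port},{local_port}\r\n".encode("ascii"))
            with s.makefile("r", encoding="ascii", errors="replace") as f:
                reply = f.readline()
    except OSError:
        return UNKNOWN  # nothing listening, port filtered, or timed out
    return parse_ident_reply(reply, remote_port, local_port)

def serve_once(claimed_user):
    """Constructed stand-in for the remote host's IDENT server (loopback only).
    It reports whatever name its operator picked, so the answer is only as
    trustworthy as the machine giving it. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            ports = conn.recv(64).decode("ascii").strip()
            conn.sendall(f"{ports} : USERID : UNIX : {claimed_user}\r\n".encode())
    threading.Thread(target=handle, daemon=True).start()
    return port

if __name__ == "__main__":
    port = serve_once("alice")  # constructed sample user name
    print(ident_lookup("127.0.0.1", 6193, 22, ident_port=port))
```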