Scott,

Thanks for the info, but I tweaked every possible combination to get
"username" working and just can't get it to work. All clients and servers
are UltraSparcs running Solaris 2.7, which should comply with the RFC 931
(IDENT) function. Here are some relevant parameters in my Makefile:

############################
## Begin configuration options
#
# Uncomment the following definition if the wrappers should always
# attempt to get the remote user name. If this is not enabled you can
# still do selective username lookups as documented in the hosts_access.5
# and hosts_options.5 manual pages (`nroff -man' format).
#
AUTH = -DALWAYS_RFC931
#
ACCESS = -DHOSTS_ACCESS
#PARANOID= -DPARANOID
# In order to perform selective hostname lookups, disable paranoid
# mode (see previous section) and comment out the following definition.
#HOSTNAME= -DALWAYS_HOSTNAME
## End configuration options
############################

When I expand the access control using "%d-%h-%u", with %u to display the
username from the client, I always get "UNKNOWN", which tells me that the
username is not being resolved. However, %d (daemon process) and %h
(hostname) are okay.

Regards,
-ernest

Scott Adkins wrote:

> Ernest Cespedes writes:
> > I tried to configure tcp_wrappers/ssh2 to authenticate user logins based
> > on usernames. In the TCP wrappers hosts_access man pages, it states that
> > you should be able to use
> >
> >     ssh2 : username@host    in the /etc/allow.hosts file
> >
> > to restrict users from logging in. For example, if I only want selected
> > authorized users to log in to my server, I use the above format to allow
> > access. This method makes it even more difficult if remote users are using
> > their ISP via dial-in to log in remotely to the server. Their hostnames and
> > IP addresses are dynamic. The log file shows that the user is always
> > "UNKNOWN" and tcp_wrappers rejects the user from logging in.
>
> All the username@host does in the above case is send an IDENT query to the
> incoming host to get the username of the person on *that* machine trying to
> log into *your* machine. However, the majority of machines out there are
> not running an IDENT server, mainly because they are probably a PC or MAC
> oriented type machine. Consequently, the username will be filled in with
> "UNKNOWN".
>
> A couple other things need to be considered. First, I don't recall if you
> have to compile in the IDENT lookup code or not when you first configure the
> tcp wrapper before compiling. It has been a long time for me, so I don't
> remember. Secondly, the above does limit access even more, but IDENT stuff
> can be spoofed as well. Who says that the IDENT server on the other side
> has to tell the truth when asked who the user of a particular connection is?
> Thirdly, the above is most useful when you specify a host that you *know*
> is running an IDENT server and *does* have a specific user logged on. This
> probably would be the case for only the hosts in your organization.
>
> Anyways, I don't know what your "host" is. You may very well be running
> IDENT servers on your machines and the "host" was one of your organization's
> machines... *shrugs* If that is the case, then some other problem exists.
>
> Hope that helps!
> Scott
> --
> +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
> Scott W. Adkins          http://www.cns.ohiou.edu/~sadkins/
> UNIX Systems Engineer    mailto:[EMAIL PROTECTED]
> ICQ 7626282              Work (740)593-9478   Fax (740)593-1944
> +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
> CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979
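An added illustration, not part of this thread and not tcp_wrappers' own
code: the Python below walks through what the wrapper's RFC 931/1413 lookup
does on the receiving side (send "<remote port>,<our port>" to port 113 on
the connecting host, accept only a matching USERID reply, otherwise fall back
to "unknown"), and then applies a hosts.allow "daemon : user@host" rule to the
result, so it is visible why a failed, refused or absent lookup ends up as
"unknown" and is denied by a user@host rule. The host names, ports and reply
strings are constructed; the "ssh2" daemon name and the %d-%h-%u format are
the ones from the post.

```python
import re
import socket

# Constructed example, not tcp_wrappers' own code. It mirrors what the
# wrapper's RFC 931/1413 lookup does: send "<remote port>,<our port>" to
# port 113 on the connecting host, accept the answer only if it echoes the
# same port pair and carries a USERID field, and fall back to the string
# "unknown" (STRING_UNKNOWN in tcpd.h) on any error, timeout or malformed
# reply. That fallback is exactly what a "%u" of UNKNOWN in the log means.

IDENT_PORT = 113
UNKNOWN = "unknown"

_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$")


def build_ident_query(remote_port: int, local_port: int) -> bytes:
    """Query line as the wrapper sends it: the port on the host running the
    ident server (the connecting client) comes first, then our own port."""
    return f"{remote_port},{local_port}\r\n".encode("ascii")


def parse_ident_reply(reply: str, remote_port: int, local_port: int) -> str:
    """Return the reported user name, or "unknown" if the reply cannot be
    used. Whatever the remote ident server says is taken at face value; the
    protocol gives no way to verify it, which is the spoofing point above."""
    m = _REPLY.match(reply.strip())
    if m is None:
        return UNKNOWN                       # not an RFC 1413 reply at all
    rport, lport, kind, rest = m.groups()
    if int(rport) != remote_port or int(lport) != local_port:
        return UNKNOWN                       # answer is for another connection
    if kind != "USERID":
        return UNKNOWN                       # ERROR : NO-USER, HIDDEN-USER, ...
    fields = rest.split(":", 1)              # "<opsys> : <user-id>"
    if len(fields) != 2:
        return UNKNOWN
    tokens = fields[1].split()
    return tokens[0] if tokens else UNKNOWN  # wrapper keeps the first token


def ident_lookup(remote_host: str, remote_port: int, local_port: int,
                 timeout: float = 10.0) -> str:
    """Live lookup against the connecting host (10 s is the wrapper's
    RFC931_TIMEOUT default). Any socket failure yields "unknown"."""
    try:
        with socket.create_connection((remote_host, IDENT_PORT), timeout) as s:
            s.sendall(build_ident_query(remote_port, local_port))
            data = s.recv(1024)
    except OSError:
        return UNKNOWN
    return parse_ident_reply(data.decode("ascii", "replace"),
                             remote_port, local_port)


def token_matches(pattern: str, value: str) -> bool:
    """One hosts_access(5) token: ALL, KNOWN, UNKNOWN, a leading-dot domain
    suffix, or an exact (case-insensitive) name."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return value != UNKNOWN
    if pattern == "UNKNOWN":
        return value == UNKNOWN
    if pattern.startswith("."):
        return value.lower().endswith(pattern.lower())
    return pattern.lower() == value.lower()


def client_matches(pattern: str, user: str, host: str) -> bool:
    """A "user@host" client pattern needs both halves to match; a pattern
    without "@" is matched against the host only."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return token_matches(user_pat, user) and token_matches(host_pat, host)
    return token_matches(pattern, host)


def access_decision(rule: str, daemon: str, user: str, host: str) -> str:
    """Apply one hosts.allow line ("daemon : client") and render the same
    %d-%h-%u string the original post used for logging."""
    daemon_pat, client_pat = (p.strip() for p in rule.split(":", 1))
    ok = token_matches(daemon_pat, daemon) and client_matches(client_pat, user, host)
    return f"{'allow' if ok else 'deny'} {daemon}-{host}-{user}"


if __name__ == "__main__":
    # Constructed replies; host names and ports are made up.
    rule = "ssh2 : ernest@.example.com"
    good = parse_ident_reply("6191, 22 : USERID : UNIX : ernest\r\n", 6191, 22)
    print(access_decision(rule, "ssh2", good, "sun1.example.com"))
    none = parse_ident_reply("6191, 22 : ERROR : NO-USER\r\n", 6191, 22)
    print(access_decision(rule, "ssh2", none, "sun1.example.com"))
```

The lookup trusts whatever the remote ident daemon returns, so a user@host
rule only narrows access for hosts you administer yourself; treat the %u
value as advisory in logs rather than as authentication, and expect
"unknown" from any client that runs no ident daemon or filters port 113.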
