Hi,
I tried this (debugging) and got connection closed, which indicates that things
were set up properly. The behavior was still strange though. For instance, I was
still getting "Connection lost on output." after ssh'ing from an allowed host. The entries
in /etc/services and /etc/inetd.conf were correct, as were /etc/hosts.allow
and /etc/hosts.deny.
Before, I was running sshd as a static daemon, meaning no inetd, and I had compiled it
with libwrap. So there was no problem there. I wanted to utilize a particular
feature of the tcp wrappers with sshd, but this utilization was actually
redundant--I wanted additional logging and notification for hosts that were
denied access. I adopted Carl's suggestion for additional logging and it seems
to be working nicely.
It's clearly not meant to be run from inetd; as Gregor pointed out, the
performance hit is significant, plus things didn't go well when I tried.
Anyway, it works great as a static daemon and does everything it's supposed to.
I came upon a copy of Anne Carasik's book since yesterday and have gained quite
a lot from it.
Thanks very much,
Chris
>
> If you want to run it via inetd and tcpd, make sure that the entry in
> /etc/hosts.allow has a service name that matches the name of the binary
> you execute. In this case, since you execute "sshd", the hosts.allow entry
> should be something like:
> sshd: 192.168.1.*
>
> Use tcpdmatch to check your hosts.allow/deny settings:
> tcpdmatch sshd 192.168.1.1
> tcpdmatch sshd 10.0.0.10
>
> Also, try "telnet localhost 22"
> A "connection refused" means nothing's listening on port 22. A "connection
> closed" would indicate that the tcpd is doing its thing. A "SSH-2.0.13"
> banner would indicate that the tcpd is letting you in but that sshd is
> flaking out.
>
>
> The real solution, though, is to not use inetd at all because of the
> performance loss. On our systems (SPARC 5 running Solaris) it takes 30
> seconds for a connection, and under inetd it'd be even slower. Try this
> instead:
>
> 1. Remove sshd from inetd.conf and HUP inetd.
> Make sure that port 22 is free: "telnet localhost 22" should
> give a "connection refused"
> 2. Get and unpack sshd-2.0.13 again
> 3. "configure --with-libwrap=DIR"
> where DIR is the directory that contains libwrap.a
> You *did* save libwrap.a when you compiled tcpd, didn't you?
> 4. Start up sshd
> 5. Create a hosts.allow and hosts.deny file, and make sure that
> the service name matches the binary name, as above. If you run
> "/usr/local/sbin/sshd2" then the service name must be "sshd2"
>
> --
> Gregor Mosheh
> [EMAIL PROTECTED]
> Systems Admin, Humboldt Internet
> 707.825.4638
>
>
> On Tue, 9 Nov 1999, Christopher Dingle wrote:
>
> >
> > Hi,
> >
> > I think that the solution to my problem may be to run ssh from inetd.
> >
> > I added the following to /etc/inetd.conf:
> > ssh stream tcp nowait root /usr/etc/tcpd /usr/local/sbin/sshd -i
> >
> > and I added a line to /etc/services for ssh on port 22:
> > ssh 22/tcp secure
> >
> > However, when I attempt connections I get:
> >
> > "Connection lost on output." or some such.
> >
> > Am I forgetting something and/or doing something silly? I have a feeling that the problem
> > may have to do with the /usr/etc/tcpd part of the line. Any ideas?
> >
> > Thanks,
> > Chris
> >
> > -----------------------------------------------
> > Christopher Dingle * [EMAIL PROTECTED]
> > Systems Administrator - High Energy Astrophysics Division
> > Harvard-Smithsonian Center for Astrophysics
> > 60 Garden St. , Cambridge MA 02138
> > -----------------------------------------------
> >
> >
>
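The checks Gregor describes above (the daemon field in hosts.allow must equal the basename of the binary tcpd executes, and `tcpdmatch sshd 192.168.1.1` / `tcpdmatch sshd 10.0.0.10` to confirm the verdict) follow from the tcp_wrappers access-control algorithm: hosts.allow is consulted first, then hosts.deny, first match wins, and a client that matches neither file is let in. The Python below is an added example, not part of this thread and not tcp_wrappers code; it models that algorithm on constructed hosts.allow/hosts.deny text so the sshd-versus-sshd2 mistake from step 5 can be seen without a real inetd. It implements only a subset of the hosts_access(5) pattern syntax (ALL, exact address, trailing-dot prefix, net/mask, leading-dot host suffix, EXCEPT), and its treatment of the "192.168.1.*" spelling used in the quoted message, which it normalizes to the documented trailing-dot form "192.168.1.", is an assumption of this example.

```python
"""Model of tcp_wrappers (tcpd/libwrap) access control in the spirit of
`tcpdmatch DAEMON CLIENT`.  Added example, not tcp_wrappers' own code.

Semantics reproduced: /etc/hosts.allow is searched first, then /etc/hosts.deny,
first matching rule wins, and no match at all means access is granted.
The daemon name tcpd compares against is the basename of the program it runs,
which is why "sshd" in hosts.allow does nothing for /usr/local/sbin/sshd2.
"""
import ipaddress
import os


def daemon_name(binary_path: str) -> str:
    """tcpd takes the daemon name from the last component of the program path."""
    return os.path.basename(binary_path)


def _match_client(pattern: str, client: str) -> bool:
    """Subset of hosts_access(5) client patterns (IPv4 addresses and host names)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    # Assumption for this example: treat "192.168.1.*" (the spelling used in the
    # thread) as the trailing-dot prefix form "192.168.1." that hosts_access(5)
    # documents.  Real tcpd has no '*' wildcard.
    if pattern.endswith(".*"):
        pattern = pattern[:-1]
    if pattern.startswith("."):                 # ".example.org": host-name suffix
        return client.endswith(pattern)
    if "/" in pattern:                          # "10.0.0.0/255.0.0.0": net/mask
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            return ipaddress.ip_address(client) in network
        except ValueError:
            return False
    if pattern.endswith("."):                   # "192.168.1.": address prefix
        return client.startswith(pattern)
    return client == pattern                    # exact address or host name


def _match_daemon(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def _match_list(patterns: str, value: str, matcher) -> bool:
    """'a b EXCEPT c': value must match the left list and not the right one."""
    parts = patterns.split("EXCEPT", 1)
    include = parts[0].split()
    exclude = parts[1].split() if len(parts) > 1 else []
    if not any(matcher(p, value) for p in include):
        return False
    return not any(matcher(p, value) for p in exclude)


def _parse(table: str):
    """Yield (daemon_list, client_list, line_no); comments and blanks are skipped."""
    for no, raw in enumerate(table.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # malformed rule; tcpd logs it and moves on
        yield fields[0].strip(), fields[1].strip(), no


def _first_match(table: str, daemon: str, client: str):
    for daemons, clients, no in _parse(table):
        if _match_list(daemons, daemon, _match_daemon) and \
                _match_list(clients, client, _match_client):
            return no
    return None


def check_access(daemon: str, client: str, hosts_allow: str, hosts_deny: str):
    """Return ('granted' | 'denied', reason) the way tcpdmatch reports its verdict."""
    no = _first_match(hosts_allow, daemon, client)
    if no is not None:
        return "granted", f"hosts.allow line {no}"
    no = _first_match(hosts_deny, daemon, client)
    if no is not None:
        return "denied", f"hosts.deny line {no}"
    return "granted", "no matching rule (tcpd default)"


# Constructed sample tables in the shape Gregor describes.
HOSTS_ALLOW = """\
# allow sshd only from the local /24
sshd: 192.168.1.
"""
HOSTS_DENY = """\
ALL: ALL
"""

if __name__ == "__main__":
    for binary, client in [("/usr/local/sbin/sshd", "192.168.1.1"),
                           ("/usr/local/sbin/sshd", "10.0.0.10"),
                           ("/usr/local/sbin/sshd2", "192.168.1.1")]:
        verdict = check_access(daemon_name(binary), client, HOSTS_ALLOW, HOSTS_DENY)
        print(f"{binary} from {client}: {verdict[0]} ({verdict[1]})")
```

The third case in the `__main__` loop is the trap from step 5: the allow rule names `sshd`, the binary is `sshd2`, so the client falls through to `ALL: ALL` in hosts.deny and gets the same "connection closed" an unwanted host would. Running `tcpdmatch` with the daemon name you actually execute is the quick way to catch that on a real system.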