LinuxQuestions.org
Old 12-20-2005, 10:04 PM   #1
seagley
LQ Newbie
 
Registered: Nov 2005
Location: China
Distribution: Redhat,SuSE.FreeBSD
Posts: 13

Rep: Reputation: 1
sshd doesn't work with tcp wrapper (xinetd)...


Funny that I used to make it work several years ago on Debian(inet) + sshd + tcp wrapper.

Now I'm on Redhat 9.0, and the /etc/xinetd.d/sshd file looks like this:

service ssh
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/sshd
    server_args = i
    log_on_failure += USERID
    disable = no
}

I know that "server_args = i" is VERY important to make it work in daemon mode. Then I restart the xinetd service; it recognizes the sshd service and then listens on port 22. But it fails every time I try to establish an ssh connection; the log says that xinetd fails to bind port 22 to address 0.0.0.0. (I also tried changing the ListenAddress to the host's fixed IP, as well as disabling the IPv6 feature, and it failed again, and I'm SURE there is no other process occupying port 22 at that time.)

Then I tried executing "sshd -i -d", and got this error in syslog:

Quote:
Dec 21 11:40:39 pluto sshd[1938]: Received signal 15; terminating.
Dec 21 11:40:53 pluto sshd[9302]: debug1: inetd sockets after dupping: 5, 6
Dec 21 11:40:53 pluto sshd[9302]: error: setsockopt SO_KEEPALIVE: Socket operation on non-socket
Dec 21 11:40:53 pluto sshd[9302]: warning: can't get client address: Socket operation on non-socket
Dec 21 11:40:53 pluto sshd[9302]: Connection from UNKNOWN port 65535
Dec 21 11:40:54 pluto sshd[9302]: Bad protocol version identification '' from UNKNOWN
Any idea? Btw, sshd works perfectly in stand-alone mode; I just need the tcp wrapper feature for protecting my system(s). And sorry, I'm kinda lazy to re-compile sshd with "tcp wrapper" enabled.

Thanks in advance.

Last edited by seagley; 12-20-2005 at 10:06 PM.
 
Old 12-21-2005, 08:23 AM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Most distributions typically compile OpenSSH with support for libwrap so there is no need to launch the daemon via inetd/xinetd. Try experimenting with your hosts.allow and hosts.deny files to verify. You may also want to consider using iptables rules to filter connections.
 
Old 12-21-2005, 09:05 PM   #3
seagley
LQ Newbie
 
Registered: Nov 2005
Location: China
Distribution: Redhat,SuSE.FreeBSD
Posts: 13

Original Poster
Rep: Reputation: 1
Hi Stickman,

Thank you for the suggestion. I heard about a similar OpenSSH & xinetd problem before, and I also tried the hosts.deny & hosts.allow way; weirdly, the blocking doesn't work at all. So I think it may be a problem with the embedded sshd (Redhat 9).

Ok, I will try to download a new version of OpenSSH and re-compile it for my redhat 9 system.
 
Old 12-21-2005, 09:18 PM   #4
seagley
LQ Newbie
 
Registered: Nov 2005
Location: China
Distribution: Redhat,SuSE.FreeBSD
Posts: 13

Original Poster
Rep: Reputation: 1
Btw... I have set up iptables on the redhat boxes, but what I wanna achieve is the TCP wrapper feature of "access_time".

Any suggestion about establishing access_time via iptables will be appreciated.

P.S. I can make a crontab job to start/kill the sshd pid at the expected time, but I think it would be better if I can make iptables do the same thing :-P
 
Old 12-24-2005, 09:05 PM   #5
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
What do you have in your hosts.allow and hosts.deny files? Typically the best configuration is to allow only a small set of clients in your hosts.allow and deny ALL in your hosts.deny.
 
  

