Ssh – openssh removed support for tcp_wrappers – now what? No hosts.allow for ssh access any more


I built openssh 7.5p1 on a CentOS 7.3 system, after removing the originally installed package openssh which is (currently) 6.6.1p1.

All seemed good until I found out that openssh removed support for the tcp_wrappers/libwrap at version 6.7.

I guess this would mean that my old / trusted ACL via /etc/hosts.allow and /etc/hosts.deny is now useless? (I have no way to test at this moment, unless using a spoofing tool).

If this holds true, what would be a replacement for this until now so convenient and easy way to control access for a public ssh server?

Best Answer

> I built openssh 7.5p1 on a CentOS 7.3 system, after removing the originally installed package openssh which is (currently) 6.6.1p1.

The current OpenSSH is 7.4 in RHEL 7.4. If it is not yet in CentOS, just wait some more days.

> All seemed good until I found out that openssh removed support for the tcp_wrappers/libwrap at version 6.7.

You can build OpenSSH with the support for tcp_wrappers if you wish. There is a patch that adds support for that:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-July/036131.html

> I guess this would mean that my old / trusted ACL via /etc/hosts.allow and /etc/hosts.deny is now useless? (I have no way to test at this moment, unless using a spoofing tool).

Or you can use tcpd to start your sshd and do the filtering with an instanced sshd service as described in the following mail:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/UOAUI4TC6PQVHRJ2ONQ2N3IKHR4577VH/

> If this holds true, what would be a replacement for this until now so convenient and easy way to control access for a public ssh server?

Yes, it is true, but for reasonable filtering, you should use a firewall. The tcp_wrappers were a thing 20 years ago, when there were hardly any firewalls in Linux (and Unix).
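To make the "use a firewall instead" advice concrete, here is an added example (not part of the answer above, and not an OpenSSH or firewalld tool) that translates the simple client patterns of an old `/etc/hosts.allow` into firewalld rich rules for CentOS 7, where firewalld is the default firewall and its `ssh` service is normally open in the `public` zone. The function names `pattern_to_cidr`, `acl_to_rich_rules` and `emit_firewalld_commands` are mine; the sample ACL is constructed. It handles only IPv4 address patterns (full address, `a.b.c.` prefix form, CIDR); hostnames, `ALL`, netgroups, `EXCEPT` clauses and option fields cannot be expressed as address matches and are reported on stderr so you can review them by hand rather than silently losing a rule.

```shell
#!/bin/sh
# Added example: migrate hosts.allow sshd entries to firewalld rich rules.

# Expand one hosts.allow client pattern into CIDR notation.
# Returns 1 for anything a packet filter cannot match on (names, ALL, @netgroup).
pattern_to_cidr() {
    p=$1
    case "$p" in
        *[!0-9./]*) return 1 ;;              # hostname, ALL, @netgroup, ...
        */*)
            case "${p#*/}" in
                *[!0-9]*) return 1 ;;        # "addr/255.255.255.0" netmask form: not handled
                *) printf '%s\n' "$p" ;;     # already CIDR
            esac ;;
        *.)                                   # "192.168.1." style prefix
            dots=$(printf '%s' "$p" | tr -cd '.' | wc -c | tr -d ' ')
            case "$dots" in
                1) printf '%s0.0.0/8\n' "$p" ;;
                2) printf '%s0.0/16\n' "$p" ;;
                3) printf '%s0/24\n' "$p" ;;
                *) return 1 ;;
            esac ;;
        *.*.*.*) printf '%s/32\n' "$p" ;;     # single IPv4 host
        *) return 1 ;;
    esac
}

# Read hosts.allow lines on stdin; print one rich rule per sshd client pattern.
# IPv4 only: bracketed IPv6 entries contain ':' and are not parsed here.
acl_to_rich_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        case "$line" in *:*) ;; *) continue ;; esac       # skip blank/odd lines
        daemons=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        case ",$daemons," in *,sshd,*|*,ALL,*) ;; *) continue ;; esac
        rest=${line#*:}
        clients=${rest%%:*}                               # drop ": option" field
        case "$rest" in *:*)
            printf 'note: option field ignored, review by hand: %s\n' "$line" >&2 ;;
        esac
        case "$clients" in *EXCEPT*)
            printf 'note: EXCEPT clause dropped, review by hand: %s\n' "$clients" >&2
            clients=${clients%%EXCEPT*} ;;
        esac
        for pat in $(printf '%s' "$clients" | tr ',' ' '); do
            if cidr=$(pattern_to_cidr "$pat"); then
                printf 'rule family="ipv4" source address="%s" service name="ssh" accept\n' "$cidr"
            else
                printf 'skipped: %s (not an address pattern, a firewall cannot match it)\n' "$pat" >&2
            fi
        done
    done
}

# Turn rich rules on stdin into firewall-cmd invocations. Removing the blanket
# "ssh" service from the zone is what makes the list an allow-list: the zone's
# default target (reject in "public") then handles every other source.
emit_firewalld_commands() {
    zone=${1:-public}
    while IFS= read -r rule; do
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    done
    printf 'firewall-cmd --permanent --zone=%s --remove-service=ssh\n' "$zone"
    printf 'firewall-cmd --reload\n'
}

# Constructed sample of a former /etc/hosts.allow (not a real host's file).
SAMPLE_HOSTS_ALLOW='# management subnet, one jump host, a /16, a hostname, a deny-all
sshd: 192.168.10.0/24, 10.0.0.5
sshd: 172.16.
sshd: jump.example.org
sshd: ALL : deny'

printf '%s\n' "$SAMPLE_HOSTS_ALLOW" | acl_to_rich_rules | emit_firewalld_commands public
```

Run it to review the generated commands; pipe the output into `sh` as root only after checking the stderr notes, because every pattern the firewall cannot express (here `jump.example.org` and the `ALL : deny` line) needs a manual decision. Keep an existing session open while reloading so a mistake in the allow-list does not lock you out.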