Configure TCP Wrappers in Solaris 9
Published: 2007-07-01
Q. How do I configure TCP Wrappers in Solaris 9 OE?
A. In Solaris 9 OE, TCP Wrappers support (libwrap) is compiled into the Solaris Secure Shell daemon, sshd (/usr/lib/ssh/sshd). To use libwrap with Solaris Secure Shell, simply create /etc/hosts.allow and/or /etc/hosts.deny and edit them accordingly. Using TCP Wrappers for other services, which are started by inetd, requires additional steps.
For Solaris Secure Shell or inetd-started TCP services to use TCP Wrappers, create /etc/hosts.allow and/or /etc/hosts.deny, then insert entries in the hosts_access(4) format "<daemon_list> : <client_list> [: <shell_command>]". The following are some of the possible valid entries:
sshd: ALL
in.telnetd: ALL
in.ftpd : 192.168.1.2
#in.rlogind : 10.0.0.
By default only the first entry ("sshd") takes effect, because libwrap is compiled into Solaris Secure Shell. The entries for inetd-started services (in.telnetd, in.ftpd, in.rlogind) take effect only after TCP Wrappers are enabled in /etc/default/inetd and inetd is sent a SIGHUP ("# kill -HUP <PID_inetd>"). Specifically, uncomment the following pre-defined variable and set its value to "YES":
#ENABLE_TCPWRAPPERS=NO <-- the default entry
ENABLE_TCPWRAPPERS=YES <-- the modified entry; change to this
From the command line:
# pgrep inetd
# kill -HUP <PID_inetd>
It is not necessary to restart the Secure Shell server or HUP inetd after modifying /etc/hosts.allow or /etc/hosts.deny: libwrap re-reads both files on every incoming connection. Only enabling or disabling TCP Wrappers in /etc/default/inetd requires a HUP of inetd. Simply edit the applicable file, save and test.
To test, attempt a connection to the local host with each applicable service. For instance, assume that the entries listed above exist in /etc/hosts.deny, that /etc/default/inetd has been modified to "ENABLE_TCPWRAPPERS=YES", and that inetd has been HUPed. Use the test host's own host name and IP address as configured on that box. Then perform the following tests to confirm that the Secure Shell and TCP service restrictions are applied properly:
Note: In the following, replace 'user' with a valid UNIX account user name and 'hostname' with the host name.
# /usr/bin/ssh -l user hostname <-- should fail for everyone
# /usr/bin/telnet -l user hostname <-- should fail for everyone
# /usr/bin/ftp hostname <-- should fail only from 192.168.1.2, not from other machines
# /usr/bin/rlogin -l user hostname <-- should succeed from any address, since the in.rlogind entry is commented out
Be aware that /etc/hosts.allow is consulted before /etc/hosts.deny and that the first match wins: a matching rule in hosts.allow grants access, otherwise a matching rule in hosts.deny denies it, and if neither file matches, access is granted. Thus with the entry "sshd: ALL" in both /etc/hosts.deny and /etc/hosts.allow, Secure Shell access is granted to everyone. The corollary is that a deny-by-default policy needs an explicit "ALL: ALL" in /etc/hosts.deny; a hosts.deny with no matching entry blocks nothing.
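The lookup order above is easy to get wrong by editing the live files and testing by hand. The script below is an added example, not part of the Sun infodoc or of Solaris: it evaluates a daemon/client pair against hosts.allow and hosts.deny in libwrap's order (allow file, then deny file, else allow) so that entries in the format shown earlier can be checked before they are deployed. It is an assumption of this example that only a subset of the hosts_access(4) grammar is handled: ALL, an exact IPv4 address, a dotted network prefix such as "10.0.0.", comment lines, and an optional third shell_command field (parsed past, never executed). Host names, EXCEPT lists and KNOWN/UNKNOWN/PARANOID are not implemented. The sample files are constructed inline for the demo; the HOSTS_ALLOW and HOSTS_DENY variables are this example's own, not Solaris settings.

```shell
#!/bin/sh
# Added example: dry-run evaluator for hosts_access(4) precedence.
# Assumptions (not from the page): supported patterns are ALL, exact IPv4
# address, and a dotted network prefix ending in "."; host names, EXCEPT
# and KNOWN/UNKNOWN/PARANOID are out of scope.

# wrap_match LIST ITEM: succeed if ITEM matches one comma-separated pattern in LIST.
wrap_match() {
    item=$2
    _ifs=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$_ifs
    for pat; do
        pat=${pat#"${pat%%[![:space:]]*}"}   # strip leading blanks
        pat=${pat%"${pat##*[![:space:]]}"}   # strip trailing blanks
        case $pat in
            ALL|all) return 0 ;;                                # wildcard
            *.) case $item in "$pat"*) return 0 ;; esac ;;      # network prefix
            *)  [ "$pat" = "$item" ] && return 0 ;;             # exact match
        esac
    done
    return 1
}

# wrap_file_matches FILE DAEMON CLIENT: succeed if any rule in FILE matches.
# A missing or unreadable file is treated as empty, as libwrap does.
wrap_file_matches() {
    file=$1 daemon=$2 client=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in "#"*) continue ;; esac            # comment line
        case $line in *:*) ;; *) continue ;; esac       # blank or malformed line
        dlist=${line%%:*}
        rest=${line#*:}
        case $rest in *:*) clist=${rest%%:*} ;; *) clist=$rest ;; esac
        if wrap_match "$dlist" "$daemon" && wrap_match "$clist" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# wrap_access DAEMON CLIENT: print ALLOW or DENY using libwrap's order:
# hosts.allow match -> allow; else hosts.deny match -> deny; else allow.
wrap_access() {
    if wrap_file_matches "${HOSTS_ALLOW:-/etc/hosts.allow}" "$1" "$2"; then
        echo ALLOW
    elif wrap_file_matches "${HOSTS_DENY:-/etc/hosts.deny}" "$1" "$2"; then
        echo DENY
    else
        echo ALLOW
    fi
}

# Constructed sample files for the demo (an assumption, not the live /etc
# files): the page's hosts.deny entries plus a hosts.allow showing how an
# allow rule overrides a later deny rule.
WRAP_TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$WRAP_TMP"' EXIT
HOSTS_DENY=$WRAP_TMP/hosts.deny
HOSTS_ALLOW=$WRAP_TMP/hosts.allow
cat > "$HOSTS_DENY" <<'EOF'
sshd: ALL
in.telnetd: ALL
in.ftpd : 192.168.1.2
#in.rlogind : 10.0.0.
EOF
cat > "$HOSTS_ALLOW" <<'EOF'
# jump host keeps ssh even though hosts.deny has "sshd: ALL"
sshd: 10.0.0.5
# the whole 10.0.0. network may telnet; everyone else hits the deny rule
in.telnetd : 10.0.0.
EOF

for probe in "sshd 10.0.0.5" "sshd 192.168.1.9" "in.telnetd 10.0.0.9" \
             "in.telnetd 10.0.1.9" "in.ftpd 192.168.1.2" "in.ftpd 192.168.1.3" \
             "in.rlogind 10.0.0.7"; do
    set -- $probe
    printf '%-12s %-14s %s\n' "$1" "$2" "$(wrap_access "$1" "$2")"
done
```

To check the live configuration instead of the samples, drop the sample-file section and call wrap_access directly; HOSTS_ALLOW and HOSTS_DENY then fall back to /etc/hosts.allow and /etc/hosts.deny. Where the tcpdmatch utility from the tcp_wrappers distribution is installed, prefer it, since it implements the full grammar; this script is a portable subset for hosts that lack it.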
For more information on TCP Wrapper configuration, read /etc/default/inetd and the man pages for hosts_access (# man -s4 hosts_access). To get details on Solaris Secure Shell, refer to Infodoc 50465 and Secure Remote Access with the Solaris[tm] 9 Operating Environment.
Original source: http://www.ltesting.net