ssh, inetd, wrapper


Post by Vicki Lonell Hai » Thu, 04 May 2000 04:00:00



The ongoing saga.
    I compiled ssh 2.1.0 with tcp-wrapper on my two AIX 4.2.1 machines,
and without wrapper on my AIX 4.3.2 machine.   But when trying to sftp
into my tcp-wrapped machine from a remote machine, it would just hang
most of the time.  No problem with the non-wrapped ssh.   I couldn't
find much on this -- there was one Debian web page where the guy
described a problem with ssh/tcp-wrapper identical to mine and he had
reported it as a bug.   ... I just went ahead and re-compiled without
tcp-wrapper and instead added sshd2 to my inetd.conf,
       exec    stream  tcp     nowait  root    /usr/local/bin/tcpd sshd2 -i
and updated my hosts.allow with:   "sshd2:  <IP address> "  etc.
     This seems to be working just fine except for one (well, a couple
of) thing(s).   I had initially included the IP address of my (remote
domain) home machine in the hosts.allow, which I later took out.   If a
remote machine (not my home machine) tries to ssh/sftp in, wrapper knocks
them right out.  good.   But if I try to ssh/sftp from my home machine,
it still lets it in. (!)   I've refreshed inetd, "refresh -s inetd",
I've re-started the sshd2 daemon.   But it's still letting my home
machine in, when it shouldn't.  -Anybody know whether I've overlooked
something?
    Another thing is the ssh is *really* slow coming in through inetd.
Do we just have to live with that, or is there anything I can do?   It
also doesn't help that this designated sftp machine is only a
1-processor RS/6000.
    Thanks a lot for any help, advice or info.  Please email

thanks!
--
Vicki Lonell Hain
Systems Programming - AIS
Univ. of NC -Chapel Hill
(919)966-1901
 
 
 


Post by Matt Willma » Fri, 05 May 2000 04:00:00


Look at your syslog for the TCPWrappers message.  If you get something that
looks like ::ffff:0.0.0.0 in your log, then you have to apply the IPv6
patches to TCPWrappers for them to work correctly.

Matt


> The ongoing saga.
>     I compiled ssh 2.1.0 with tcp-wrapper on my two AIX 4.2.1 machines,
> and without wrapper on my AIX 4.3.2 machine.   But when trying to sftp
> into my tcp-wrapped machine from a remote machine, it would just hang
> most of the time.  No problem with the non-wrapped ssh.   I couldn't
> find much on this -- there was one Debian web page where the guy
> described a problem with ssh/tcp-wrapper identical to mine and he had
> reported it as a bug.   ... I just went ahead and re-compiled without
> tcp-wrapper and instead added sshd2 to my inetd.conf,
>        exec    stream  tcp     nowait  root    /usr/local/bin/tcpd sshd2 -i
> and updated my hosts.allow with:   "sshd2:  <IP address> "  etc.
>      This seems to be working just fine except for one (well, a couple
> of) thing(s).   I had initially included the IP address of my (remote
> domain) home machine in the hosts.allow, which I later took out.   If a
> remote machine (not my home machine) tries to ssh/sftp in, wrapper knocks
> them right out.  good.   But if I try to ssh/sftp from my home machine,
> it still lets it in. (!)   I've refreshed inetd, "refresh -s inetd",
> I've re-started the sshd2 daemon.   But it's still letting my home
> machine in, when it shouldn't.  -Anybody know whether I've overlooked
> something?
>     Another thing is the ssh is *really* slow coming in through inetd.
> Do we just have to live with that, or is there anything I can do?   It
> also doesn't help that this designated sftp machine is only a
> 1-processor RS/6000.
>     Thanks a lot for any help, advice or info.  Please email

> thanks!
> --
> Vicki Lonell Hain
> Systems Programming - AIS
> Univ. of NC -Chapel Hill
> (919)966-1901
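
An IPv4 entry in hosts.allow can only match once the peer address has been interpreted correctly, which is what the syslog check above is probing. The following is an added example, not tcp_wrappers code and not code from any poster: one way an IPv6-aware check can reduce an IPv4-mapped peer (::ffff:a.b.c.d) to its IPv4 form before comparing it with an entry. The function names and the addresses used with it are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Text form of the peer address as an access check should see it: an
 * IPv4-mapped IPv6 peer (::ffff:a.b.c.d) is reduced to a.b.c.d so that
 * IPv4 entries in hosts.allow still apply. Returns 0, or -1 (deny). */
int peer_to_text(const struct sockaddr *sa, char *out, socklen_t len)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return inet_ntop(AF_INET, &s4->sin_addr, out, len) ? 0 : -1;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
            struct in_addr v4;
            memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof v4);
            return inet_ntop(AF_INET, &v4, out, len) ? 0 : -1;
        }
        return inet_ntop(AF_INET6, &s6->sin6_addr, out, len) ? 0 : -1;
    }
    return -1; /* unknown address family: treat as no match */
}

/* hosts.allow-style comparison: an exact address, or a prefix ending in
 * '.' (e.g. "192.0.2."). Returns 1 on match, 0 otherwise. */
int pattern_matches(const char *pattern, const char *addr)
{
    size_t n = strlen(pattern);
    if (n > 0 && pattern[n - 1] == '.')
        return strncmp(pattern, addr, n) == 0;
    return strcmp(pattern, addr) == 0;
}

/* Demo helper (hypothetical): 1 if a peer given as IPv6 text is allowed
 * by the pattern after normalisation, else 0. */
int v6_peer_allowed(const char *peer_text, const char *pattern)
{
    struct sockaddr_in6 s6;
    char buf[INET6_ADDRSTRLEN];
    memset(&s6, 0, sizeof s6);
    s6.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, peer_text, &s6.sin6_addr) != 1) return 0;
    if (peer_to_text((struct sockaddr *)&s6, buf, sizeof buf) != 0) return 0;
    return pattern_matches(pattern, buf);
}
```

Comparing the raw mapped text against an IPv4 entry does not match, which is why the address form that shows up in syslog is worth checking before trusting the rules.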


 
 
 


Post by H.G.Borrma » Tue, 09 May 2000 04:00:00


: Look at your syslog for the TCPWrappers message.  If you get something that
: looks like ::ffff:0.0.0.0 in your log, then you have to apply the IPv6
: patches to TCPWrappers for them to work correctly.
:

From where can I get these patches? All patches I got up to today didn't work.
--
._________________________________________________________________________.
|H.G.Borrmann                           |Tel.: (0761) 203-4652            |
|Rechenzentrum der Universitaet Freiburg|Fax:  (0761) 203-4643            |
|Hermann-Herder-Str. 10                 |email:                           |

|_________________________________________________________________________|

 
 
 


Post by Matt Willma » Wed, 10 May 2000 04:00:00


The site I got them from went belly-up recently for unknown reasons.  I know a
guy named Casper in the *sun* groups is posting messages with URL's for them.
Should be simple to find with Deja's help.

Matt



> : Look at your syslog for the TCPWrappers message.  If you get something that
> : looks like ::ffff:0.0.0.0 in your log, then you have to apply the IPv6
> : patches to TCPWrappers for them to work correctly.
> :

> From where can I get these patches? All patches I got up to today didn't work.
> --
> ._________________________________________________________________________.
> |H.G.Borrmann                           |Tel.: (0761) 203-4652            |
> |Rechenzentrum der Universitaet Freiburg|Fax:  (0761) 203-4643            |
> |Hermann-Herder-Str. 10                 |email:                           |

> |_________________________________________________________________________|

 
 
 


Post by Casper H.S. Dik - Network Security Engine » Wed, 10 May 2000 04:00:00


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]


>The site I got them from went belly-up recently for unknown reasons.  I know a
>guy named Casper in the *sun* groups is posting messages with URL's for them.
>Should be simple to find with Deja's help.

And I'm happy to post them again:

        ftp://playground.sun.com/pub/casper/
        ftp://ftp.porcupine.org/pub/ipv6

Same code in both, I think.

Works for Solaris 8 and for the Solaris 7+ipv6 patch (unsupported).

If it works or doesn't under AIX, please let me know, I'd be happy
to incorporate AIX specific changes.

Casper

--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

 
 
 


Post by Ken Be » Thu, 11 May 2000 04:00:00




>    ftp://playground.sun.com/pub/casper/
>    ftp://ftp.porcupine.org/pub/ipv6

>Same code in both, I think.

Thank you Casper.

There were a few small changes affecting the files:

  README.ipv6
  hosts_access.c
  tcpd.h
  tcpdchk.c

The files on playground.sun.com also have timestamps with date Oct 28,
1999, i.e., one day later than the files at ftp.porcupine.org.  I
suppose that "later is better", but don't know.  Here are the diffs,
where "playground" is '<' and "porcupine" is '>':

  README.ipv6 ...
  10a11,15
  > The code successfully compiles on Solaris 7 + playground.sun.com IPV6 patch,
  > but I have not tested the binary.
  >
  > The code also compiles on AIX using "-DHAVE_IPV6 -DUSE_GETHOSTBYNAME2"
  >
  27a33,35
  >
  > The original tcp_wrappers-7.6 files have been renamed and have a .org
  > extension; only this file (README.ipv6) was added.

  hosts_access.c ...
  30d29
  < #include <inet/ip.h>
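
Review bot: The `#include <inet/ip.h>` at line 30 of the playground copy has no platform guard, while the porcupine copy drops the line. On a system that does not ship that header the playground copy will not build, so either start from the copy without the include or wrap it in a platform check; the same line appears again in the tcpdchk.c hunk.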

  tcpd.h ...
  59a60,63
  > #ifndef IPV6_ABITS
  > #define IPV6_ABITS 128             /* Size of IPV6 address in bits */
  > #endif
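
Review bot: The hunk header 59a60,63 announces four added lines but only three are shown, so one line (probably a blank) was lost in posting; check against the file before applying this by hand. The `#ifndef IPV6_ABITS` fallback is the safer form, because the copy without it compiles only where a system header already supplies IPV6_ABITS. If the `<inet/ip.h>` include is dropped from hosts_access.c and tcpdchk.c, take this fallback along with it.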

  tcpdchk.c ...
  27d26
  < #include <inet/ip.h>

--


 
 
 


Post by Ken Be » Sat, 20 May 2000 04:00:00





>    ftp://playground.sun.com/pub/casper/
>    ftp://ftp.porcupine.org/pub/ipv6

>Same code in both, I think.

>Works for Solaris 8 and for the Solaris 7+ipv6 patch (unsupported).

>If it works or doesn't under AIX, please let me know, I'd be happy
>to incorporate AIX specific changes.

It works under AIX 4.3.  Just to get the compiler to stop complaining,
however, I made the following changes:

  fix_options.c
     38,39c38
     <     int     ipproto;
     <     socklen_t optsize = sizeof(optbuf);
     ---
     >     int     optsize = sizeof(optbuf), ipproto;
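
Review bot: `socklen_t optsize` at lines 38-39 is declared with no fallback, so the file now compiles only where the system headers define socklen_t. A guarded typedef for systems that lack the type (selected by a build-time macro) would keep the original `int` targets building. The same applies to `len` and `size` in the socket.c hunks.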

  socket.c
     80c80
     <     socklen_t len;
     ---
     >     int     len;
     244c244
     <     socklen_t     size = sizeof(sin);
     ---
     >     int     size = sizeof(sin);

  tcpd.h
     280,282d279
     < #ifdef getpeername
     < #undef getpeername
     < #endif
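
Review bot: The `#undef getpeername` at lines 280-282 is guarded only by `#ifdef getpeername`, and the hunk does not show whether it sits inside the GETPEERNAME_BUG conditional. If it is outside, it also discards a system-provided getpeername macro on builds that do not set -DGETPEERNAME_BUG. Nesting it under `#ifdef GETPEERNAME_BUG`, with a one-line comment giving the reason, would limit it to the case it was added for.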

  Notes:

  In each diff, the new file is '<' and the original is '>'.

  In tcpd.h, the change was made because "getpeername" is redefined
  due to the "-DGETPEERNAME_BUG" compiler option being set for AIX.

--


 
 
 

1. Wrapper with inetd

Hi!

I'm currently trying to make a sort of wrapper that is going to be spawned
by inetd, and then connect to another deamon, acting as a buffer between
the end-user and the daemon. The problems I experience is that the wrapper
I made seems to buffer input when it can't keep up. So, if you hit keys
real quick and stop, then hit one more, you get maybe the last five all at
once. Basically, the code looks like this:

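/* set up connection to daemon (descriptor fd); sendbuf and recvbuf are
   assumed to be LINELEN bytes each */
for (;;) {
  read_fd_mask = select_fd_mask;
  timer.tv_sec = 2;
  timer.tv_usec = 0;
  recv_len = select(fd + 1, &read_fd_mask, NULL, NULL, &timer);
  if (recv_len > 0) {
    if (FD_ISSET(fd, &read_fd_mask)) {
      /* leave room for the terminator: recv() does not add one */
      recv_len = recv(fd, sendbuf, LINELEN - 1, 0);
      if (recv_len < 1) {
        close(fd);
        exit(1);
      }
      sendbuf[recv_len] = '\0';
      fprintf(stdout, "%s", sendbuf);
    }
    if (FD_ISSET(0, &read_fd_mask)) {
      /* stop on end of input instead of resending a stale buffer */
      if (fgets(recvbuf, LINELEN, stdin) == NULL)
        exit(0);
      send(fd, recvbuf, strlen(recvbuf), 0);
    }
  }
}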

That's about it, what's wrong?!? ;-)  Seriously, any suggestions would be
greatly appreciated! Thanks in advance!

  /Orjan

--
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Q. What do you get when you cross 200K of apples and lots of garbage?
A. A core dump

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
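
The symptom in the post above fits mixing select() with stdio: fgets() can pull several lines from descriptor 0 into its own buffer and return only one, and select() cannot see the lines left there, while fprintf() to a non-terminal stdout holds output until its buffer fills. The following is an added example, not the poster's code: the same relay written with read() and write() only, so that everything select() reports is forwarded at once. The function names and the 4096-byte buffer are assumptions.

```c
#include <errno.h>
#include <sys/select.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy whatever is currently readable on `from` to `to` using read() and
 * write(), so no bytes are parked in a stdio buffer that select() cannot
 * see. Returns bytes forwarded, 0 on end of input, -1 on error. */
ssize_t forward_once(int from, int to)
{
    char buf[4096];
    ssize_t n = read(from, buf, sizeof buf);
    if (n <= 0)
        return n;
    for (ssize_t off = 0; off < n; ) {
        ssize_t w = write(to, buf + off, (size_t)(n - off));
        if (w < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        off += w;   /* write() may be partial: keep going */
    }
    return n;
}

/* Relay between the client (in_fd/out_fd, 0 and 1 under inetd) and the
 * daemon socket until one side closes. Returns 0 on EOF, -1 on error. */
int relay(int in_fd, int out_fd, int daemon_fd)
{
    for (;;) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(in_fd, &rfds);
        FD_SET(daemon_fd, &rfds);
        int maxfd = in_fd > daemon_fd ? in_fd : daemon_fd;
        if (select(maxfd + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (FD_ISSET(daemon_fd, &rfds)) {
            ssize_t n = forward_once(daemon_fd, out_fd);
            if (n <= 0) return (int)n;
        }
        if (FD_ISSET(in_fd, &rfds)) {
            ssize_t n = forward_once(in_fd, daemon_fd);
            if (n <= 0) return (int)n;
        }
    }
}
```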
