Configuring SSH Secure Shell for TCP Wrappers Support

To enable usage of TCP Wrappers with SSH Secure Shell, perform the following operations:

1. If SSH Secure Shell was previously installed from binaries, you may want to uninstall it before continuing.
2. Compile the source code:

   ./configure --with-libwrap 
   make
   

   Then, become root and run

   make install
   

   Note: If configure does not find libwrap.a, do the following:
   • Locate libwrap.a
   • Run configure again:

     make distclean
     ./configure --with-libwrap=/path_to_libwrap.a/
     

     Note: It is only necessary to specify the path to libwrap.a if the library and the include files are located in a non-standard directory, i.e. if the library has been compiled to a local directory, or has been installed to somewhere else than the default location.
3. Create or edit the /etc/hosts.allow and /etc/hosts.deny files. When a user tries to connect to the SSH Secure Shell server, the TCP wrapper daemon (tcpd) reads the /etc/hosts.allow file for a rule that matches the client's hostname or IP. If /etc/hosts.allow does not contain a rule allowing access, tcpd reads /etc/hosts.deny for a rule that would deny access. If neither of the files contains an accept or deny rule, access is granted by default. The syntax for the /etc/hosts.allow and /etc/hosts.deny files is as follows:

   daemon : client_hostname_or_IP 
   

   The typical setup is to deny access to everyone listed in the /etc/hosts.deny file. (This example shows both ssh1 and ssh2.)

   sshd1: ALL 
   sshd2: ALL 
   sshdfwd-X11 : ALL 
   

   or simply

   ALL: ALL 
   

   And then allow access only to trusted clients in the /etc/hosts.allow:

   sshd1 : trusted_client_IP_or_hostname
   sshd2 : .ssh.com foo.bar.fi
   sshdfwd-X11 : .ssh.com foo.bar.fi
   

   Based on the /etc/hosts.allow file above, users coming from any host in the ssh.com domain or from the host foo.bar.fi are allowed to access.