To enable usage of TCP Wrappers with SSH Secure Shell, perform the following operations:
- If SSH Secure Shell was previously installed from binaries, you may want to uninstall it before continuing.
- Compile the source code:
      ./configure --with-libwrap
      make
  Then, become root and run:
      make install
  Note: If configure does not find libwrap.a, do the following:
  - Locate libwrap.a
  - Run configure again:
      make distclean
      ./configure --with-libwrap=/path_to_libwrap.a/
  Note: It is only necessary to specify the path to libwrap.a if the library and the include files are located in a non-standard directory, i.e. if the library has been compiled to a local directory, or has been installed somewhere other than the default location.
- Create or edit the /etc/hosts.allow and /etc/hosts.deny files. When a user tries to connect to the SSH Secure Shell server, the TCP wrapper daemon (tcpd) reads the /etc/hosts.allow file for a rule that matches the client's hostname or IP. If /etc/hosts.allow does not contain a rule allowing access, tcpd reads /etc/hosts.deny for a rule that would deny access. If neither of the files contains an accept or deny rule, access is granted by default. The syntax for the /etc/hosts.allow and /etc/hosts.deny files is as follows:
      daemon : client_hostname_or_IP
  The typical setup is to deny access to everyone listed in the /etc/hosts.deny file. (This example shows both ssh1 and ssh2.)
      sshd1 : ALL
      sshd2 : ALL
      sshdfwd-X11 : ALL
  or simply
      ALL : ALL
  And then allow access only to trusted clients in /etc/hosts.allow:
      sshd1 : trusted_client_IP_or_hostname
      sshd2 : .ssh.com foo.bar.fi
      sshdfwd-X11 : .ssh.com foo.bar.fi
  Based on the /etc/hosts.allow file above, users coming from any host in the ssh.com domain or from the host foo.bar.fi are allowed to access.
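The evaluation order described above (hosts.allow first, then hosts.deny, then allow by default) is easy to get wrong when hosts.deny is left empty. The following Python model, added here as an example and not part of the SSH Secure Shell documentation or of tcpd itself, implements that order over a simplified subset of the rule syntax (one "daemon : client" line, '#' comments, the ALL wildcard, a leading-dot domain suffix such as .ssh.com, and exact hostname or IP match). The sample files, hostnames and addresses are constructed for the example; real tcpd supports more pattern forms than this model does.

```python
"""Model of the /etc/hosts.allow and /etc/hosts.deny evaluation order
for TCP wrappers, as described in the text above.

Simplified subset of tcpd's rule syntax (this is an example model, not
tcpd's parser): one "daemon : client ..." rule per line, '#' comments,
the ALL wildcard, a leading-dot domain suffix (.ssh.com) and an exact
hostname or IP match. Files and hosts below are constructed samples.
"""

from typing import List, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)

# Constructed sample files mirroring the "typical setup" from the text.
HOSTS_DENY = """\
# deny everything that hosts.allow does not explicitly permit
sshd1 : ALL
sshd2 : ALL
sshdfwd-X11 : ALL
"""

HOSTS_ALLOW = """\
sshd1 : 192.0.2.10
sshd2 : .ssh.com foo.bar.fi
sshdfwd-X11 : .ssh.com foo.bar.fi
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon : client ...' lines; blank lines, comments and
    lines without a ':' separator are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern: str, hostname: str, ip: str) -> bool:
    """ALL matches anything; '.domain' matches any host under it;
    otherwise the pattern must equal the hostname (case-insensitive) or IP."""
    if pattern == "ALL":
        return True
    host = hostname.lower()
    pat = pattern.lower()
    if pat.startswith("."):
        return host.endswith(pat)
    return pat == host or pattern == ip


def rule_matches(rule: Rule, daemon: str, hostname: str, ip: str) -> bool:
    daemons, clients = rule
    return (any(d == "ALL" or d == daemon for d in daemons)
            and any(client_matches(c, hostname, ip) for c in clients))


def access_granted(daemon: str, hostname: str, ip: str,
                   allow_text: str = HOSTS_ALLOW,
                   deny_text: str = HOSTS_DENY) -> bool:
    """Apply the order from the text: a matching hosts.allow rule grants,
    otherwise a matching hosts.deny rule refuses, otherwise access is
    granted by default."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, hostname, ip):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, hostname, ip):
            return False
    return True  # neither file matched: tcpd grants access by default


if __name__ == "__main__":
    # Constructed connection attempts; the last line shows the default-allow
    # gap when hosts.deny is left empty.
    attempts = [
        ("sshd2", "host.ssh.com", "203.0.113.5", HOSTS_DENY),
        ("sshd2", "foo.bar.fi", "203.0.113.6", HOSTS_DENY),
        ("sshd1", "foo.bar.fi", "203.0.113.6", HOSTS_DENY),
        ("sshd2", "evil.example.net", "198.51.100.7", HOSTS_DENY),
        ("sshd2", "evil.example.net", "198.51.100.7", ""),
    ]
    for daemon, host, addr, deny in attempts:
        verdict = "ALLOW" if access_granted(daemon, host, addr, deny_text=deny) else "DENY"
        print(f"{daemon:12} {host:18} {addr:15} deny_file={'present' if deny else 'empty':7} -> {verdict}")
```

Running the script prints one verdict per constructed attempt. The final line is the check worth keeping in mind: with an empty hosts.deny, a host that matches nothing in hosts.allow is still admitted, which is why the text's typical setup puts `ALL : ALL` (or one line per sshd daemon) in /etc/hosts.deny.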