Configuring SSH Secure Shell for TCP Wrappers Support

2008-01-22 23:38

To enable usage of TCP Wrappers with SSH Secure Shell, perform the following operations:

 

If SSH Secure Shell was previously installed from binaries, you may want to uninstall it before continuing.

Compile the source code:
./configure --with-libwrap
make

Then, become root and run
make install

Note: If configure does not find libwrap.a, do the following:

Locate libwrap.a

Run configure again:
make distclean
./configure --with-libwrap=/path_to_libwrap.a/

Note: It is only necessary to specify the path to libwrap.a if the library and the include files are located in a non-standard directory, i.e. if the library has been compiled to a local directory or has been installed somewhere other than the default location.

Create or edit the /etc/hosts.allow and /etc/hosts.deny files. When a user tries to connect to the SSH Secure Shell server, the TCP wrapper daemon (tcpd) reads the /etc/hosts.allow file for a rule that matches the client's hostname or IP. If /etc/hosts.allow does not contain a rule allowing access, tcpd reads /etc/hosts.deny for a rule that would deny access. If neither of the files contains an accept or deny rule, access is granted by default. The syntax for the /etc/hosts.allow and /etc/hosts.deny files is as follows:
daemon : client_hostname_or_IP

The typical setup is to deny access to everyone in the /etc/hosts.deny file. (This example shows both ssh1 and ssh2.)
sshd1: ALL
sshd2: ALL
sshdfwd-X11 : ALL

or simply
ALL: ALL

And then allow access only to trusted clients in the /etc/hosts.allow file:
sshd1 : trusted_client_IP_or_hostname
sshd2 : .ssh.com foo.bar.fi
sshdfwd-X11 : .ssh.com foo.bar.fi

Based on the /etc/hosts.allow file above, users coming from any host in the ssh.com domain or from the host foo.bar.fi are allowed access.
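
The lookup order described above (hosts.allow first, then hosts.deny, then access granted by default), as an added example that is not part of the original page or of SSH Secure Shell: a simplified Python model of the matching that covers only ALL, exact names/IPs and leading-dot domain patterns. The function names and the address 192.0.2.10 (standing in for trusted_client_IP_or_hostname) are assumptions made for the example.

```python
# Added example: simplified model of the hosts.allow / hosts.deny lookup order.
# Supports only the pattern forms shown on this page: ALL, exact name/IP, ".domain".

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2 or not fields[0].strip():
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def matches(pattern, value):
    pattern, value = pattern.lower(), value.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):            # ".ssh.com" matches hosts inside the domain
        return len(value) > len(pattern) and value.endswith(pattern)
    return pattern == value

def file_matches(rules, daemon, names):
    return any(
        any(matches(d, daemon) for d in daemons)
        and any(matches(c, n) for c in clients for n in names)
        for daemons, clients in rules
    )

def access_granted(allow_text, deny_text, daemon, hostname, ip):
    names = [n for n in (hostname, ip) if n]
    if file_matches(parse_rules(allow_text), daemon, names):
        return True                         # hosts.allow is consulted first
    if file_matches(parse_rules(deny_text), daemon, names):
        return False                        # then hosts.deny
    return True                             # no rule in either file: granted

# Constructed sample files; 192.0.2.10 stands in for trusted_client_IP_or_hostname.
HOSTS_ALLOW = """\
sshd1 : 192.0.2.10
sshd2 : .ssh.com foo.bar.fi
sshdfwd-X11 : .ssh.com foo.bar.fi
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for d, h in [("sshd2", "gw.ssh.com"), ("sshd1", "gw.ssh.com"), ("sshd2", "other.example.org")]:
        print(d, h, access_granted(HOSTS_ALLOW, HOSTS_DENY, d, h, "203.0.113.9"))
```

With an empty hosts.deny the model grants every client regardless of hosts.allow, which is why the deny rule has to be in place for the allow list to restrict anything.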
