From: "Dan Langille"
Organization: The FreeBSD Diary
To: Roelof Osinga, "Crist J. Clark", questions@freebsd.org
Cc: questions@freebsd.org
Date: Wed, 19 Jan 2000 13:41:37 +1300
Subject: Re: OpenSSH 1.2.1 refusing incoming connections
Reply-To: dan@freebsddiary.org
Message-Id: <200001190041.NAA50150@ducky.nz.freebsd.org>
In-reply-to: <3884E37F.54D7224B@nisser.com>

On 18 Jan 00, at 23:04, Roelof Osinga wrote:

> Two 3.4-STABLE's have no problem. Am in the process of configuring a
> third. Both are barebone SSH installs, i.e. password driven.

Problem solved. User error.

The box which was failing to allow incoming ssh connection had a
tcp_wrappers-7.6. This was installed when the box was on version 2.2.7
I think, and was never removed when the box was upgraded. FreeBSD after
3.2-RELEASE contains a tcp_wrapper library in the base system. My box had
both libwrap.so.2 (base system) and libwrap.so.7 (tcp wrapper).

Looking at ldd:

# ldd sshd (on good box)
sshd:
        libcrypto.so.1 => /usr/local/lib/libcrypto.so.1 (0x28078000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28108000)
        libutil.so.2 => /usr/lib/libutil.so.2 (0x2811d000)
        libz.so.2 => /usr/lib/libz.so.2 (0x28126000)
        libwrap.so.2 => /usr/lib/libwrap.so.2 (0x28133000)
        libc.so.3 => /usr/lib/libc.so.3 (0x2813a000)

# ldd sshd (on bad box)
sshd:
        libcrypto.so.1 => /usr/local/lib/libcrypto.so.1 (0x2807b000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2810b000)
        libutil.so.2 => /usr/lib/libutil.so.2 (0x2810e000)
        libz.so.2 => /usr/lib/libz.so.2 (0x28117000)
        libwrap.so.7 => /usr/local/lib/libwrap.so.7 (0x28124000)
        libc.so.3 => /usr/lib/libc.so.3 (0x2812b000)

So here is a brief outline of what was happening during my ssh
connection attempt:

  sshd asks tcp_wrappers: "how about this connection?"
  tcp_wrappers looks at /usr/local/etc/hosts.allow
  the file doesn't exist
  tcp_wrappers finds no rules allowing this connection
  tcp_wrappers replies to sshd "no way!  this connection can't happen!"
  sshd says, "sorry, you can't connect".

I had /etc/hosts.allow, as per libwrap.so.2.

The solution:

        pkg_delete OpenSSH-1.2.1
        cd /usr/ports/security/openssh
        make clean
        make
        make install

and try again.

On a side note: when installing the latest port of OpenSSH, I got this:

# make install
===> Installing for OpenSSH-1.2.1
Error: category ipv6 not in list of valid categories.

removing ipv6 from the Categories in the Makefile fixed this.

Eventually the above will be documented in better detail at:

http://www.freebsddiary.org/ssh_refused.html

My thanks to those that help, both here and offlist. Much appreciated.

--
Dan Langille - DVL Software Limited
[I'm looking for more work]
The FreeBSD Diary - http://www.freebsddiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm
unix @ home - http://www.unixathome.org/
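
An added example, not part of the original message: a POSIX shell check that reads ldd output in the format quoted above, reports which libwrap sshd resolves to, and tests whether the hosts.allow file the message pairs with that library exists. The function names, the ROOT prefix argument and the two-line sample listings are constructed for illustration; only the two library-to-file pairings come from the message.

```shell
#!/bin/sh
# Added example (not from the original message): report which libwrap an
# sshd binary resolves to and which hosts.allow the message ties to it.

# Print the resolved libwrap path from ldd output on stdin (empty if none).
libwrap_path() {
    awk '$1 ~ /^libwrap\.so/ && $2 == "=>" { print $3; exit }'
}

# Map a libwrap path to its rules file; only the two pairings named in
# the message are known, anything else is reported as unknown.
hosts_allow_for() {
    case "$1" in
        /usr/lib/libwrap.so.*)       echo /etc/hosts.allow ;;
        /usr/local/lib/libwrap.so.*) echo /usr/local/etc/hosts.allow ;;
        *)                           echo unknown ;;
    esac
}

# audit_sshd ROOT: read ldd output on stdin and print one verdict line.
# ROOT is a hypothetical prefix for the file check ("" on a live system).
audit_sshd() {
    lib=$(libwrap_path)
    [ -n "$lib" ] || { echo "OK no-libwrap"; return 0; }
    acl=$(hosts_allow_for "$lib")
    [ "$acl" != unknown ] || { echo "WARN unknown-libwrap $lib"; return 0; }
    [ -f "$1$acl" ] || { echo "WARN missing-rules $lib $acl"; return 0; }
    case "$lib" in
        /usr/local/*) echo "WARN port-libwrap $lib $acl" ;;
        *)            echo "OK base-libwrap $lib $acl" ;;
    esac
}

# Constructed sample: the libwrap lines of the two ldd listings above.
good_ldd() { printf '%s\n' 'sshd:' \
    '        libwrap.so.2 => /usr/lib/libwrap.so.2 (0x28133000)'; }
bad_ldd() { printf '%s\n' 'sshd:' \
    '        libwrap.so.7 => /usr/local/lib/libwrap.so.7 (0x28124000)'; }

# Demo against a scratch root holding only /etc/hosts.allow, as on the bad box.
demo() {
    root=$(mktemp -d) && mkdir -p "$root/etc" && : > "$root/etc/hosts.allow"
    good_ldd | audit_sshd "$root"
    bad_ldd  | audit_sshd "$root"
    rm -rf "$root"
}
demo
```

On a live system the same check would be fed real output, for example `ldd /path/to/sshd | audit_sshd ""`, with the path to the installed binary substituted.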