Date:      Tue, 31 May 2005 09:00:46 -0700
From:      David Wolfskill <david@catwhisker.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: IP Firewalling by DNS name
Message-ID:  <20050531160046.GP800@bunrab.catwhisker.org>
In-Reply-To: <44k6lfjsr2.fsf@be-well.ilk.org>
References:  <200505311529.j4VFTu9Q024198@lurza.secnetix.de> <44k6lfjsr2.fsf@be-well.ilk.org>

On Tue, May 31, 2005 at 11:54:25AM -0400, Lowell Gilbert wrote:
> Oliver Fromme <olli@lurza.secnetix.de> writes:
> 
> > Ivan Voras <ivoras@fer.hr> wrote:
> 
> >  > As I understand it, sshd actually accepts connections 
> >  > prior to checking hosts.allow?
> > 
> > Yes, the connection is accepted first, because there is
> > no information available about it before it is accepted.
> > But if the check fails, the connection will be closed
> > immediately.
> 
> Well, that's not necessarily the best way to explain it.  When you're
> working with TCP wrappers, you're running out of inetd(8), so there
> isn't really any sshd at all until the wrappers have decided to allow
> the connection.

Are you *sure* about that?  Ref:

g1-18(4.11-S)[2] ldd `which sshd`
/usr/sbin/sshd:
        libopie.so.2 => /usr/lib/libopie.so.2 (0x28089000)
        libmd.so.2 => /usr/lib/libmd.so.2 (0x28092000)
        libssh.so.2 => /usr/lib/libssh.so.2 (0x2809b000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280ca000)
        libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x280e3000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x281da000)
        libz.so.2 => /usr/lib/libz.so.2 (0x281e3000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x281f0000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x281f8000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28202000)
g1-18(4.11-S)[3] 

Note "libwrap.so.3" in there....

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Any given sequence of letters is a misspelling of a great many English words.

See http://www.catwhisker.org/~david/publickey.gpg for public key.
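The distinction argued in this thread (a daemon linked with libwrap checks hosts.allow itself after the kernel has completed the handshake, versus a service launched from inetd where inetd accepts and tcpd/libwrap decides before the daemon is exec'd) can be triaged from `ldd` output and inetd.conf. The script below is an added example, not code from the thread or from FreeBSD; the ldd lines and inetd.conf lines are constructed samples modelled on the message above, and in real use you would feed it live `ldd` and `/etc/inetd.conf` text.

```shell
#!/bin/sh
# Classify where the hosts.allow(5) check for a service happens, if anywhere.
# Constructed sample inputs (modelled on the thread, not captured on a live host):
SSHD_LDD='/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x2809b000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x281f0000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28202000)'
FTPD_LDD='/usr/libexec/ftpd:
        libc.so.4 => /usr/lib/libc.so.4 (0x28202000)'
INETD_CONF='#ssh    stream  tcp     nowait  root    /usr/sbin/sshd     sshd -i
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd  ftpd -l'

# Succeed when ldd-style output on stdin lists libwrap, i.e. the daemon
# carries its own tcp-wrappers check and consults hosts.allow in-process.
has_builtin_wrap() {
    grep -q '[[:space:]]libwrap\.so'
}

# Print "inetd" when an uncommented inetd.conf line on stdin enables
# service $1, otherwise "standalone".
launched_by_inetd() {
    awk -v svc="$1" '
        $1 !~ /^#/ && $1 == svc { found = 1 }
        END { print (found ? "inetd" : "standalone") }'
}

# wrap_mode LDD_OUTPUT INETD_CONF SERVICE -> one of:
#   in-process  kernel completes the TCP handshake, then the daemon itself
#               runs the libwrap check and drops the connection on deny
#   inetd       inetd accepts the connection, then tcpd/libwrap decides
#               before the daemon is exec'd (still after accept)
#   none        nothing on this path consults hosts.allow
wrap_mode() {
    ldd_out="$1"; inetd_conf="$2"; svc="$3"
    if printf '%s\n' "$ldd_out" | has_builtin_wrap; then
        echo in-process
    elif [ "$(printf '%s\n' "$inetd_conf" | launched_by_inetd "$svc")" = inetd ]; then
        echo inetd
    else
        echo none
    fi
}

# Stand-alone run over the constructed samples.
echo "sshd:   $(wrap_mode "$SSHD_LDD" "$INETD_CONF" ssh)"
echo "ftpd:   $(wrap_mode "$FTPD_LDD" "$INETD_CONF" ftp)"
echo "telnet: $(wrap_mode "$FTPD_LDD" "$INETD_CONF" telnet)"
```

In every case the TCP connection is already established when hosts.allow is consulted; the difference is only which process performs the check and closes the socket.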
