Openssh compatibility problem?

Charles Wilson cygwin@cwilson.fastmail.fm
Sat Jan 3 19:17:00 GMT 2009


Michael Makuch wrote:

> 1) On one occasion I found these with chmod 0;
> 
> $ ls -l hosts.allow hosts.deny
> ----------  1 mkm None 434 Jan  3 11:49 hosts.allow
> ----------+ 1 mkm None 225 Jan  3 00:38 hosts.deny
> 
> I don't know how or why but this was on a fresh cygwin install, latest
> bits DLd yesterday. I just re-confirmed a fresh install of cygwin
> leaves these 2 files chmod 0.

The default versions of these files are actually installed as:

-rw-r--r-- etc/defaults/etc/hosts.allow
-rw-r--r-- etc/defaults/etc/hosts.deny

and are copied to /etc by the postinstall script, here:

======================
#!/bin/bash

DEFAULTSDIR=/etc/defaults

for fn in /etc/hosts.allow /etc/hosts.deny
do
  if [ ! -f "${fn}" ]
  then
    cp "${DEFAULTSDIR}${fn}" "${fn}"
  fi
done
=======================

I have no explanation for the chmod 0 issue. It looks like a setup.exe
bug, to me...

> Without read perms it appears that sshd will not allow ssh to connect
> from anywhere, local nor remote. With read perms things get better.
> 
> 2) In some recent release the default hosts.allow has been modified to
> 
> ALL : PARANOID : deny
> sshd: ALL
> 
> I am surmising that PARANOID is a relatively new feature and unsupported
> by openssh 4.5 - I deduce this since when I remove PARANOID I can then
> successfully ssh from openssh 4.5. In essence I would call this a
> "compatibility" issue between this version of Cygwin and the older ones.

Err...no.  These are tcp_wrappers issues; sshd (whether 4.5, 5.1, or
whatever) doesn't care. It simply asks the tcp wrapper library "is this
incoming IP request OK?" and gets a yes/no answer. If your tcp_wrappers
package installs a hosts.allow file that includes PARANOID, then your
tcp_wrappers library supports PARANOID. End of story.

The issue is what PARANOID actually DOES.  It verifies that the incoming
connection's name and IP match -- in both directions.  That is, a DNS
lookup on the IP address gives a name, and a second DNS lookup on that
name gives (possibly a list of) IP addresses, one of which better be the
original IP.

If there is a mismatch, then (a) there is a DNS misconfiguration, or (b)
somebody is trying to spoof/hack you.  In your case, I'd guess DNS
misconfiguration.

check:
mtm@plum $ nslookup plum
mtm@plum $ nslookup <IP of plum>
and see what that tells you.  Also,

mtm@plum $ /usr/sbin/tcpdmatch plum

should report useful info (both to syslog, and to the display). I
recently posted an explanation of a "DNS misconfiguration" that is
more-or-less built in to Windows Vista with regards to the name
"localhost" -- which is why the default hosts.allow will soon include

all : localhost 127.0.0.1 [::1] : allow

as the first line. See http://cygwin.com/ml/cygwin/2008-12/msg00678.html

--
Chuck
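
Added example, not part of the original message and not tcp_wrappers code: a sketch of the two-way name/address check described above (IP to name, then name back to a list of IPs that must contain the original). The function names, the `*.example` host names and the 192.0.2.x / 2001:db8:: addresses are constructed for illustration; how tcp_wrappers itself treats a host with no reverse name is not modelled here.

```python
import ipaddress
import socket

# Constructed resolver data (documentation address ranges), not real DNS.
SAMPLE_PTR = {"192.0.2.10": ["plum.example"],   # correct reverse record
              "192.0.2.99": ["plum.example"],   # stale or forged reverse record
              "2001:db8::1": ["pear.example"]}
SAMPLE_FWD = {"plum.example": ["192.0.2.10"],
              "pear.example": ["2001:0db8:0000:0000:0000:0000:0000:0001"]}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(name):
    return SAMPLE_FWD.get(name, [])

def system_reverse(ip):
    """IP -> names, using the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """Name -> IP strings, using the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def round_trip(ip, reverse=system_reverse, forward=system_forward):
    """Return (verdict, detail); verdict is consistent, mismatch or no-name."""
    client = ipaddress.ip_address(ip)
    names = reverse(ip)
    if not names:
        return "no-name", f"{ip} has no reverse name"
    for name in names:
        for addr in forward(name):
            try:
                # Compare parsed addresses, so differently written IPv6 forms match.
                if ipaddress.ip_address(addr.split("%")[0]) == client:
                    return "consistent", f"{ip} -> {name} -> {addr}"
            except ValueError:
                continue  # resolver returned something that is not an address
    return "mismatch", f"{ip} -> {names[0]}, which does not resolve back to {ip}"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.99", "2001:db8::1", "192.0.2.200"):
        print(round_trip(ip, sample_reverse, sample_forward))
```

Calling `round_trip(ip)` with no resolver arguments runs the same check against the system resolver, which is a quick way to see whether a client that is being refused has inconsistent forward and reverse records.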

