Q on hosts.allow and sshd

This is a discussion on Q on hosts.allow and sshd within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Hello everybody,

I find in a number of resources that a line in /etc/hosts.allow may look this way:

    sshd : mikhail@a.friendly.slack.box : ALLOW

Still, I cannot make this work: sshd breaks an attempt to ssh as mikhail from a.friendly.slack.box. Only a line like

    sshd : a.friendly.slack.box : ALLOW

works (but this allows _all_ users from the above `friendly' host to login via ssh). In sshd_config I have "AllowUsers mikhail".

What can be wrong?

Regards,
Mikhail
On Fri, 22 Oct 2004 05:51:18 -0700, Mikhail Zotov wrote:

> I find in a number of resources that a line in /etc/hosts.allow
> may look this way:
>
> sshd : mikhail@a.friendly.slack.box : ALLOW
>
> Still, I cannot make this work: sshd breaks an attempt to ssh
> as mikhail from a.friendly.slack.box. Only a line like
>
> sshd : a.friendly.slack.box : ALLOW
>
> works (but this allows _all_ users from the above `friendly' host
> to login via ssh). In sshd_config I have "AllowUsers mikhail".
> What can be wrong?

For that to work "a.friendly.slack.box" needs to answer ident requests, IAW run an "identd".

    man 5 hosts_access   <<-- look for: USERNAME

--
-Menno.
Menno Duursma <pan@desktop.lan> wrote in message news:<pan.2004.10.22.16.48.27.802377@desktop.lan>...

> On Fri, 22 Oct 2004 05:51:18 -0700, Mikhail Zotov wrote:
>
> > I find in a number of resources that a line in /etc/hosts.allow
> > may look this way:
> >
> > sshd : mikhail@a.friendly.slack.box : ALLOW
> >
> > Still, I cannot make this work: sshd breaks an attempt to ssh
> > as mikhail from a.friendly.slack.box. Only a line like
> >
> > sshd : a.friendly.slack.box : ALLOW
> >
> > works (but this allows _all_ users from the above `friendly' host
> > to login via ssh). In sshd_config I have "AllowUsers mikhail".
> > What can be wrong?
>
> For that to work "a.friendly.slack.box" needs to answer ident requests,
> IAW run an "identd".
>
> man 5 hosts_access <<-- look for: USERNAME

Oh, thanks for the answer! I should have figured this out by myself via an analysis of log files :-/

Still, a strange thing is that in spite of the fact that identd.conf at "a.friendly.slack.box" has a line

    result:uid-only = no

connections are only established if hosts.allow looks like

    sshd : 1001@a.friendly.slack.box : ALLOW

but not

    sshd : mikhail@ ....

Trying to figure out why...

Anyway, thanks a lot!!

Regards,
Mikhail
On Mon, 25 Oct 2004 03:49:29 -0700, Mikhail Zotov wrote:

> Menno Duursma wrote:
>> Mikhail Zotov wrote:
>> > works (but this allows _all_ users from the above `friendly' host
>> > to login via ssh). In sshd_config I have "AllowUsers mikhail".
>> > What can be wrong?
>>
>> For that to work "a.friendly.slack.box" needs to answer ident requests,
>> IAW run an "identd".
>>
>> man 5 hosts_access <<-- look for: USERNAME
>
> Oh, thanks for the answer!

Sure thing.

> I should have figured this out by myself via an analysis of log files
> :-/

Well, I miss obvious stuff now and again too. Usually, switching to doing something else, and then looking at it afresh points it out quickly.

> Still, a strange thing is that in spite of the fact that identd.conf at
> "a.friendly.slack.box" has a line
>
> result:uid-only = no
>
> connections are only established if hosts.allow looks like
>
> sshd : 1001@a.friendly.slack.box : ALLOW
>
> but not
>
> sshd : mikhail@ ....
>
> Trying to figure out why...

Comment out the following in /etc/identd.conf:

    #-- Disable username lookups (only return uid numbers)
    result:uid-only = yes

I would edit that file some more, to like run it under "identd" instead:

    #-- User and group (from passwd database) to run as
    server:user = identd

    #-- Override the group id
    server:group = identd

Of course, you then want to make sure user/group "identd" exist on your system (before restarting it)... Otherwise create the account, like:

    groupadd identd
    grpconv
    useradd -d /var/empty -g identd -s /bin/false identd
    passwd -l identd
    pwconv
    killall -HUP inetd

Have fun.

--
-Menno.
On Mon, 25 Oct 2004 13:05:21 +0000, Menno Duursma wrote:

> On Mon, 25 Oct 2004 03:49:29 -0700, Mikhail Zotov wrote:
>> Menno Duursma wrote:
>>> Mikhail Zotov wrote:

[ Well, replying to my own post :-(, as I seem to have missed some things... ]

>>> > works (but this allows _all_ users from the above `friendly' host
>>> > to login via ssh). In sshd_config I have "AllowUsers mikhail".

Maybe try changing that to (this seems to work for me):

    AllowUsers mikhail@a.friendly.slack.box

>>> > What can be wrong?
>>>
>>> For that to work "a.friendly.slack.box" needs to answer ident requests,
>>> IAW run an "identd".
>>>
>>> man 5 hosts_access <<-- look for: USERNAME
>>
>> Oh, thanks for the answer!
>
> Sure thing.

Well, reading "man sshd_config" that might not be needed (as the "AllowUsers" directive can be used) - which even you pointed out...

It should be more secure to use both though, as the ident/auth query checks if the user connecting to you is actually logged in at the remote host under the allowed username, rather than using "ssh -lmikhail your.server" or some such. Of course this is all assuming the user doesn't have control over "ident" reply messages in any way (i.e. doesn't have "root" there.)

Also, and I have not tested this any other way, but I don't know if Slackware ships with the suid bit on the "ssh" binary. If it does though, that might account for something. I just "chmod -s" the whole lot as one of the first things after installation, and suid what needs be. (So "ssh" isn't a suid binary here, as I see no need to set that.)

>> I should have figured this out by myself via an analysis of log files
>> :-/
>
> Well, I miss obvious stuff now and again too. Usually, switching to doing
> something else, and then looking at it afresh points it out quickly.

Hey, I guess I'm proving that point with this post :-).

>> Still, a strange thing is that in spite of the fact that identd.conf at
>> "a.friendly.slack.box" has a line
>>
>> result:uid-only = no
>>
>> connections are only established if hosts.allow looks like
>>
>> sshd : 1001@a.friendly.slack.box : ALLOW
>>
>> but not
>>
>> sshd : mikhail@ ....
>>
>> Trying to figure out why...

That is odd. I'd figure that should work, however I just:

> Comment out the following in /etc/identd.conf :

Like this it works fine here, so maybe try:

    bash-2.05b$ grep uid /etc/identd.conf
    ##-- Disable username lookups (only return uid numbers)
    #result:uid-only = yes

(Don't forget to "killall -HUP inetd" and "pkill in.identd" afterwards.)

HTH.

--
-Menno.
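As an added example, not code from the thread, tcp_wrappers or OpenSSH, here is a small Python emulation of the two checks discussed above: hosts_access(5) client matching including the `user@host` form (which depends on what the remote identd answers, so a uid-only reply matches `1001@...` but never `mikhail@...`) and the sshd_config `AllowUsers user@host` form suggested in the reply. The rule order (first match wins, default deny) and the sample connections are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Conn:
    """One incoming connection as tcp_wrappers sees it (constructed sample input)."""
    daemon: str
    host: str          # reverse-resolved client hostname
    ident: str | None  # reply from the client's identd; None models no/failed lookup

def _host_match(pattern: str, host: str) -> bool:
    # hosts_access(5): ALL matches everything, a leading '.' matches a domain suffix
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    return pattern.lower() == host.lower()

def _client_match(pattern: str, conn: Conn) -> bool:
    # "user@host" forces an RFC 1413 lookup and compares the reply as a plain string,
    # so a uid-only answer such as "1001" never equals "mikhail" (the thread's symptom).
    if "@" in pattern:
        user, host = pattern.split("@", 1)
        if conn.ident is None:
            return False
        return (user == "ALL" or user.lower() == conn.ident.lower()) and _host_match(host, conn.host)
    return _host_match(pattern, conn.host)

def hosts_access(rules: list[str], conn: Conn) -> str:
    """First matching 'daemons : clients [: ALLOW|DENY]' rule wins; the default DENY
    stands in for a hosts.deny of 'ALL : ALL' (assumed, not from the thread)."""
    for line in rules:
        daemons, clients, *opt = [f.strip() for f in line.split(":")]
        action = opt[0].upper() if opt else "ALLOW"
        if ({conn.daemon, "ALL"} & set(daemons.split())
                and any(_client_match(c, conn) for c in clients.split())):
            return action
    return "DENY"

def sshd_allow_users(patterns: list[str], user: str, host: str) -> bool:
    """sshd_config AllowUsers: 'USER' or 'USER@HOST', both shell-style globs. Unlike
    tcp_wrappers it never asks identd: USER is whatever login name the client requested."""
    for pat in patterns:
        u, _, h = pat.partition("@")
        if fnmatchcase(user, u) and (not h or fnmatchcase(host, h)):
            return True
    return False
```

Evaluating `sshd : mikhail@a.friendly.slack.box : ALLOW` against identd replies of none, `1001` and `mikhail` gives DENY, DENY and ALLOW respectively, which is the behaviour the thread reports.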
On Mon, 25 Oct 2004 15:07:52 +0000, Menno Duursma wrote:

>>>> Mikhail Zotov wrote:
>>>> > to login via ssh). In sshd_config I have "AllowUsers mikhail".

> "AllowUsers" directive can be used) - which even you pointed out...

s/'even you'/'you even'/

Sorry about that. ( Indeed, I need to read my damn posts before hitting "Send Now". )

--
-Menno.
Menno Duursma <pan@desktop.lan> wrote in message news:<pan.2004.10.25.18.41.14.291634@desktop.lan>...

> On Mon, 25 Oct 2004 15:07:52 +0000, Menno Duursma wrote:
>
>>>> Mikhail Zotov wrote:
>>>> > to login via ssh). In sshd_config I have "AllowUsers mikhail".
>
> > "AllowUsers" directive can be used) - which even you pointed out...
>
> s/'even you'/'you even'/
>
> Sorry about that.

LOL Please, don't mind! My English is so poor that I didn't even notice that :-)

As for the other things, thank you very much for the answers! I do really appreciate you spending so much time on my problem. Meanwhile, I am trying to apply all these things you suggested. Will let you know about the results :-)

Regards,
Mikhail

P.S. I have never heard about _p_kill before :-/ Actually, AOLS is one of the most interesting readings I have