Mail Archives: cygwin/2009/01/03/13:39:36
Michael Makuch wrote:
> 1) On one occasion I found these with chmod 0;
>
> $ ls -l hosts.allow hosts.deny
> ---------- 1 mkm None 434 Jan 3 11:49 hosts.allow
> ----------+ 1 mkm None 225 Jan 3 00:38 hosts.deny
>
> I don't know how or why but this was on a fresh cygwin install, latest
> bits DLd yesterday. I just re-confirmed a fresh install of cygwin
> leaves these 2 files chmod 0.
The default versions of these files are actually installed as:
-rw-r--r-- etc/defaults/etc/hosts.allow
-rw-r--r-- etc/defaults/etc/hosts.deny
and are copied to /etc by the postinstall script, here:
======================
#!/bin/bash
DEFAULTSDIR=/etc/defaults
for fn in /etc/hosts.allow /etc/hosts.deny
do
  if [ ! -f "${fn}" ]
  then
    cp "${DEFAULTSDIR}${fn}" "${fn}"
  fi
done
=======================
I have no explanation for the chmod 0 issue. It looks like a setup.exe
bug, to me...
> Without read perms it appears that sshd will not allow ssh to connect
> from anywhere, local nor remote. With read perms things get better.
>
> 2) In some recent release the default hosts.allow has been modified to
>
> ALL : PARANOID : deny
> sshd: ALL
>
> I am surmising that PARANOID is a relatively new feature and unsupported
> by openssh 4.5 - I deduce this since when I remove PARANOID I can then
> successfully ssh from openssh 4.5. In essence I would call this a
> "compatibility" issue between this version of Cygwin and the older ones.
Err...no. These are tcp_wrappers issues; sshd (whether 4.5, 5.1, or
whatever) doesn't care. It simply asks the tcp wrapper library "is this
incoming IP request OK?" and gets a yes/no answer. If your tcp_wrappers
package installs a hosts.allow file that includes PARANOID, then your
tcp_wrappers library supports PARANOID. End of story.
The issue is what PARANOID actually DOES. It verifies that the incoming
connection's name and IP match -- in both directions. That is, a DNS
lookup on the IP address gives a name, and a second DNS lookup on that
name gives (possibly a list of) IP addresses, one of which better be the
original IP.
If there is a mismatch, then (a) there is a DNS misconfiguration, or (b)
somebody is trying to spoof/hack you. In your case, I'd guess DNS
misconfiguration.
check:
mtm@plum $ nslookup plum
mtm@plum $ nslookup <IP of plum>
and see what that tells you. Also,
mtm@plum $ /usr/sbin/tcpdmatch plum
should report useful info (both to syslog, and to the display). I
recently posted an explanation of a "DNS misconfiguration" that is
more-or-less built in to Windows Vista with regards to the name
"localhost" -- which is why the default hosts.allow will soon include
all : localhost 127.0.0.1 [::1] : allow
as the first line. See http://cygwin.com/ml/cygwin/2008-12/msg00678.html
--
Chuck
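
The name/address round trip described in the message above, as an added example (not part of the original post and not tcp_wrappers code). The function names and the verdict labels are assumptions made for illustration; the two resolver functions are parameters so the check can also be run against constructed records.

```python
import ipaddress
import socket
import sys

def reverse_lookup(ip):
    """PTR lookup: names the resolver returns for ip ([] on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def forward_lookup(name):
    """A/AAAA lookup: addresses the resolver returns for name ([] on failure)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def _norm(addr):
    # Compare parsed addresses, not strings; drop any IPv6 zone id ("%eth0").
    return ipaddress.ip_address(addr.split("%")[0])

def paranoid_check(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (verdict, name, addresses) for the name <-> address round trip."""
    names = reverse(ip)
    if not names:
        return ("no-name", None, [])        # address has no reverse record
    name = names[0]
    addrs = forward(name)
    if not addrs:
        return ("no-address", name, [])     # name does not resolve back
    ok = _norm(ip) in {_norm(a) for a in addrs}
    return ("match" if ok else "mismatch", name, addrs)

if __name__ == "__main__":
    # Live use: pass one or more client addresses on the command line.
    for arg in sys.argv[1:]:
        print(arg, *paranoid_check(arg))
```

A "mismatch" verdict for a host you control points at the reverse or forward record that needs correcting before a PARANOID rule will let it through.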