Configure sshd2 to use tcp-wrappers inetd super server | All about OS


Category: Securing and Optimizing

Tcp-wrappers should be enabled to start and stop the sshd2 server. Upon execution, inetd reads its configuration information from a configuration file which, by default, is /etc/inetd.conf. Each service needs one entry (line) in that file, with the fields of the entry separated by a tab or a space.
Step 1
Edit the inetd.conf file (vi /etc/inetd.conf) and add the line:
ssh stream     tcp   nowait     root /usr/sbin/tcpd sshd -i
NOTE: The "-i" parameter is important since it specifies that sshd is being run from inetd. Also, after adding the above line, make inetd re-read its "inetd.conf" file by sending it a SIGHUP signal (killall -HUP inetd).
•    To make inetd re-read your "inetd.conf" file, use the following command: [root@deep /]# killall -HUP inetd
Step 2
Edit the hosts.allow file (vi /etc/hosts.allow) and add the line:
sshd: 192.168.1.4 win.openna.com
This means that the client "192.168.1.4" with host name "win.openna.com" is allowed to ssh to the server.
These “daemon” strings (for tcp-wrappers) are in use by sshd2:
sshd, sshd2    (The name sshd2 was called with (usually "sshd")).
sshdfwd-X11    (if you want to allow/deny X11 forwarding).
sshdfwd-<port-number> (for tcp-forwarding).
sshdfwd-<port-name>     (port-name defined in /etc/services. Used in tcp-forwarding).
NOTE: If you do decide to switch to using ssh, make sure you install and use it on all your servers. Having ten secure servers and one insecure is a waste of time.
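To make the hosts.allow semantics concrete, here is an added example (not from the book) that models how tcpd consults /etc/hosts.allow and /etc/hosts.deny for the daemon strings listed above. The file contents are constructed: hosts.allow starts with the line added in Step 2, and hosts.deny carries an "ALL: ALL" line that the text does not mention, so that the effect of leaving hosts.deny empty can be compared. Only the simple pattern forms (ALL, a host or address, a leading-dot domain suffix, a trailing-dot network prefix) are modelled; real tcpd supports more.

```python
"""Minimal model of tcp-wrappers (tcpd) access control. Added example, not
from the book. It simulates the lookup order tcpd uses for a daemon name
such as "sshd" or "sshdfwd-X11": first match in hosts.allow grants access,
otherwise first match in hosts.deny refuses it, otherwise access is granted.
"""

# Constructed contents of the two files. The first hosts.allow line is the one
# from Step 2; the others illustrate the sshdfwd-* daemon strings.
HOSTS_ALLOW = """
# client 192.168.1.4 (win.openna.com) may reach sshd
sshd: 192.168.1.4 win.openna.com
sshd, sshd2: .openna.com
sshdfwd-X11: 192.168.1.
"""

# Default-deny line: without it, any client not listed in hosts.allow is let in.
HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_list, client_list) pairs from a file body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        daemon_list = daemons.replace(",", " ").split()
        client_list = clients.replace(",", " ").split()
        rules.append((daemon_list, client_list))
    return rules


def pattern_matches(pattern, ip, hostname):
    """Apply tcpd's simple client pattern forms."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. ".openna.com"
        return hostname.endswith(pattern)
    if pattern.endswith("."):        # network prefix, e.g. "192.168.1."
        return ip.startswith(pattern)
    return pattern in (ip, hostname)


def rule_matches(rule, daemon, ip, hostname):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    client_ok = any(pattern_matches(c, ip, hostname) for c in clients)
    return daemon_ok and client_ok


def access_allowed(daemon, ip, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as tcpd does: allow file first, then deny file, else allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip, hostname):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip, hostname):
            return False
    return True


if __name__ == "__main__":
    checks = [
        ("sshd", "192.168.1.4", "win.openna.com"),
        ("sshd", "10.0.0.9", "laptop.example.net"),
        ("sshdfwd-X11", "192.168.1.7", "pc7.openna.com"),
        ("sshdfwd-X11", "192.168.2.7", "pc7.openna.com"),
    ]
    for daemon, ip, host in checks:
        verdict = "allow" if access_allowed(daemon, ip, host) else "deny"
        print(f"{daemon:12} {ip:12} {host:20} -> {verdict}")
    # With an empty hosts.deny the unlisted client is still admitted.
    print("no hosts.deny:", access_allowed("sshd", "10.0.0.9", "laptop.example.net", deny_text=""))
```

The last line of the script is the point to take away: hosts.allow alone only adds permissions, so the entry from Step 2 restricts nothing unless hosts.deny closes everything else.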
Configuration of the “/etc/pam.d/ssh” file
For better security of your ssh2 server, you can configure it to use PAM authentication. To do that, you must create the "/etc/pam.d/ssh" file.
Create the ssh file (touch /etc/pam.d/ssh) and add or change, if necessary:
#%PAM-1.0
auth    required    /lib/security/pam_pwdb.so shadow
auth    required    /lib/security/pam_nologin.so
account    required    /lib/security/pam_pwdb.so
password    required    /lib/security/pam_cracklib.so
password    required    /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
session    required    /lib/security/pam_pwdb.so
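The "auth" lines above both use the "required" control flag. The following added example (not from the book) models how PAM walks such a stack: every "required" module is still executed after an earlier one fails, so the final answer is only given at the end. The module functions and the user database are constructed stand-ins for pam_pwdb.so and pam_nologin.so. It also shows the "requisite" and "sufficient" flags, which the book's file does not use, to make the difference visible.

```python
"""Model of PAM "auth" stack evaluation. Added example, not from the book.
pam_pwdb.so and pam_nologin.so are simulated by plain functions; the user
database and the /etc/nologin flag are constructed inputs."""

# Constructed shadow-style database: user -> password.
USERS = {"alice": "correct horse", "root": "toor-demo"}


def pam_pwdb(user, password, nologin):
    """Stand-in for pam_pwdb.so: password must match the database entry."""
    return USERS.get(user) == password


def pam_nologin(user, password, nologin):
    """Stand-in for pam_nologin.so: refuse non-root users while /etc/nologin exists."""
    return user == "root" or not nologin


MODULES = {"pam_pwdb.so": pam_pwdb, "pam_nologin.so": pam_nologin}

# The "auth" part of the /etc/pam.d/ssh file above.
SSH_AUTH_STACK = [("required", "pam_pwdb.so"), ("required", "pam_nologin.so")]


def run_auth_stack(stack, user, password, nologin=False):
    """Return (success, modules_executed) following PAM control-flag rules."""
    failed = False
    executed = []
    for control, name in stack:
        executed.append(name)
        ok = MODULES[name](user, password, nologin)
        if control == "required":
            # failure is remembered, but the remaining modules still run
            failed = failed or not ok
        elif control == "requisite":
            if not ok:              # failure ends the stack immediately
                return False, executed
        elif control == "sufficient":
            if ok and not failed:   # success ends the stack immediately
                return True, executed
        elif control == "optional":
            pass                    # ignored when other modules are present
    return not failed, executed


if __name__ == "__main__":
    print(run_auth_stack(SSH_AUTH_STACK, "alice", "correct horse"))
    print(run_auth_stack(SSH_AUTH_STACK, "alice", "wrong"))
    print(run_auth_stack(SSH_AUTH_STACK, "alice", "correct horse", nologin=True))
    # A "sufficient" pam_pwdb would skip pam_nologin entirely on a good password.
    weaker = [("sufficient", "pam_pwdb.so"), ("required", "pam_nologin.so")]
    print(run_auth_stack(weaker, "alice", "correct horse", nologin=True))
```

The third call shows why pam_nologin is listed as "required": a correct password is not enough while /etc/nologin exists. The fourth call shows that changing the first line to "sufficient" would silently bypass that check.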
Further documentation
For more details, there are several man pages you can read:
$ man ssh-add2 (1)    - adds identities for the authentication agent
$ man ssh-agent2 (1)    - authentication agent
$ man ssh-keygen2 (1)    - authentication key pair generation
$ man ssh2 (1)    - secure shell client (remote login program)
$ man sshd2 (8)    - secure shell daemon
