Why package management matters:
Just recently (today, if you happen to be reading it now) I ran into a small little problem. I needed to enable tcp-wrapper support in SSH on about 40 boxes. Last week. Not a problem, I've got scripts that do half the work for me. I just had to test the configuration and I'm set. Or so I thought.
I spent a couple of hours (in between getting my butt kissed and performing my regularly scheduled duties) testing out simple configurations for tcp-wrappers. The syntax is simple enough even my manager could set it up. hosts.deny was filled with a simple "ALL: ALL" and hosts.allow allowed SSH from one single system. I attempted to SSH in from a non-allowed system, pre-basking in my elite glory, and it connected just fine.
I was shocked. Had I done something incorrectly? It was possible, rare, but possible. I rechecked all configurations, added a few lines, and modified files. Shift 4, r, esc, shift 6, x, :w were all flying across my screen. If one of the other techs was watching over my shoulder he would have had a seizure.
I tried to SSH again, a bit less overconfident this time. I connected. A wave of doubt crossed my face as I brought up man page after man page. Was this an error with Linux? Could I rant and rave about how much I dislike the system? Could I praise OpenBSD for not having these issues while Linux users slobber over their keyboards trying to defend their favorite system?
I checked RPM: rpm -qa | grep ssh
I checked the dependencies of the output: rpm --requires openssh-version
libwrap.so.0 was there. This should be working. I double checked the configuration files, they were fine. I checked log files, nothing was there.
I sought help from the Anandtech community, and cleverhandle came to my rescue. ldd /usr/sbin/sshd revealed that libwrap.so.0 was not a requirement for the sshd we were running. Confusion replaced all confidence. Why was RPM lying to me? Linux sucks! Yeah, that's it!
ssh -V Wait, why is this version number different than the one reported by RPM? Of course! Someone replaced the sshd from the RPM with a custom compiled one. Of course, options like tcp-wrappers weren't enabled.
It wasn't Linux, Red Hat, the RPM system, or my perfect configuration skills. No, it was someone that apparently didn't believe in package management.
Not only did I waste several hours of off and on work, but now we get to look into a major upgrade process.
If package management is available, use it!
OLD:
hosts.allow and hosts.deny don't seem to affect SSH. I'm wondering if support for tcpwrapper has been included in the SSH port. Anyone know?
EDIT: I figured the above out, now trying to get tcp-wrappers working. I don't remember this being difficult on other platforms...
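The check below is an added example, not something from the post above or from Red Hat's tooling. It takes the output of the four commands that finally explained the problem (ssh -V, rpm -q, ldd /usr/sbin/sshd and rpm -V) as plain strings, so it runs offline on constructed samples, and answers the two questions the post circles around: does the sshd binary on disk carry the version the RPM database records, and is that binary actually linked against libwrap? The package name openssh-server, the OpenSSH version strings and the ldd/rpm -V lines are all constructed samples modelled on the situation described, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post). Each function parses the output of
# one command; check_sshd combines them. On a real host feed it:
#   ssh -V 2>&1 ; rpm -q openssh-server ; ldd /usr/sbin/sshd ; rpm -V openssh-server
# (package name assumed; ssh -V prints its version on stderr)

# Version from "ssh -V" output, e.g. "OpenSSH_3.9p1, OpenSSL 0.9.7a ..." -> 3.9p1
ssh_v_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p'
}

# Version from an "rpm -q" line, e.g. "openssh-server-3.9p1-8.RHEL4.12" -> 3.9p1
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^openssh[a-z-]*-\([0-9][^-]*\)-.*/\1/p'
}

# Exit 0 when ldd output lists libwrap, i.e. tcp-wrappers support is compiled in.
# This is what the RPM dependency list cannot tell you: rpm --requires records
# what the packaged build needed, ldd shows what the binary on disk needs.
ldd_has_libwrap() {
    printf '%s\n' "$1" | grep -q 'libwrap\.so'
}

# From "rpm -V" output, print every file whose digest column (3rd flag) is "5",
# meaning its contents no longer match what the package installed.
rpm_v_modified() {
    printf '%s\n' "$1" | awk 'substr($1, 3, 1) == "5" { print $NF }'
}

# Combine the checks. Return 0 = consistent, 1 = something is off, 2 = unparseable.
check_sshd() {
    bin_ver=$(ssh_v_version "$1")
    pkg_ver=$(rpm_version "$2")
    status=0
    if [ -z "$bin_ver" ] || [ -z "$pkg_ver" ]; then
        echo "cannot parse version strings"
        return 2
    fi
    if [ "$bin_ver" != "$pkg_ver" ]; then
        echo "MISMATCH: binary says OpenSSH $bin_ver, RPM database says $pkg_ver" \
             "(sshd was probably replaced outside the package manager)"
        status=1
    fi
    if ! ldd_has_libwrap "$3"; then
        echo "sshd is not linked against libwrap: hosts.allow/hosts.deny are ignored"
        status=1
    fi
    return $status
}

# Constructed sample output, modelled on the post (not real captures):
# a hand-built 3.6.1p2 sshd sitting where the 3.9p1 RPM put its binary.
SAMPLE_SSH_V='OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f'
SAMPLE_RPM_Q='openssh-server-3.9p1-8.RHEL4.12'
SAMPLE_LDD='        libpam.so.0 => /lib/libpam.so.0 (0x00c5a000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x00b0a000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00a3a000)'
SAMPLE_RPM_V='S.5....T    /usr/sbin/sshd
..?......  c /etc/ssh/sshd_config'

if check_sshd "$SAMPLE_SSH_V" "$SAMPLE_RPM_Q" "$SAMPLE_LDD"; then
    echo "sshd is consistent with the package database"
else
    echo "files rpm -V reports as modified:"
    rpm_v_modified "$SAMPLE_RPM_V"
fi
```

On the constructed sample the script reports both the version mismatch and the missing libwrap, then lists /usr/sbin/sshd as the file rpm -V flags with a changed digest. That last check is the one worth scripting across a fleet: rpm -V compares the files on disk against what the package installed, so a binary swapped in by hand shows up as a digest mismatch long before anyone tests hosts.deny.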