[HPADM] Re: HP-UX SSH

• Previous message: Stephanie Chung: "[HPADM] HP-UX SSH"
• In reply to: Stephanie Chung: "[HPADM] HP-UX SSH"
• Next in thread: Neil Paniraj: "[HPADM] ftp script/batch job"
• Reply: Neil Paniraj: "[HPADM] ftp script/batch job"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: hpux <hpux-admin@dutchworks.nl>
Date: Wed, 13 Apr 2005 18:51:53 -0400

On Wednesday 13 April 2005 6:31 pm, Stephanie Chung wrote:

> I installed hp-ux ssh to replace telnet and it's
> running fine. My question is how to allow only IP
> range 198.152.*.* to access the SSH and restrict other
> IPs. Since HP-UX ssh is running its own daemon
> (/opt/ssh/sbin/sshd) and not using ‘inetd’, put the
> restriction in ‘inetd.sec’ won’t help. Thanks you for
> your help.

Hi,

You need to run the ssh daemon thru inetd. Do the following:

1- Stop the ssh daemon

2- Make sure it won't start on machine startup by
editing /etc/rc.config.d/sshd

   Change SSHD_START=1 to 0

3- Modify /etc/inetd.conf to enable ssh. You must use the "-i" switch in order
to allow it to run thru inetd. I have the following line on my inetd.conf

ssh stream tcp nowait root /usr/sbin/sshd sshd -i

4- Modify /var/adm/inetd.sec accordingly. Something like:
ssh allow 172.16.0.10

etc...

Now you can get the ip filtering benefits provided by inetd.

Of course, this is one scenario. You can still use IPFILTER if you want (and
keep running SSHD stand-alone).

HTH,
Jorge

--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)

• Previous message: Stephanie Chung: "[HPADM] HP-UX SSH"
• In reply to: Stephanie Chung: "[HPADM] HP-UX SSH"
• Next in thread: Neil Paniraj: "[HPADM] ftp script/batch job"
• Reply: Neil Paniraj: "[HPADM] ftp script/batch job"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: Restarting init without rebooting ... The default in the new installs is not to run inetd on startup. ... A word of advice that I found on a Linux system that uses ... did NOT run it from xinetd. ... I was able to ssh into the system and found xinetd wasn't running. ... (comp.unix.bsd.freebsd.misc) Re: Re: inetd.conf missing? ... but as I understand inetd its the service ... that controls any network service (ie ssh). ... (Ubuntu) Re: ssh dropping ... It runs separate from inetd. ... all ssh sessions are dropped. ... Even when inetd dies (I've seen it die, ... The fact that your connections remain when inetd dies (I assume you are ... (comp.security.ssh) Re: ssh dropping ... It runs separate from inetd. ... all ssh sessions are dropped. ... Even when inetd dies (I've seen it die, ... The fact that your connections remain when inetd dies (I assume you are ... (comp.security.ssh) Re: SSH login takes very long time...sometimes ... would effectively bounce the bad guys, but AFAIK (correct me if I'm ... ssh is no longer supposed to work via inetd and still has no ... We're succesfully running openssh-portable from inetd with: ... vs@lambda$ grep ssh /var/log/messages ... (freebsd-stable)