Solaris – Access Control on SSH Connections
The sshd daemon that comes with the Solaris[TM] 9 & 10 Operating System uses TCP (Transmission Control Protocol) Wrappers (also called “libwrap”) to control which hosts may connect.
(Unlike other systems, Solaris 9 & 10 do not use the OpenSSH keywords “AllowHosts” and “DenyHosts” to permit or prevent SSH [Secure Shell] connections.)
TCP wrapper support is compiled into the sshd binary, and sshd runs as a standalone daemon. (Unlike other services, the Solaris 9 & 10 Operating System Secure Shell daemon is not under the control of inetd and tcpd.)
If sshd is running, and if the wrapper access control files are present and correctly configured, you have all that you need to control host access.
Configuration Steps:
In this article controlling host access is a two-part process. First you test the Solaris 9 & 10 Operating System Secure Shell functionality, and then you activate the access control files. Follow these steps:
1. On the server running the sshd daemon, enter:
sshd-server# mv /etc/hosts.allow /var/tmp/
sshd-server# mv /etc/hosts.deny /var/tmp/
By default these files don’t exist. If they do exist, they hold a configuration that must be preserved, which is why you restore them in step 6.
2. On an SSH client, enter:
ssh-client$ ssh -l
If you have no problems with the two preceding steps, proceed. Otherwise, you should troubleshoot your SSH functionality before you continue.
3. You will now grant access to the host with name “hostA,” and deny access to all other hosts. On the server running the sshd daemon, enter:
sshd-server# echo "sshd : hostA" > /etc/hosts.allow
sshd-server# echo "sshd : ALL" > /etc/hosts.deny
4. Next, test the allow rule. On hostA, enter:
hostA$ ssh -l
This should succeed.
5. Now test the deny rule. On another host, enter:
other_host$ ssh -l
This should fail.
6. Restore the original configuration by entering the following commands on the server running the sshd daemon:
sshd-server# mv /var/tmp/hosts.allow /etc/hosts.allow
sshd-server# mv /var/tmp/hosts.deny /etc/hosts.deny
If your tests were successful, both sshd and the wrappers are working correctly.
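As an added example (not part of the original article), the POSIX shell script below re-implements the hosts_access lookup order in a simplified form, so the rules written in step 3 can be dry-run against constructed client names without touching /etc/hosts.allow on a live server. The function names, the temporary sample files and the client names are this example’s own; it also goes a little beyond the article’s exact rules by understanding the trailing-dot address prefix and leading-dot domain suffix patterns that hosts_access(4) documents.

```shell
#!/bin/sh
# Added example, not code from the original article: a simplified model of the
# hosts_access(4) lookup order used by the TCP wrapper code in the Solaris sshd.
# Assumptions: rules have the form "daemon_list : client_list"; entries are
# separated by commas or spaces; the wildcard ALL, an address prefix such as
# "192.168." and a domain suffix such as ".example.com" are understood;
# EXCEPT lists and shell-command options are not modelled.

# pattern_match PATTERN VALUE -> exit 0 if VALUE matches one PATTERN.
pattern_match() {
    pm_pat=$1
    pm_val=$2
    case "$pm_pat" in
        ALL) return 0 ;;
        .*)  case "$pm_val" in *"$pm_pat") return 0 ;; esac ;;   # domain suffix
        *.)  case "$pm_val" in "$pm_pat"*) return 0 ;; esac ;;   # address prefix
        *)   [ "$pm_pat" = "$pm_val" ] && return 0 ;;           # exact name/address
    esac
    return 1
}

# list_match LIST VALUE -> exit 0 if any comma/space separated entry matches.
list_match() {
    lm_list=$(printf '%s' "$1" | tr ',' ' ')
    lm_val=$2
    for lm_tok in $lm_list; do
        pattern_match "$lm_tok" "$lm_val" && return 0
    done
    return 1
}

# file_match FILE DAEMON CLIENT -> exit 0 if some rule in FILE matches both.
# A missing file never matches, which is why the step-1 state (no files at all)
# lets every client through.
file_match() {
    fm_file=$1
    fm_daemon=$2
    fm_client=$3
    [ -r "$fm_file" ] || return 1
    while IFS= read -r fm_line || [ -n "$fm_line" ]; do
        case "$fm_line" in ''|\#*) continue ;; esac   # skip blanks and comments
        fm_daemons=${fm_line%%:*}
        fm_clients=${fm_line#*:}
        fm_clients=${fm_clients%%:*}                   # ignore an optional third field
        if list_match "$fm_daemons" "$fm_daemon" && list_match "$fm_clients" "$fm_client"; then
            return 0
        fi
    done < "$fm_file"
    return 1
}

# hosts_access ALLOW_FILE DENY_FILE DAEMON CLIENT -> exit 0 if the connection
# would be granted, 1 if refused. The order is the one hosts_access(4) documents:
# a match in the allow file grants, otherwise a match in the deny file refuses,
# otherwise access is granted.
hosts_access() {
    if file_match "$1" "$3" "$4"; then return 0; fi
    if file_match "$2" "$3" "$4"; then return 1; fi
    return 0
}

# report ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints the decision (stand-alone run).
report() {
    if hosts_access "$1" "$2" "$3" "$4"; then
        printf '%-10s from %-12s -> allowed\n' "$3" "$4"
    else
        printf '%-10s from %-12s -> denied\n' "$3" "$4"
    fi
}

# Constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny.
DEMO_DIR=$(mktemp -d)
printf 'sshd : hostA\n' > "$DEMO_DIR/hosts.allow"   # the step-3 allow rule
printf 'sshd : ALL\n'   > "$DEMO_DIR/hosts.deny"    # the step-3 deny rule

echo "Step 3 rules (allow hostA, deny ALL):"
report "$DEMO_DIR/hosts.allow" "$DEMO_DIR/hosts.deny" sshd hostA
report "$DEMO_DIR/hosts.allow" "$DEMO_DIR/hosts.deny" sshd other_host
report "$DEMO_DIR/hosts.allow" "$DEMO_DIR/hosts.deny" in.telnetd other_host
echo "Step 1 state (no wrapper files present):"
report "$DEMO_DIR/none.allow" "$DEMO_DIR/none.deny" sshd other_host
rm -rf "$DEMO_DIR"
```

Two points the dry run makes visible: when neither file exists (the state after step 1) every client is granted, because the library defaults to allow; and a deny line of “sshd : ALL” refuses only sshd, so any other wrapped service on the host is still reachable unless its own deny rule (or “ALL : ALL”) is present.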
For help configuring the access control files (/etc/hosts.allow and /etc/hosts.deny), refer to the man page. For the Bourne, Korn, or bash shells, enter:
MANPATH=/usr/sfw/share/man:$MANPATH;export MANPATH
man -s4 hosts_access
For csh or tcsh, enter:
setenv MANPATH /usr/sfw/share/man:$MANPATH
man -s4 hosts_access
6 Comments on “Solaris – Access Control on SSH Connections”
Hi all, I am trying to bring the ssh service online, but it is not coming online; it shows the error below:
svcs -l network/ssh
fmri         svc:/network/ssh:default
name         SSH server
enabled      true
state        offline
next_state   none
state_time   Tue Jan 03 21:13:59 2012
restarter    svc:/system/svc/restarter:default
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   optional_all/none svc:/system/filesystem/autofs (online)
dependency   require_all/none svc:/network/loopback (online)
dependency   require_all/none svc:/network/physical (maintenance)
dependency   require_all/none svc:/system/cryptosvc (online)
dependency   require_all/none svc:/system/utmp (online)
dependency   require_all/restart file://localhost/etc/ssh/sshd_config (online)
The ssh dependency service, i.e. physical, is showing in maintenance, so what do I need to do to bring this service online?
Thanks in advance.
@raj – type the command “svcs -xv” and check the reasons for the service failure. Check the log file for the specific service. The two posts below can help you troubleshoot SMF services. And if you see a specific error in the log, then please let me know, so that I can help figure out what went wrong.
http://gurkulindia.com/main/2011/03/solaris10-smf-troubleshooting-guide/
http://gurkulindia.com/main/2011/03/solaris-10-troubleshoot-the-problems-while-initializing-network-services/
@Raj, is it a non-global zone?
# svcs -l svc:/network/physical and verify the logs. It looks like something to do with the network/IP settings. Make sure the interface is up.
Hi sir,
We added one IP address in /etc/hosts:
192.168.54.34 TEST3 TEST3..com localhost.
What is the difference between loghost and localhost?
In which situation will we use loghost and localhost?
>> localhost refers to the current host, and usually the IP 127.0.0.1 (the loopback address).
When we install Unix (or Linux), most of the services will automatically start with their default configuration. Wherever these default configurations have to use the current host name, they refer to localhost as the current hostname, so that we don’t need to modify every default configuration with our actual hostname.
>> The loghost alias is used by syslog to determine the destination for log messages.