You have to use TCP wrappers. Assuming you are on RHEL5, sshd comes precompiled with TCP wrappers. You can use ldd to check if your particular sshd has TCP wrapper support, e.g.
Note that access rules in /etc/hosts.allow are applied first i.e. they take precedence over rules specified in /etc/hosts.deny. Therefore, if access to a service is allowed in /etc/hosts.allow, a rule denying access to in /etc/hosts.deny is ignored because libwrap implements a "stop on first match" policy.
Hey people i need a little help here if anyone knows who to separate the mailing users and can i have more then one at the end of the command line please tell me :::This is just an example:::
/etc/hosts.deny:
tftpd: ALL: (/some/where/safe_finger -l @%h | \
... (2 Replies)
using redhat 7.2
Is it possible to not allow root to ssh into the server remotely, but allow the account that ssh'd in to the box to su to root? This way there is the added security of a hacker needing two passwords to hack your computer, a username/password for a regular account and also the... (3 Replies)
Hi!
Im trying to use host.allow & host.deny to resrtic access to my sun machine, but it doesnt seem to work... I want to allow full access from certain IPīs (ssh,http,ftp,etc...) but deny all kind of conections from outsideworld, the way that im doing that is:
hosts.allow
ALL:127.0.0.1... (2 Replies)
Hi,
I logged into h0011awe server. I am executing a script on this server which connects to other 3 hosts (h0022sam, h0033jar, h0044orc). In the script the command are like this
orapmon=`ssh $USR@$host ps -ef|grep -v grep|grep pmon`
I am using secured shell. How to setup that between these... (2 Replies)
Hello everyone,
This is my first posts and I did search for a questions but did not find a question that answered my question unless of course I overlooked it.
I'm running Solaris 8. I use ssh for the users but I have a user called "chatterbox" that uses telnet but I need for chatterbox to... (1 Reply)
Hi,
I want to change the /etc/hosts file on the hmc. I am connecting via ssh but any vi command is not allowed.
Can someone please let me know how to do this?
Many Thanks.
Kees (23 Replies)
Hello I want to block individuals who attempt to use ssh to loggon to one of my machines from a certain IP address. I added the following entry in hosts.deny. Will the entry do what I want to do?
ssh: 202.111.128.225 (3 Replies)
Hi guys!
I'm working on a little script. I have a txtfile with several hosts, Unix team has copied my keys into several of those servers, but not all of them, I need to figure out which ones I don't have access to, (I want a list of servers I don't have access to, so I can request for it). This... (1 Reply)
hi all
just installed the netsec.options.tcpwrapper from expansion pack, which used to be a rpm, for my aix 6.1 test box.
it is so unpredictable. i set up the hosts.deny as suggested for all and allow the sshd for specific ip addresses/hostnames.
the tcpdchk says the hosts allowed and... (0 Replies)
Hi there,
For /etc/hosts.deny was it used to deny access from the internet? (2 Replies)
Discussion started by: alvinoo
2 Replies
LEARN ABOUT OPENSOLARIS
ssh-keyscan
ssh-keyscan(1) User Commands ssh-keyscan(1)NAME
ssh-keyscan - gather public ssh host keys of a number of hosts
SYNOPSIS
ssh-keyscan [-v46] [-p port] [-T timeout] [-t type]
[-f file] [-] [host... | addrlist namelist] [...]
DESCRIPTION
ssh-keyscan is a utility for gathering the public ssh host keys of a number of hosts. It was designed to aid in building and verifying
ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable for use by shell and perl scripts. The output of ssh-keyscan is
directed to standard output.
ssh-keyscan uses non-blocking socket I/O to contact as many hosts as possible in parallel, so it is very efficient. The keys from a domain
of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh. For scanning, one does not
need login access to the machines that are being scanned, nor does the scanning process involve any encryption.
File Format
Input format:
1.2.3.4,1.2.4.4
name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
Output format for rsa1 keys:
host-or-namelist bits exponent modulus
Output format for rsa and dsa keys, where keytype is either ssh-rsa or `ssh-dsa:
host-or-namelist keytype base64-encoded-key
OPTIONS
The following options are supported:
-f filename Read hosts or addrlist namelist pairs from this file, one per line. If you specity - instead of a filename,
ssh-keyscan reads hosts or addrlist namelist pairs from the standard input.
-p port Port to connect to on the remote host.
-T timeout Set the timeout for connection attempts. If timeout seconds have elapsed since a connection was initiated to a
host or since the last time anything was read from that host, the connection is closed and the host in question
is considered unavailable. The default is for timeout is 5 seconds.
-t type Specify the type of the key to fetch from the scanned hosts. The possible values for type are rsa1 for protocol
version 1 and rsa or dsa for protocol version 2. Specify multiple values by separating them with commas. The
default is rsa1.
-v Specify verbose mode. Print debugging messages about progress.
-4 Force to use IPv4 addresses only.
-6 Forces to use IPv6 addresses only.
SECURITY
If a ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, users are vulnerable to man-in-the-middle attacks.
If the security model allows such a risk, ssh-keyscan can help in the detection of tampered keyfiles or man-in-the-middle attacks which
have begun after the ssh_known_hosts file was created.
EXAMPLES
Example 1 Printing the rsa1 Host Key
The following example prints the rsa1 host key for machine hostname:
$ ssh-keyscan hostname
Example 2 Finding All Hosts
The following commands finds all hosts from the file ssh_hosts which have new or different keys from those in the sorted file
ssh_known_hosts:
$ ssh-keyscan -t rsa,dsa -f ssh_hosts |
sort -u - ssh_known_hosts | diff ssh_known_hosts -
FILES
/etc/ssh_known_hosts
EXIT STATUS
The following exit values are returned:
0 No usage errors. ssh-keyscan might or might not have succeeded or failed to scan one, more or all of the given hosts.
1 Usage error.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWsshu |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
SEE ALSO ssh(1), sshd(1M), attributes(5)AUTHORS
David Mazieres wrote the initial version, and Wayne Davison added suppport for protocol version 2.
BUGS
ssh--keyscan generates
Connection closed by remote host
messages on the consoles of all machines it scans if the server is older than version 2.9. This is because ssh-keyscan opens a connection
to the ssh port, reads the public key, and drops the connection as soon as it gets the key.
SunOS 5.11 24 Jul 2004 ssh-keyscan(1)