  • Status: Solved
  • Priority: Medium
  • Security: Public

Need a version of telnet and/or ssh that supports tcp wrappers on AIX 5.1

I have an older system that is running AIX 5.1. It has installed telnet and ssh, but neither has wrapper support. I want to use tcp wrappers to control access to both, but have been unable to find a version of either telnet or ssh that has support for it. I have tcp wrappers installed and I believe it will work if I can get either in a version with wrapper support.

Does anyone know how to obtain a version of either telnet or ssh that will support wrappers? My search of IBM and other sites has not come up with anything.

thanks...
0
carlmd
Asked:
1 Solution
 
arnoldCommented:
Not specifically for AIX, usually for telnet in /etc/inetd.conf you put the TCP wrapper tcpd binary with the in.telnetd ... tcpd will do the tcpwrapper functionality.

For sshd, it needed to be recompiled if tcp_wrappers option was not already included.

try strings sshd | grep wrapper
Adding sshd: ip or ip range in hosts.allow
Then adding sshd:all  in /etc/hosts.deny
And see if that works.
0
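The allow-then-deny order that the two rules in the answer above rely on, as an added example that is not part of the original thread. It is a reduced shell model of the hosts_access(5) decision (ALL, exact addresses and trailing-dot prefixes only); the sample files and documentation-range addresses are constructed.

```sh
#!/bin/sh
# Added illustration of the hosts_access(5) decision order; not tcpd itself.

# match_file FILE DAEMON CLIENT: succeeds if any rule in FILE matches the pair.
match_file() {
    [ -r "$1" ] || return 1          # a missing file behaves like an empty one
    while IFS=: read -r daemons clients _rest; do
        case $daemons in ''|'#'*) continue ;; esac
        hit=no
        for d in $(echo "$daemons" | tr ',' ' '); do
            case $d in ALL|all|"$2") hit=yes ;; esac
        done
        [ "$hit" = yes ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            case $c in
                ALL|all) return 0 ;;                       # wildcard
                *.) case $3 in "$c"*) return 0 ;; esac ;;  # address prefix
                "$3") return 0 ;;                          # exact address
            esac
        done
    done < "$1"
    return 1
}

# access_decision DAEMON CLIENT ALLOW_FILE DENY_FILE: prints granted or denied.
access_decision() {
    if match_file "$3" "$1" "$2"; then echo granted; return 0; fi  # allow wins
    if match_file "$4" "$1" "$2"; then echo denied;  return 0; fi
    echo granted                     # no rule in either file: access granted
}

# Constructed sample files mirroring the two rules suggested in the answer.
demo_dir=$(mktemp -d)
printf 'sshd: 192.0.2.\n' > "$demo_dir/hosts.allow"
printf 'sshd: all\n'      > "$demo_dir/hosts.deny"

for probe in "sshd 192.0.2.10" "sshd 198.51.100.7" "telnetd 198.51.100.7"; do
    set -- $probe
    echo "$1 from $2: $(access_decision "$1" "$2" \
        "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
```

The third probe is granted because the deny file names only sshd, so any other wrapped daemon stays open unless it gets its own deny rule.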
 
carlmdAuthor Commented:
I did the strings command on both telnet and ssh and neither have wrapper support. From what I read, evidently either must be built with wrapper support.

I did modify inetd.conf and replaced tcp6 with tcp, and telnetd with tcpd. I also have a hosts.deny file that passes the check program, and have refreshed inetd. But, unfortunately it does not work.

So that is why I am on a hunt for a version of telnet or ssh that supports wrappers.
0
 
arnoldCommented:
Not sufficiently familiar with AIX to know what should be.
In other systems I've used from Solaris, Linux in various flavors, sshd had to be recompiled (OpenSSH used as the alternative)
However, for telnet, and other inetd based connections, one had to get the tcp_wrappers library compiled, install it and use the tcpd that is part of the tcp_wrapper, as the command preceding the service/component in /etc/inetd.conf

Telnet /usr/local/bin/tcpd /usr/sbin/in.telnetd as an example
0
 
carlmdAuthor Commented:
Yes, you have to get and compile the tcp wrappers for AIX as well. I did that, but then found out that telnet must also have been compiled to support wrappers. Evidently the stock version for AIX5.1 does not have this support.
0
 
arnoldCommented:
Does your telnet launch from inetd.conf place tcpd from tcpwrapper before the telnet app?
This will convert the telnet to support tcp_wrapper.
Make sure to test by using an individual IP deny, and look at the messages/syslog for tcpwrapper events.
0
 
carlmdAuthor Commented:
Yes, and I have already done that. It will launch telnet, but it is the version that does not support wrappers, so no allow/deny filtering takes place.
0
 
arnoldCommented:
I do not understand what you mean.
telnet by itself will not support wrappers,
when configuring the telnet within inetd you use the tcpd as the one that will be launched, which will verify whether the connecting connection is authorized/validates, at which point it will launch telnet. If it does not validate, tcpd will error out/close connection...

I am unfamiliar with AIX so let's say the following is the correct formatting for an inetd.conf entry for telnet
telnet     stream  tcp6    nowait  root    /usr/sbin/tcpd /usr/sbin/in.telnetd      telnetd
the command is not in.telnet but actually '/usr/sbin/tcpd /usr/sbin/in.telnetd'; tcpd makes the determination on whether the telnet session proceeds

Hope this clarifies things, sorry, but the formatting might be incorrect for AIX, look at inetd.conf and post the line for telnet, and I will provide the alternative and see if that works,
one option could be to use a different port for testing to avoid locking your access out.
0
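One way to check what the comment above describes, as an added example that is not part of the original thread: a shell function that reads an inetd.conf and reports, per active entry, whether inetd starts tcpd or the daemon directly. The sample file, its paths and the status labels are constructed for illustration.

```sh
#!/bin/sh
# Added illustration: audit inetd.conf entries for tcpd wrapping.
# Fields: service socktype proto wait user server argv0 [args...]

# inetd_wrap_status FILE: prints "<service> <status> <program>" per entry.
inetd_wrap_status() {
    while read -r svc _sock _proto _wait _user server argv0 _args; do
        case $svc in ''|'#'*) continue ;; esac     # blank or commented out
        case $server in
            */tcpd)
                case $argv0 in
                    # Absolute path: tcpd runs exactly this program.
                    /*) echo "$svc wrapped $argv0" ;;
                    # Bare name: tcpd looks it up in its compile-time
                    # REAL_DAEMON_DIR, which must hold the real daemon.
                    *)  echo "$svc wrapped-relative $argv0" ;;
                esac ;;
            # inetd starts the daemon itself; hosts.allow/deny never consulted.
            *)  echo "$svc UNWRAPPED $server" ;;
        esac
    done < "$1"
}

# Constructed sample file (paths are assumptions, not taken from a real host).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
#ftp    stream tcp6 nowait root /usr/sbin/ftpd        ftpd
telnet  stream tcp  nowait root /usr/local/bin/tcpd   /usr/sbin/telnetd
login   stream tcp  nowait root /usr/local/bin/tcpd   rlogind
shell   stream tcp6 nowait root /usr/sbin/rshd        rshd
EOF

inetd_wrap_status "$sample_conf"
```

Against a live system, point the function at /etc/inetd.conf and refresh inetd after any change; the tcpdchk and tcpdmatch utilities that ship with tcp_wrappers then validate the rule files and predict the decision for a given daemon and client.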
 
carlmdAuthor Commented:
Take a look at the first section of the following for an explanation about wrapper support.

https://www.ibm.com/developerworks/aix/library/au-tcpwrapper/
0
 
arnoldCommented:
Yes, I am aware of tcp wrappers, the document includes an example on how you would change the inetd.conf file to secure your telnet sessions. Look on page 4, configuring wrappers.

The portion for sshd is a different matter, if the installed sshd is custom that does not include source, the only way to add sshd with wrappers, would be to install OpenSSL/OpenSSH configured --with-tcp-wrappers or similar; see ./configure --help for the OpenSSH compilation options.

I've not used AIX, so if you could be more specific to what it is you have a question on in the IBM document, I'd review and will try to answer/explain as best I can based on TCP wrapper implementation in similar circumstances under other OSs that did not provide TCP-wrapper functionality as provided by the vendor of the OS, Solaris 5.6, 5.7.
0
 
carlmdAuthor Commented:
Don't really have any questions on the implementation, just where to get a version of telnet and/or ssh that supports wrappers.
0
 
arnoldCommented:
ssh, openssh.org openssl.org you need openssl for the ssl library.
telnet/rlogin has been abandoned long ago because of its insecurity.

adding the tcp_wrappers tcpd as described on page 4 of the pdf in the link you posted facilitates the adjustment of a telnet session/function on your server to enforce/enable tcp_wrapper functionality.

you seem to either ignore the option, or insist on an approach that might not be available. have not looked at whether there is a telnet source that you could compile while incorporating tcp_wrappers.

let's say you have a 150 pound crate that you need to move, your questions seem to persist along the line of how you can bulk up to move the crate versus using the tools already available to you to achieve the same goal.
0
 
carlmdAuthor Commented:
I am happy to listen if you have an alternative to tcp wrappers. I just can't find one.

To reiterate, I downloaded and built/compiled tcp wrappers, installed ssh and ssl from rpm's, and tested all. Based upon the pdf document it appears that neither telnet that came with the AIX OS, nor ssh installed from the rpm, have support for wrappers. I created all config files, modified inetd.conf and tested wrappers with both. They just don't work, as I would expect without the stated support for wrappers.

Not sure what you mean by "tools already available to you" but if you are referring to something other than tcp wrappers, please explain.
0
 
arnoldCommented:
First things first, replace /usr/sbin/telnetd with /usr/sbin/tcpd in your /etc/inetd.conf
This will convert and make your telnet sessions tcp_wrapper enforced when you add the entries in /etc/hosts.deny and /etc/hosts.allow with the rules you want enforced.

run the strings sshd as suggested in the write-up to see whether the RPM/Package you obtained has tcp_wrappers compiled in.
You can always get the source and compile the ssh and openssl items; enable during the configuration the options you want. --with-tcp-wrappers etc.
0
 
carlmdAuthor Commented:
Inetd.conf already has the tcpd entry. I did that to test, this along with the hosts.deny and hosts.allow

sshd does not have tcp_wrappers compiled in, already checked that.

I will look for source for ssl and ssh and see how that works out.
0
 
arnoldCommented:
Ok, so your remaining outstanding issue is to add an sshd daemon with tcp_wrapper support.

Make sure when configuring use --prefix=/usr/local --with-tcp-wrappers to make sure you would not overwrite the included sshd.
0
 
carlmdAuthor Commented:
I was hoping for a different solution but obviously there was no easy one.

Currently building openssh.
0
