Solved

Need a version of telnet and/or ssh that supports tcp wrappers on AIX 5.1

Posted on 2016-10-19
Last Modified: 2016-10-25
I have an older system that is running AIX 5.1. It has installed telnet and ssh, but neither has wrapper support. I want to use tcp wrappers to control access to both, but have been unable to find a version of either telnet or ssh that has support for it. I have tcp wrappers installed and I believe it will work if I can get either in a version with wrapper support.

Does anyone know how to obtain a version of either telnet or ssh that will support wrappers? My search of IBM and other sites has not come up with anything.

thanks...
Question by:carlmd
16 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 41850145
Not specifically for AIX; usually for telnet in /etc/inetd.conf you put the TCP wrapper tcpd binary with the in.telnetd ... tcpd will do the tcpwrapper functionality.

For sshd, it needed to be recompiled if tcp_wrappers option was not already included.

try strings sshd | grep wrapper
Adding sshd: ip or ip range in hosts.allow
Then adding sshd:all  in /etc/hosts.deny
And see if that works.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41850177
I did the strings command on both telnet and ssh and neither have wrapper support. From what I read, evidently either must be built with wrapper support.

I did modify inetd.conf and replaced tcp6 with tcp, and telnetd with tcpd. I also have a hosts.deny file that passes the check program, and have refreshed inetd. But, unfortunately, it does not work.

So that is why I am on a hunt for a version of telnet or ssh that supports wrappers.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41850189
Not sufficiently familiar with AIX to know what should be.
In other systems I've used, from Solaris to Linux in various flavors, sshd had to be recompiled (OpenSSH used as the alternative).
However, for telnet and other inetd-based connections, one had to get the tcp_wrappers library, compile it, install it and use the tcpd that is part of tcp_wrappers as the command preceding the service/component in /etc/inetd.conf

Telnet /usr/local/bin/tcpd /usr/sbin/in.telnetd as an example
0
 
LVL 20

Author Comment

by:carlmd
ID: 41850196
Yes, you have to get and compile the tcp wrappers for AIX as well. I did that, but then found out that telnet must also have been compiled to support wrappers. Evidently the stock version for AIX5.1 does not have this support.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41850456
Does your telnet launch from inetd.conf place tcpd from tcpwrapper before the telnet app?
This will convert the telnet to support tcp_wrapper.
Make sure to test by using the individual IP deny; look at the messages/syslog for tcpwrapper events.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41850480
Yes, and I have already done that. It will launch telnet, but it is the version that does not support wrappers, so no allow/deny filtering takes place.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41851181
I do not understand what you mean.
telnet by itself will not support wrappers,
when configuring the telnet within inetd you use tcpd as the one that will be launched, which will verify whether the incoming connection is authorized/validates, at which point it will launch telnet. If it does not validate, tcpd will error out/close the connection.

I am unfamiliar with AIX, so let's say the following is the correct formatting for an inetd.conf entry for telnet
telnet     stream  tcp6    nowait  root    /usr/sbin/tcpd /usr/sbin/in.telnetd      telnetd
the command is not in.telnet but actually '/usr/sbin/tcpd /usr/sbin/in.telnetd' tcpd makes the determination on whether the telnet session proceeds

Hope this clarifies things. Sorry, but the formatting might be incorrect for AIX; look at inetd.conf and post the line for telnet, and I will provide the alternative and see if that works.
One option could be to use a different port for testing to avoid locking your access out.
0
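An added example, not part of the thread and not code from either poster: a small POSIX shell audit that reads an inetd.conf, reports which services inetd starts through tcpd, and checks whether hosts.deny names the daemon tcpd will actually match on (the basename of argv[0]). The function names, file contents and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All file contents below are constructed.

# audit_inetd FILE: print "<service> wrapped|direct|internal <daemon>" per entry.
# inetd.conf fields: service socktype proto wait user server-path argv0 [args]
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }            # comments, blank or short lines
        $6 == "internal"     { print $1, "internal", "-"; next }
        {
            n = split($6, path, "/"); m = split($7, arg0, "/")
            if (path[n] == "tcpd") print $1, "wrapped", arg0[m]  # rules checked first
            else                   print $1, "direct", path[n]   # rules never consulted
        }' "$1"
}

# has_rule FILE DAEMON: succeed if an active rule names DAEMON or ALL.
has_rule() {
    awk -F: -v d="$2" '
        /^[ \t]*#/ { next }
        {
            n = split($1, names, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (names[i] == d || names[i] == "ALL") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# write_samples DIR: constructed inetd.conf and hosts.deny for the demonstration.
# The deny rule names "telnetd", but the wrapped entry runs as "in.telnetd".
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd
echo    stream  tcp  nowait  root  internal
EOF
    cat > "$1/hosts.deny" <<'EOF'
telnetd: ALL
EOF
}

demo_dir=${TMPDIR:-/tmp}/tcpd_audit.$$
mkdir -p "$demo_dir" && write_samples "$demo_dir"
audit_inetd "$demo_dir/inetd.conf" | while read -r svc state daemon; do
    note=""
    if [ "$state" = wrapped ] && ! has_rule "$demo_dir/hosts.deny" "$daemon"; then
        note="(hosts.deny has no rule for $daemon)"
    fi
    echo "$svc $state $daemon $note"
done
rm -rf "$demo_dir"
```

A service reported as "direct" is never filtered by hosts.allow/hosts.deny, and a "wrapped" service with no matching rule is allowed by default.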
 
LVL 20

Author Comment

by:carlmd
ID: 41851773
Take a look at the first section of the following for an explanation about wrapper support.

https://www.ibm.com/developerworks/aix/library/au-tcpwrapper/
0
 
LVL 78

Expert Comment

by:arnold
ID: 41851928
Yes, I am aware of tcp wrappers; the document includes an example on how you would change the inetd.conf file to secure your telnet sessions. Look on page 4, configuring wrappers.

The portion for sshd is a different matter: if the installed sshd is custom and does not include source, the only way to add sshd with wrappers would be to install OpenSSL/OpenSSH configured --with-tcp-wrappers or similar; see ./configure --help for the OpenSSH compilation options.

I've not used AIX, so if you could be more specific about what it is you have a question on in the IBM document, I'd review and will try to answer/explain as best I can based on TCP wrapper implementation in similar circumstances under other OSs that did not provide TCP-wrapper functionality as provided by the vendor of the OS, Solaris 5.6, 5.7.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41852724
Don't really have any questions on the implementation, just where to get a version of telnet and/or ssh that supports wrappers.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41852772
ssh: openssh.org, openssl.org; you need openssl for the ssl library.
telnet/rlogin has been abandoned long ago because of its insecurity.

Adding the tcp_wrappers tcpd as described on page 4 of the pdf in the link you posted facilitates the adjustment of a telnet session/function on your server to enforce/enable tcp_wrapper functionality.

You seem to either ignore the option, or insist on an approach that might not be available. I have not looked at whether there is a telnet source that you could compile while incorporating tcp_wrappers.

Let's say you have a 150 pound crate that you need to move; your questions seem to persist along the line of how you can bulk up to move the crate versus using the tools already available to you to achieve the same goal.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41852828
I am happy to listen if you have an alternative to tcp wrappers. I just can't find one.

To reiterate, I downloaded and built/compiled tcp wrappers, installed ssh and ssl from rpm's, and tested all. Based upon the pdf document it appears that neither telnet that came with the AIX OS, or ssh installed from the rpm, have support for wrappers. I created all config files, modified inetd.conf and tested wrappers with both. They just don't work, as I would expect without the stated support for wrappers.

Not sure what you mean by "tools already available to you", but if you are referring to something other than tcp wrappers, please explain.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41852990
First things first, replace /usr/sbin/telnetd with /usr/sbin/tcpd in your /etc/inetd.conf
This will convert and make your telnet sessions tcp_wrapper enforced when you add the entries in /etc/hosts.deny and /etc/hosts.allow with the rules you want enforced.

run the strings sshd as suggested in the write-up to see whether the RPM/Package you obtained has tcp_wrappers compiled in.
You can always get the source and compile the ssh and openssl items; enable during the configuration the options you want. --with-tcp-wrappers etc.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41853487
Inetd.conf already has the tcpd entry. I did that to test, this along with the hosts.deny and hosts.allow

sshd does not have tcp_wrappers compiled in, already checked that.

I will look for source for ssl and ssh and see how that works out.
0
 
LVL 78

Accepted Solution

by:arnold (earned 500 total points)
ID: 41853800
Ok, so your remaining outstanding issue is to add an sshd daemon with tcp_wrapper support.

Make sure when configuring use --prefix=/usr/local --with-tcp_wrappers to make sure you would not overwrite the included sshd.
0
 
LVL 20

Author Closing Comment

by:carlmd
ID: 41858894
I was hoping for a different solution but obviously there was no easy one.

Currently building openssh.
0
