Solved

Need a version of telnet and/or ssh that supports tcp wrappers on AIX 5.1

Posted on 2016-10-19
Last Modified: 2016-10-25
I have an older system that is running AIX 5.1. It has installed telnet and ssh, but neither has wrapper support. I want to use tcp wrappers to control access to both, but have been unable to find a version of either telnet or ssh that has support for it. I have tcp wrappers installed and I believe it will work if I can get either in a version with wrapper support.

Does anyone know how to obtain a version of either telnet or ssh that will support wrappers? My search of IBM and other sites has not come up with anything.

thanks...
Question by:carlmd
16 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 41850145
Not specifically for AIX, usually telnet in /etc/inetd.conf you put the TCP wrapper tcpd binary with the in.telnetd ......... Tcpd will do the tcpwrapper functionality.

For sshd, it needed to be recompiled if tcp_wrappers option was not already included.

try strings sshd | grep wrapper
Adding sshd: ip or ip range in hosts.allow
Then adding sshd:all  in /etc/hosts.deny
And see if that works.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41850177
I did the strings command on both telnet and ssh and neither have wrapper support. From what I read, evidently either must be built with wrapper support.

I did modify inetd.conf and replaced tcp6 with tcp, and telnetd with tcpd. I also have a hosts.deny file that passes the check program, and have refreshed inetd. But, unfortunately it does not work.

So that is why I am on a hunt for a version of telnet or ssh that supports wrappers.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41850189
Not sufficiently familiar with AIX to know what should be.
In other systems I've used from Solaris, Linux in various flavors, sshd had to be recompiled (OpenSSH used as the alternative).
However, for telnet, and other inetd based connections, one had to get the tcp_wrappers library compiled, install it and use the tcpd that is part of the tcp_wrapper, as the command preceding the service/component in /etc/inetd.conf

Telnet /usr/local/bin/tcpd /usr/sbin/in.telnetd as an example
0
 
LVL 20

Author Comment

by:carlmd
ID: 41850196
Yes, you have to get and compile the tcp wrappers for AIX as well. I did that, but then found out that telnet must also have been compiled to support wrappers. Evidently the stock version for AIX5.1 does not have this support.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41850456
Does your telnet launch from inetd.conf place tcpd from tcpwrapper before the telnet app?
This will convert the telnet to support tcp_wrapper.
Make sure to test by using the individual IP deny; look at the messages/syslog for tcpwrapper events.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41850480
Yes, and I have already done that. It will launch telnet, but it is the version that does not support wrappers, so no allow/deny filtering takes place.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41851181
I do not understand what you mean.
telnet by itself will not support wrappers,
when configuring the telnet within inetd you use the tcpd as the one that will be launched, which will verify whether the connecting connection is authorized/validates, at which point it will launch telnet. If it does not validate, tcpd will error out/close the connection.

I am unfamiliar with AIX so let's say the following is the correct formatting for an inetd.conf entry for telnet
telnet     stream  tcp6    nowait  root    /usr/sbin/tcpd /usr/sbin/in.telnetd      telnetd
the command is not in.telnet but actually '/usr/sbin/tcpd /usr/sbin/in.telnetd'; tcpd makes the determination on whether the telnet session proceeds

Hope this clarifies things. Sorry, but the formatting might be incorrect for AIX; look at inetd.conf and post the line for telnet, and I will provide the alternative and see if that works.
One option could be to use a different port for testing to avoid locking your access out.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41851773
Take a look at the first section of the following for an explanation about wrapper support.

https://www.ibm.com/developerworks/aix/library/au-tcpwrapper/
0

 
LVL 76

Expert Comment

by:arnold
ID: 41851928
Yes, I am aware of tcp wrappers; the document includes an example on how you would change the inetd.conf file to secure your telnet sessions. Look on page 4, configuring wrappers.

The portion for sshd is a different matter. If the installed sshd is custom and does not include source, the only way to add sshd with wrappers would be to install OpenSSL/OpenSSH configured --with-tcp-wrappers or similar; see ./configure --help for the OpenSSH compilation options.

I've not used AIX, so if you could be more specific about what it is you have a question on in the IBM document, I'd review and will try to answer/explain as best I can based on TCP wrapper implementation in similar circumstances under other OSs that did not provide TCP-wrapper functionality as provided by the vendor of the OS, Solaris 5.6, 5.7.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41852724
Don't really have any questions on the implementation, just where to get a version of telnet and/or ssh that supports wrappers.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41852772
ssh, openssh.org openssl.org you need openssl for the ssl library.
telnet/rlogin has been abandoned long ago because of its insecurity.

Adding the tcp_wrappers tcpd as described on page 4 of the pdf in the link you posted facilitates the adjustment of a telnet session/function on your server to enforce/enable tcp_wrapper functionality.

You seem to either ignore the option, or insist on an approach that might not be available. I have not looked at whether there is a telnet source that you could compile while incorporating tcp_wrappers.

Let's say you have a 150 pound crate that you need to move; your questions seem to persist along the line of how you can bulk up to move the crate versus using the tools already available to you to achieve the same goal.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41852828
I am happy to listen if you have an alternative to tcp wrappers. I just can't find one.

To reiterate, I downloaded and built/compiled tcp wrappers, installed ssh and ssl from rpm's, and tested all. Based upon the pdf document it appears that neither telnet that came with the AIX OS, or ssh installed from the rpm, have support for wrappers. I created all config files, modified inetd.conf and tested wrappers with both. They just don't work, as I would expect without the stated support for wrappers.

Not sure what you mean by "tools already available to you" but if you referring to something other than tcp wrappers, please explain.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41852990
First things first, replace /usr/sbin/telnetd with /usr/sbin/tcpd in your /etc/inetd.conf
This will convert and make your telnet sessions tcp_wrapper enforced when you add the entries in /etc/hosts.deny and /etc/hosts.allow with the rules you want enforced.

run the strings sshd as suggested in the write-up to see whether the RPM/Package you obtained has tcp_wrappers compiled in.
You can always get the source and compile the ssh and openssl items; enable during the configuration the options you want. --with-tcp-wrappers etc.
0
 
LVL 20

Author Comment

by:carlmd
ID: 41853487
inetd.conf already has the tcpd entry. I did that to test, this along with the hosts.deny and hosts.allow.

sshd does not have tcp_wrappers compiled in, already checked that.

I will look for source for ssl and ssh and see how that works out.
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 41853800
Ok, so your remaining outstanding issue is add an sshd daemon with tcp_wrapper support.

Make sure when configuring use --prefix=/usr/local --with-tcp_wrappers to make sure you would not overwrite the included sshd.
0
 
LVL 20

Author Closing Comment

by:carlmd
ID: 41858894
I was hoping for a different solution but obviously there was no easy one.

Currently building openssh.
0
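
Added example, not part of the thread or of any participant's post: a shell audit of the two things the inetd discussion turns on, namely whether a service's server program in inetd.conf really is tcpd, and whether hosts.deny names the daemon that tcpd will match (the basename of argv[0], e.g. `telnetd`, not the service name `telnet`). The sample files, paths and function names are constructed for illustration, and only plain daemon names are handled.

```shell
#!/bin/sh
# Constructed sample files; on a live system point CONF and DENY at the
# real /etc/inetd.conf and /etc/hosts.deny instead.
WORK=${TMPDIR:-/tmp}/tcpd-audit.$$; mkdir -p "$WORK"
CONF=$WORK/inetd.conf; DENY=$WORK/hosts.deny
trap 'rm -rf "$WORK"' EXIT
cat > "$CONF" <<'EOF'
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  telnetd -a
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  rshd
EOF
cat > "$DENY" <<'EOF'
telnetd, rshd : ALL
EOF

# Print the daemon name tcpd matches rules against (basename of argv[0],
# field 7) when the service's server program (field 6) is tcpd.
# Returns 1 if the service is missing, commented out, or not wrapped.
wrapped_daemon() {  # $1 = inetd.conf, $2 = service name
  awk -v svc="$2" '
    /^[ \t]*#/ || NF < 7 { next }
    $1 == svc && $6 ~ /(^|\/)tcpd$/ {
      n = split($7, p, "/"); print p[n]; found = 1; exit
    }
    END { exit !found }' "$1"
}

# Return 0 if the access file has a rule whose daemon list names the
# daemon or ALL. Plain names only: no EXCEPT, no daemon@host patterns.
rule_covers() {  # $1 = hosts.allow or hosts.deny, $2 = daemon name
  awk -v d="$2" '
    /^[ \t]*#/ || !/:/ { next }
    {
      list = $0; sub(/:.*/, "", list)
      n = split(list, names, /[ \t,]+/)
      for (i = 1; i <= n; i++)
        if (names[i] == d || names[i] == "ALL") { hit = 1; exit }
    }
    END { exit !hit }' "$1"
}

for svc in telnet ftp shell; do
  if d=$(wrapped_daemon "$CONF" "$svc"); then
    rule_covers "$DENY" "$d" && echo "$svc: wrapped as $d, deny rule present" \
                             || echo "$svc: wrapped as $d, no deny rule"
  else
    echo "$svc: not launched through tcpd"
  fi
done
```

A service reported as wrapped but with no matching rule is the case where connections still get through even though tcpd is in the launch path.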
