From: Charles Wilson
Date: Sat, 03 Jan 2009 13:38:31 -0500
To: cygwin AT cygwin DOT com
Subject: Re: Openssh compatibility problem?

Michael Makuch wrote:
> 1) On one occasion I found these with chmod 0;
>
> $ ls -l hosts.allow hosts.deny
> ---------- 1 mkm None 434 Jan 3 11:49 hosts.allow
> ----------+ 1 mkm None 225 Jan 3 00:38 hosts.deny
>
> I don't know how or why but this was on a fresh cygwin install, latest
> bits DLd yesterday. I just re-confirmed a fresh install of cygwin
> leaves these 2 files chmod 0.

The default versions of these files are actually installed as:

-rw-r--r-- etc/defaults/etc/hosts.allow
-rw-r--r-- etc/defaults/etc/hosts.deny

and are copied to /etc by the postinstall script, here:

======================
#!/bin/bash
DEFAULTSDIR=/etc/defaults
for fn in /etc/hosts.allow /etc/hosts.deny
do
  if [ ! -f "${fn}" ]
  then
    cp "${DEFAULTSDIR}${fn}" "${fn}"
  fi
done
=======================

I have no explanation for the chmod 0 issue. It looks like a setup.exe bug, to me...
> Without read perms it appears that sshd will not allow ssh to connect
> from anywhere, local nor remote. With read perms things get better.
>
> 2) In some recent release the default hosts.allow has been modified to
>
> ALL : PARANOID : deny
> sshd: ALL
>
> I am surmising that PARANOID is a relatively new feature and unsupported
> by openssh 4.5 - I deduce this since when I remove PARANOID I can then
> successfully ssh from openssh 4.5. In essence I would call this a
> "compatibility" issue between this version of Cygwin and the older ones.

Err...no. These are tcp_wrappers issues; sshd (whether 4.5, 5.1, or whatever) doesn't care. It simply asks the tcp wrapper library "is this incoming IP request OK?" and gets a yes/no answer. If your tcp_wrappers package installs a hosts.allow file that includes PARANOID, then your tcp_wrappers library supports PARANOID. End of story.

The issue is what PARANOID actually DOES. It verifies that the incoming connection's name and IP match -- in both directions. That is, a DNS lookup on the IP address gives a name, and a second DNS lookup on that name gives (possibly a list of) IP addresses, one of which had better be the original IP. If there is a mismatch, then (a) there is a DNS misconfiguration, or (b) somebody is trying to spoof/hack you.

In your case, I'd guess DNS misconfiguration. Check:

mtm@plum $ nslookup plum
mtm@plum $ nslookup

and see what that tells you. Also,

mtm@plum $ /usr/sbin/tcpdmatch plum

should report useful info (both to syslog, and to the display).

I recently posted an explanation of a "DNS misconfiguration" that is more-or-less built in to Windows Vista with regards to the name "localhost" -- which is why the default hosts.allow will soon include

all : localhost 127.0.0.1 [::1] : allow

as the first line.
See http://cygwin.com/ml/cygwin/2008-12/msg00678.html

--
Chuck
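The following is an added example, not code from this thread, from Cygwin, or from tcp_wrappers itself: a miniature evaluator for hosts.allow/hosts.deny rules that implements the PARANOID check Chuck describes (reverse-resolve the client IP to a name, forward-resolve that name, and require the original IP to be among the answers). It mirrors the tcp_wrappers conventions that a client with no PTR record is called UNKNOWN while a forward/reverse mismatch is called PARANOID, that hosts.allow is consulted before hosts.deny with the first matching rule winning, and that an explicit allow/deny option overrides the file it sits in. DNS is injected as two dictionaries so it runs offline; every host name, address and rule below is constructed for illustration (the "localhost resolves only to ::1" entry stands in for the Vista behaviour referenced above). On a real Cygwin box the equivalent check is tcpdmatch.

```python
"""Added example (not from the cygwin thread): tcp_wrappers-style access
control with the PARANOID forward/reverse DNS check. All hosts, addresses and
rules are constructed for illustration."""
import ipaddress
from typing import Callable, List, Optional, Tuple

Reverse = Callable[[str], Optional[str]]   # ip -> PTR name, or None if no PTR
Forward = Callable[[str], List[str]]       # name -> addresses ([] if none)


def classify_client(ip: str, reverse: Reverse, forward: Forward) -> str:
    """Name the client the way tcp_wrappers does: no PTR gives 'unknown',
    a PTR name that does not resolve back to ip gives 'paranoid',
    otherwise the (lowercased) hostname."""
    name = reverse(ip)
    if name is None:
        return "unknown"
    if ip in forward(name):
        return name.lower()
    return "paranoid"


def client_matches(pattern: str, ip: str, client: str) -> bool:
    """One client_list token: ALL/KNOWN/UNKNOWN/PARANOID wildcards, a host
    name, a '.domain' suffix, a 'net.' prefix, an address or a CIDR/[IPv6]
    network."""
    p = pattern.lower()
    if p == "all":
        return True
    if p == "known":
        return client not in ("unknown", "paranoid")
    if p in ("unknown", "paranoid"):
        return client == p
    if p.startswith("[") and p.endswith("]"):
        p = p[1:-1]                      # [::1] -> ::1
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
    except ValueError:
        pass                             # not an address or network literal
    if p.startswith("."):
        return client.endswith(p)
    if p.endswith("."):
        return ip.startswith(p)
    return client == p


def split_fields(line: str) -> List[str]:
    """Split on ':' but not inside [...] so IPv6 literals like [::1] survive."""
    fields, cur, depth = [], [], 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return [f.strip() for f in fields]


def parse_rules(text: str) -> List[Tuple[List[str], List[str], Optional[str]]]:
    """'daemon_list : client_list [: allow|deny]' per line; '#' comments ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = split_fields(line)
        daemons = fields[0].split()
        clients = fields[1].split() if len(fields) > 1 else []
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def access_decision(daemon: str, ip: str, hosts_allow: str, hosts_deny: str,
                    reverse: Reverse, forward: Forward) -> str:
    """hosts.allow first, then hosts.deny; first match wins; an explicit
    allow/deny option overrides the file; no match at all means allow."""
    client = classify_client(ip, reverse, forward)
    for default, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for daemons, clients, option in parse_rules(text):
            if not any(d.lower() in ("all", daemon.lower()) for d in daemons):
                continue
            if any(client_matches(c, ip, client) for c in clients):
                return option or default
    return "allow"


# Constructed DNS (not real hosts): 'liar' has a PTR that forward-resolves
# elsewhere, 192.0.2.30 has no PTR at all, and 'localhost' forward-resolves
# only to ::1, so 127.0.0.1 fails the PARANOID check.
PTR = {"192.0.2.10": "plum.example.test", "192.0.2.20": "liar.example.test",
       "127.0.0.1": "localhost"}
FWD = {"plum.example.test": ["192.0.2.10"], "liar.example.test": ["192.0.2.99"],
       "localhost": ["::1"]}
reverse = PTR.get
forward = lambda name: FWD.get(name.lower(), [])

# Constructed rule sets modelled on the hosts.allow lines quoted in the thread.
HOSTS_ALLOW = """\
ALL : localhost 127.0.0.1 [::1] : allow
ALL : PARANOID : deny
sshd : ALL
"""
HOSTS_DENY = "ALL : ALL\n"


def decide(ip: str, hosts_allow: str = HOSTS_ALLOW) -> str:
    """Decision for an sshd connection from ip under the constructed DNS."""
    return access_decision("sshd", ip, hosts_allow, HOSTS_DENY, reverse, forward)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "127.0.0.1"):
        print(ip, classify_client(ip, reverse, forward), decide(ip))
```

Running it shows the three cases in the thread side by side: the mismatched client is PARANOID and denied by the second rule, the client with no PTR is merely UNKNOWN and gets through "sshd : ALL", and 127.0.0.1 is only admitted because the new first rule matches it by address before the PARANOID rule is reached. Dropping the PARANOID line, as Michael did, admits the mismatched client too, which is why that is a DNS fix and not a compatibility fix.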