X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-0.7 required=5.0 	tests=BAYES_40,DKIM_SIGNED,DKIM_VALID,RCVD_IN_DNSWL_LOW
X-Spam-Check-By: sourceware.org
Message-ID: <4BCCDA62.7040609@cwilson.fastmail.fm>
Date: Mon, 19 Apr 2010 18:34:10 -0400
From: Charles Wilson <cygwin AT cwilson DOT fastmail DOT fm>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Cygwin Mailing List <cygwin AT cygwin DOT com>
Subject: Re: tcp_wrappers sshd hosts.allow problem
References: <k2w6910a61004020418r95cf717lf0a5aa92284cc775 AT mail DOT gmail DOT com>
In-Reply-To: <k2w6910a61004020418r95cf717lf0a5aa92284cc775@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

[Sorry for the delay in responding; I actually replied
contemporaneously, but...I only sent it to myself/Bcc; it never went to
the list]

On 4/2/2010 7:18 AM, Reini Urban wrote:

> >  ALL : localhost 127.0.0.1/32 [::1]/128 : allow
> > -ALL : PARANOID : deny
> >  sshd: ALL
> > +ALL : PARANOID : deny
> >
> > sshd : ALL behind ALL PARANOID : deny is ignored, It must be before.
> > Symptom:
> >
> > debug1: fd 4 clearing O_NONBLOCK
> > debug1: Server will not fork when running in debugging mode.
> > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> > debug1: inetd sockets after dupping: 3, 3
> > debug1: Connection refused by tcp wrapper

Err...no.  The /etc/hosts.allow shipped by -21 does not differ (in this
respect) from the one shipped by -20 for the last year, nor from the one
shipped by -5 since 27 Apr 2008.

The solution to a failure due to PARANOID is not to remove it or
otherwise bypass it -- but to fix your local DNS.  If you can't do that,
THEN you can disable the PARANOID check, but just for your broken lan.
It's not a reason to suggest disabling the PARANOID check for everyone
by default.

Take a look at /var/log/messages, and see what tcpd is reporting there.

--
Chuck

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple