#8, 10th November 2011
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,446

While I don't use hosts_access myself, something you wrote above just caught my eye:
"I read that hosts.allow need to see a new line character."
Say, what!!!??!!

OK. I'm going to take a wild guess that you have done some manual edit gyrations with your hosts.* files to add control characters, and that is the root cause of your problem.

Text editors (vi, mg, emacs, vim, ... and the bazillion X-based ones) on Unix-like systems will automatically place newline bytes at the end of a line, as will echo(1), typically used with > or >> in a shell to put text in a file.

It's just a guess, of course.


Now, I don't use hosts_access. Never have, never will. If I want to filter any packets, in -or- out, by IP address, I use PF. That is common practice, best practice, and my recommendation.

PF is most commonly used when OpenBSD is deployed as a router/firewall, but you can use it on destination servers and on workstations. The PF User's Guide, which is part of the FAQ, starts here.


There are many choices for authentication. Both Public Key and Challenge/Response (used with s/key) are enabled by default, and I use both. I prefer PKA, because with SSH it is easy and simple to use.
As an example, with OpenSSH's PKA tools, I could give you, and only you, shell access to a server of mine by trading information in this thread, publicly. You would create a key pair on your machine. One key is public, the other, private. You post the public key in the thread. I create an account that authorizes the ssh(1) client that uses that public key (matched mathematically to the private half you keep private), and give you the domain name or IP address of the server. No passwords are shared. Nothing passed between us in private. That public key is tied to your private key, which you keep. Only someone with that private key-half is authorized to use the account, as the authentication is two-way, requiring mathematical proof you have the private key.

You can also protect the key pair with a pass phrase, which should meet any commercial security standard for authentication, since two things are needed to log in: 1) something you have -- the private key, and 2) something you know -- the matching passphrase.
I also use s/key, for times when I do not have a private key available -- public computers, other people's computers, whatever. I do not fear keyloggers, even in public settings, because each login requires a unique passphrase. It's a one-time-use pad. I won't type anything private while on them, while logged in, for fear of those keyloggers. But the login? No worries.
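The post's guess is that hand-editing left hosts.allow either without a final newline or with stray control characters. The following script is an added example, not jggimi's code or anything from OpenBSD; it checks a hosts_access(5)-style file for both mistakes and appends a rule without gluing it onto an unterminated last line. The file contents, paths and rule text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the forum post: sanity-check a hosts_access(5) file
# such as /etc/hosts.allow for a missing final newline and for stray control
# characters, and append a rule safely. Paths and rules here are assumptions.
set -u

# Succeeds if FILE is empty or its last byte is a newline (octal 012).
ends_with_newline() {
    [ -s "$1" ] || return 0
    # tail -c 1 yields the last byte; od renders it as a portable octal value.
    last=$(tail -c 1 "$1" | od -An -to1 | tr -d ' \n')
    [ "$last" = "012" ]
}

# Prints how many bytes in FILE are neither tab, newline nor printable ASCII
# (a carriage return left by a DOS-format editor shows up here, as does DEL).
count_control_chars() {
    LC_ALL=C tr -d '\011\012\040-\176' < "$1" | wc -c | tr -d ' '
}

# append_rule FILE RULE: appends RULE on its own line, first terminating an
# unfinished last line so the new rule is not merged into the previous one.
append_rule() {
    ends_with_newline "$1" || printf '\n' >> "$1"
    printf '%s\n' "$2" >> "$1"
}

# Demonstration on a constructed temporary copy; the real /etc/hosts.allow is untouched.
demo=$(mktemp)
printf 'sshd: 192.0.2.0/24' > "$demo"   # constructed: no trailing newline, as a bad edit leaves it
ends_with_newline "$demo" || echo "missing final newline in $demo"
append_rule "$demo" 'sshd: 198.51.100.7'
ends_with_newline "$demo" && echo "after append_rule:" && cat "$demo"
echo "control characters found: $(count_control_chars "$demo")"
rm -f "$demo"
```

Run it on a real file with `ends_with_newline /etc/hosts.allow` and `count_control_chars /etc/hosts.allow`; a non-zero count usually means the file was edited on, or pasted from, a system with a different line-ending convention.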
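The key exchange the post describes (you post your public key, the admin authorizes it on an account) has a server-side step that is easy to get subtly wrong: the key line must be well-formed and the files must have permissions sshd accepts. This is an added example, not jggimi's procedure or OpenSSH's own tooling; it installs a pasted public-key line into an account's authorized_keys. Account creation is left out so it runs unprivileged, and the key blob shown is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the forum post: server-side installation of a public
# key posted by the other party. The client would first run, for instance,
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519      (prompts for a passphrase)
# and post the single line in ~/.ssh/id_ed25519.pub. Paths are assumptions.
set -u

# Accept only a well-formed public key line: key type, base64 blob, optional
# comment with no control characters. Anything else is refused rather than
# appended, so a mangled paste cannot corrupt the file.
valid_pubkey() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# install_authorized_key HOMEDIR PUBKEY_LINE
# Creates HOMEDIR/.ssh/authorized_keys with the permissions sshd's default
# StrictModes requires (writable only by the owner) and appends the key with a
# trailing newline, so the next key added cannot be glued onto this one.
install_authorized_key() {
    home=$1
    key=$2
    valid_pubkey "$key" || { echo "rejected: not a public key line" >&2; return 1; }
    (
        umask 077
        mkdir -p "$home/.ssh"
        chmod 700 "$home/.ssh"
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
        chmod 600 "$home/.ssh/authorized_keys"
    )
}

# Demonstration against a temporary home directory (constructed, not a real account).
demo_home=$(mktemp -d)
# Constructed placeholder blob; a real key is what ssh-keygen writes to the .pub file.
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBNOTREAL poster-from-thread'
install_authorized_key "$demo_home" "$demo_key" && cat "$demo_home/.ssh/authorized_keys"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

If sshd still refuses the key, the usual cause is the home directory itself being group- or world-writable, which StrictModes also rejects; `chmod go-w` on the home directory fixes that, and sshd's log names the offending path.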