The TCP Wrappers product suite contains the following components, each described in the sections that follow: the tcpd daemon, the libwrap.a library API, the tcpdchk and tcpdmatch tools, the try-from utility, and the safe_finger program.

The tcpd Daemon
The tcpd daemon monitors access to a service, logs the host name and the remote user name owning the connection, and performs additional access control checks. After tcpd has checked the connection, the wrapper invokes the requested server program and exits. You can use either of the following methods to enable tcpd.

The first method is to edit each entry in the /etc/inetd.conf file to include the tcpd server program, /usr/lbin/tcpd. The server program field in /etc/inetd.conf is the absolute path name of the server that inetd executes. For example, consider the following entry for the telnet service in /etc/inetd.conf:

telnet stream tcp nowait root /usr/lbin/telnetd telnetd

Edit this entry so that the server program is /usr/lbin/tcpd and the original server, /usr/lbin/telnetd, becomes its first argument:

telnet stream tcp nowait root /usr/lbin/tcpd /usr/lbin/telnetd telnetd

NOTE: If you specify this entry without the absolute path of telnetd (/usr/lbin/telnetd), tcpd looks for the telnetd binary in the /usr/lbin/wrapper directory.

The last component of the server path name (telnetd) is the daemon name that tcpd uses for access control and logging. When the telnet service is requested, inetd invokes tcpd instead of the telnet server. tcpd performs its access control checks and verifies that the connection is permitted; only then does it invoke telnetd. You can change the entries for other services in the same way. After making the changes, you must reconfigure inetd so that it rereads /etc/inetd.conf.

The second method is to move the service daemon to the /usr/lbin/wrapper directory and move tcpd to the location of the service daemon. With this method you need not change /etc/inetd.conf. For example, to enable the ftpd service with tcpd, create the wrapper directory and move ftpd into it by executing the following commands at the command prompt:

# mkdir /usr/lbin/wrapper
# mv /usr/lbin/ftpd /usr/lbin/wrapper

Then install tcpd at the original location, /usr/lbin/ftpd. When an ftp service is requested, inetd spawns /usr/lbin/ftpd, which is now actually the tcpd daemon. tcpd performs its access control checks before invoking the real ftpd daemon in the /usr/lbin/wrapper directory. For more information on tcpd configuration, type man 1M tcpd or man 4 tcpd.conf at the HP-UX prompt.
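The first method above, as an added example that is not HP-UX code: a small Python helper that rewrites the server-program field of selected /etc/inetd.conf entries so that inetd starts /usr/lbin/tcpd with the original server as its first argument, leaves entries that are already wrapped alone, and flags any wrapped entry whose real server is not given as an absolute path (the NOTE above: tcpd would then look for it under /usr/lbin/wrapper). The inetd.conf content and service names are constructed for the example, and the entry layout (service, socket type, protocol, wait flag, user, server program, arguments) is assumed from the telnet entry shown above. Run it against a copy of the real file, never in place, and reconfigure inetd afterwards.

```python
"""Added example (not HP-UX code): wrap selected inetd.conf entries with tcpd.

Rewrites the server-program field of chosen /etc/inetd.conf entries so that
inetd runs /usr/lbin/tcpd with the original server as its first argument,
and warns about wrapped entries whose real server path is not absolute,
because tcpd would then look for that binary under /usr/lbin/wrapper.
"""

TCPD = "/usr/lbin/tcpd"
WRAPPER_DIR = "/usr/lbin/wrapper"

# Constructed sample of /etc/inetd.conf for the example, not from a real system.
SAMPLE_INETD_CONF = """\
# telnet and ftp as shipped
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
# already wrapped, must not be wrapped twice
finger  stream tcp nowait bin  /usr/lbin/tcpd    /usr/lbin/fingerd fingerd
# relative server path: tcpd would look in /usr/lbin/wrapper
login   stream tcp nowait root /usr/lbin/tcpd    rlogind rlogind
"""


def wrap_entry(line, services):
    """Return (new_line, warning) for one inetd.conf line.

    Field layout assumed here: service socket_type proto wait user
    server_program [server_args...]. Comment, blank, unselected and
    already-wrapped lines are returned unchanged.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, None
    fields = stripped.split()
    if len(fields) < 6:
        return line, "malformed entry: %s" % stripped
    service, server = fields[0], fields[5]
    if server == TCPD:
        # Already wrapped: apply the NOTE about the real server's path.
        if len(fields) < 7:
            return line, "%s: tcpd is given no server to run" % service
        if not fields[6].startswith("/"):
            return line, ("%s: server %r is not an absolute path; tcpd will look "
                          "for it in %s" % (service, fields[6], WRAPPER_DIR))
        return line, None
    if service not in services:
        return line, None
    if not server.startswith("/"):
        return line, "%s: cannot wrap relative server path %r" % (service, server)
    # tcpd becomes the program; the old program becomes its first argument and
    # the original argument list (argv[0] first) follows unchanged.
    return " ".join(fields[:5] + [TCPD, server] + fields[6:]), None


def wrap_inetd_conf(text, services):
    """Wrap every entry of the named services; return (new_text, warnings)."""
    out, warnings = [], []
    for line in text.splitlines():
        new_line, warning = wrap_entry(line, set(services))
        out.append(new_line)
        if warning:
            warnings.append(warning)
    return "\n".join(out) + "\n", warnings


def daemon_name(server_program):
    """Last path component: the name tcpd uses for ACL lookup and logging."""
    return server_program.rsplit("/", 1)[-1]


if __name__ == "__main__":
    new_conf, warns = wrap_inetd_conf(SAMPLE_INETD_CONF, ["telnet", "ftp"])
    print(new_conf)
    for w in warns:
        print("WARNING:", w)
```

The warning for the login entry is the case the NOTE describes: the entry is wrapped, but rlogind is named without its absolute path, so tcpd would search /usr/lbin/wrapper for it.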
The libwrap.a Library

The libwrap.a library provides a set of APIs that independent applications can use to enforce host access control based on the /etc/hosts.allow and /etc/hosts.deny files. The APIs implement a rule-based access control language with optional shell commands that are executed when a rule matches. To enforce host access control in an independent daemon, the service must include the tcpd.h header file and link with the libwrap.a library. The library contains the following APIs:

request_init() Initializes a request_info structure with the client request information.

request_set() Updates an initialized request_info structure.

Both request_init() and request_set() take a request_info structure and a variable-length list of key-value pairs as input parameters, and return the request_info structure defined in the tcpd.h header file. The argument list is terminated with a zero key value.

hosts_access() Reads the ACLs and returns 1 if access is granted and 0 if it is denied.

hosts_ctl() A wrapper around request_init() and hosts_access(). It accepts the daemon name, client host name, client address, and user name as input parameters. The client host name, address, and user name arguments must contain valid data or the value STRING_UNKNOWN defined in tcpd.h. If access is denied, hosts_ctl() returns 0.

There are two ways to implement access control checks in a daemon program:

Fill in the variable elements of the request_info structure using request_init() and request_set(), then call hosts_access() to check these elements against the ACLs.

Call hosts_ctl() with the appropriate input parameters to check against the ACLs.
For more information on these APIs, type man 3 hosts_access at the HP-UX prompt.

The tcpdchk Tool

The tcpdchk tool performs the following functions:

Examines the validity of entries in the /etc/inetd.conf file and in the ACLs.

Inspects the TCP wrapper configuration and reports any problems it finds.

Checks the tcpd access control files (/etc/hosts.allow and /etc/hosts.deny) and compares the entries in these files with the entries in the /etc/inetd.conf file.

You can run the tcpdchk tool on the command line as follows:

/usr/bin/tcpdchk [-a] [-d] [-i inet_conf] [-v]

where

-a Reports access control rules that grant access without an explicit ALLOW keyword.

-d Examines the hosts.allow and hosts.deny files in the current directory instead of those in the default directory, /etc.

-i inet_conf Specifies a different location for the inetd.conf file instead of the default, /etc/inetd.conf.

-v Displays the contents of each access control rule (the daemon list, client list, shell command, and options) in a printable format. This helps you identify discrepancies in the output.
For more information, type man 1 tcpdchk at the HP-UX prompt.

The tcpdmatch Tool

The tcpdmatch tool simulates the behavior of the wrapper daemon, tcpd, for a particular host and service: it predicts how tcpd would handle a specific service request. It examines the tcpd access control tables (/etc/hosts.allow and /etc/hosts.deny) and prints a report. For maximum accuracy, it also extracts information from the /etc/inetd.conf file. You can execute the tcpdmatch tool on the command line using either of the following formats:

/usr/bin/tcpdmatch [-d] [-i inet_conf] daemon client
/usr/bin/tcpdmatch [-d] [-i inet_conf] daemon[@server] [user@]client

daemon Specifies a daemon name.

client Specifies a host name, a network address, or the unknown or paranoid wildcard.

server Specifies a host name, a network address, or the unknown or paranoid wildcard.

user Specifies a client user identifier: a login name or a numeric user ID. The default user name is unknown.

Use the second form, with daemon@server, when the server has more than one address or name.

Example 3-1 Sample Usage of the tcpdmatch Tool

The following command shows how tcpd handles an ftp request from the local system:

# tcpdmatch ftpd localhost

If the host name lookup fails, tcpd sees only the address. To see how the same request is handled in that case, enter:

# tcpdmatch ftpd 127.0.0.1

To determine what tcpd does when the client name and address do not match, execute the following command at the command prompt:

# tcpdmatch ftpd paranoid

For more information on the tcpdmatch tool, type man 1 tcpdmatch, and for more information on wildcard patterns,
type man 5 hosts_access at the HP-UX prompt.

The try-from Utility

The try-from utility reports detailed information about a connection. Run it through a remote shell command to determine whether the host name and address of the client are recognized correctly and whether the user name lookup works. The try-from utility is executed from the command line as follows:

# remsh host /usr/bin/try-from

When invoked, try-from prints output of the following form:

client address (%a):
client hostname (%n):
client username (%u):
client info (%c):
server address (%A):
server hostname (%N):
server process (%d):
server info (%s):

The client information describes how the remote host sees the client in terms of address, name, and user name, whereas,
the server information describes the remote host itself. For more information on %<letter> expansions, type man 5 hosts_access at the HP-UX prompt.

The safe_finger Program

safe_finger is a wrapper around the finger client that protects against hostile data sent back by a remote finger server. It accepts all the options supported by the finger client; for those options, type man 1 finger at the HP-UX prompt. The following is an example of the safe_finger command:

# /usr/bin/safe_finger -l @xyz.abc.def.com

This command prints information about the users on the remote host xyz.abc.def.com. HP recommends that you use safe_finger, rather than finger, to implement traps in the access control language of the /etc/hosts.allow and /etc/hosts.deny files. For more information on setting traps, type man 5 hosts_access at the HP-UX prompt.
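To tie the sections above together, here is an added example, not HP-UX or TCP Wrappers code: a Python model of the access control language that hosts_access() reads, applied in the order tcpdmatch predicts (hosts.allow first, then hosts.deny, then allow), with the %<letter> expansion that try-from reports and a safe_finger trap in the deny table. It assumes the classic three-field rule form (daemon_list : client_list : shell_command) and models the client patterns ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, leading-dot domain suffix, trailing-dot address prefix, net/mask, exact name or address, user@host and EXCEPT. Netgroups, daemon@server patterns and the extended option syntax are left out, the set of characters sanitized in expansions is an assumption, and all host and table data is constructed. check() returns the verdict, the matching rule and the expanded command; the command is never executed.

```python
"""Added example, not HP-UX or TCP Wrappers code: a model of the access
control language that hosts_access() reads and that tcpdmatch simulates.
Rules have the classic form  daemon_list : client_list [ : shell_command ]
and are checked in tcpd's order: first match in hosts.allow grants, else
first match in hosts.deny refuses, else access is granted. Netgroups,
daemon@server and the extended option syntax are not modeled; shell
commands are %-expanded but never executed. All data below is constructed."""
import ipaddress
import re

UNKNOWN, PARANOID = "unknown", "paranoid"  # marker strings tcpd itself uses
# tcpd replaces shell-special characters in an expansion with '_' so a hostile
# user or host name cannot inject shell syntax; this exact set is an assumption.
SHELL_META = set("\"'`$&|;<>()[]{}\\*?!~ \t\r\n")

class Host:
    def __init__(self, name=UNKNOWN, addr=UNKNOWN, user=UNKNOWN):
        self.name, self.addr, self.user = name, addr, user

def _known(host):
    return host.name not in (UNKNOWN, PARANOID)

def _match_list(tokens, match_one):
    # "a EXCEPT b EXCEPT c" means a EXCEPT (b EXCEPT c): split at the first EXCEPT
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], match_one) and not _match_list(tokens[i + 1:], match_one)
    return any(match_one(tok) for tok in tokens)

def _match_host(pat, host):
    keywords = {"ALL": True,
                "LOCAL": _known(host) and "." not in host.name,      # known name, no dot
                "KNOWN": _known(host) and host.addr != UNKNOWN,
                "UNKNOWN": host.name == UNKNOWN or host.addr == UNKNOWN,
                "PARANOID": host.name == PARANOID}                   # name/address disagree
    if pat in keywords:
        return keywords[pat]
    if pat.startswith("."):                             # domain suffix
        return _known(host) and host.name.lower().endswith(pat.lower())
    if pat.endswith("."):                               # address prefix
        return host.addr.startswith(pat)
    if "/" in pat and host.addr != UNKNOWN:             # net/mask, dotted mask or prefix length
        try:
            return ipaddress.ip_address(host.addr) in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            return False
    return pat == host.addr or (_known(host) and pat.lower() == host.name.lower())

def _match_client(pat, client):
    if "@" in pat:                                      # user_pattern@host_pattern
        user_pat, host_pat = pat.split("@", 1)
        user_ok = {"ALL": True, "KNOWN": client.user != UNKNOWN,
                   "UNKNOWN": client.user == UNKNOWN}.get(user_pat, user_pat == client.user)
        return user_ok and _match_host(host_pat, client)
    return _match_host(pat, client)

def parse_table(text):
    """Return [(line, daemon_tokens, client_tokens, shell_command or None)]."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():  # backslash-newline continues a rule
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]  # colons inside the command are kept
        if len(parts) < 2:
            raise ValueError("rule needs daemon_list : client_list: %r" % line)
        cmd = parts[2] if len(parts) == 3 and parts[2] else None
        rules.append((line, parts[0].replace(",", " ").split(), parts[1].replace(",", " ").split(), cmd))
    return rules

def expand(cmd, daemon, client, server):
    """Expand the %<letter> sequences of hosts_access(5), sanitizing each value."""
    def best(h):                                        # name if known, else address
        return h.name if _known(h) else h.addr
    values = {"a": client.addr, "n": client.name, "u": client.user, "h": best(client),
              "c": client.user + "@" + best(client) if client.user != UNKNOWN else best(client),
              "A": server.addr, "N": server.name, "H": best(server), "d": daemon,
              "s": daemon + "@" + best(server) if best(server) != UNKNOWN else daemon}
    def sub(m):
        key = m.group(1)
        if key == "%":
            return "%"
        if key not in values:
            return m.group(0)
        return "".join("_" if ch in SHELL_META else ch for ch in values[key])
    return re.sub(r"%(.)", sub, cmd)

def check(allow_text, deny_text, daemon, client, server=None):
    """Predict tcpd's decision as tcpdmatch does: (verdict, matching rule, command)."""
    server = server or Host()
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for line, d_toks, c_toks, cmd in parse_table(text):
            if (_match_list(d_toks, lambda t: t in ("ALL", daemon))
                    and _match_list(c_toks, lambda t: _match_client(t, client))):
                return verdict, line, expand(cmd, daemon, client, server) if cmd else None
    return "allow", None, None                          # nothing matched: tcpd grants access

# Constructed hosts.allow / hosts.deny for the example, not from any real system.
SAMPLE_ALLOW = """\
ALL : LOCAL, .corp.example.com
ftpd : 10.1.0.0/255.255.0.0 EXCEPT 10.1.99.
telnetd : KNOWN@.partner.example.net
"""
SAMPLE_DENY = """\
# trap name/address mismatches with safe_finger, then refuse everything else
ALL : PARANOID : /usr/bin/safe_finger -l @%h | /usr/bin/mailx -s "%d: %c" root
ALL : ALL
"""
```

Two results are worth noticing. check(SAMPLE_ALLOW, SAMPLE_DENY, "telnetd", Host(PARANOID, "192.0.2.9", "bob;id")) is refused by the PARANOID trap, and the expanded command carries bob_id rather than bob;id, which is why the expansion is sanitized before it reaches a shell. check(SAMPLE_ALLOW, SAMPLE_DENY, "ftpd", Host(PARANOID, "10.1.5.5")) is granted: the address-based allow rule matches first and hosts.deny is never consulted, so a trap in hosts.deny only catches clients that no allow rule admits.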