From Fedora Project Wiki


Verify that OpenSSH works without tcp_wrappers and is not affected by its configuration by default


Make sure OpenSSH packages (client and server) are installed. Check that tcp_wrappers package is installed:

rpm -q openssh-server openssh-clients tcp_wrappers

How to test

  1. Check openssh server is NOT linked against libwrap: ldd /usr/sbin/sshd |grep libwrap
  2. Make sure there is no allowing rule in /etc/hosts.allow (the file contains only commented-out lines)
  3. Insert the following blocking rule in the /etc/hosts.deny: sshd: localhost
  4. Attempt to connect to localhost using ssh: ssh localhost
  5. Update SELinux policy packages from this build. Download selinux-policy and selinux-policy-targeted, install them dnf update selinux-policy*.rpm
  6. Change SELinux boolen to allow tcpd to start sshd: semanage boolean -m --on ssh_use_tcpd
  7. Configure the socket-activated sshd service with tcpd as described in the change page, section "Migration to tcpd".
  8. Verify, that the connection is rejected with the configuration from step 3: ssh localhost
  9. Remove the blocking rule that we added in step 3 from /etc/hosts.deny
  10. Verify that you can connect successfully now: ssh localhost

Expected Results

The following must be true to consider this a successful test run. Be brief ... but explicit.

  1. Step #1 should not return anything
  2. Step #3 completes successfully (there is either password prompt or you are allowed in by public key authentication)
  3. Step #8 should reject the connection.
  4. Step #10 should connect successfully again (there is either password prompt or you are allowed in by public key authentication)


If you see some issues, investigate the logs in journal, make sure the services are running.

  1. If you have problems with tcpd, try to run with SELinux in permissive mode or look for update of selinux-policy. The bug #1482554 should be fixed in updates-testing by now.