Verify that OpenSSH works without tcp_wrappers and is not affected by its configuration by default
Make sure the OpenSSH packages (client and server) are installed. Check that the tcp_wrappers package is installed:
rpm -q openssh-server openssh-clients tcp_wrappers
How to test
- Check that the OpenSSH server is NOT linked against libwrap:
ldd /usr/sbin/sshd |grep libwrap
- Make sure there is no allowing rule in /etc/hosts.allow (the file contains only commented-out lines)
- Insert the following blocking rule in the
- Attempt to connect to localhost using ssh:
- Update the SELinux policy packages from this build. Download selinux-policy-targeted and install them:
dnf update selinux-policy*.rpm
- Change the SELinux boolean to allow tcpd to start sshd:
semanage boolean -m --on ssh_use_tcpd
- Configure the socket-activated sshd service with tcpd as described in the change page, section "Migration to tcpd".
- Verify that the connection is rejected with the configuration from step 3:
- Remove the blocking rule that we added in step 3 from
- Verify that you can connect successfully now:
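As an added example (not part of the Fedora QA test case itself), the following POSIX shell script automates the preconditions of steps 1 and 2: sshd must not be dynamically linked against libwrap, and /etc/hosts.allow must contain no active (non-blank, non-comment) rule. The function names and the file names used in the self-check are constructed for this example; the system paths /usr/sbin/sshd and /etc/hosts.allow are the ones the test case uses.

```shell
#!/bin/sh
# Added example, not from the Fedora QA page. Automates the checks of
# steps 1 and 2 of the test case. Function names are constructed here.

# Return 0 (true) if FILE contains at least one active tcp_wrappers rule,
# 1 (false) otherwise. A line is active if, after leading whitespace, it is
# non-empty and does not start with '#'. A missing file has no rules.
has_active_rules() {
    file=$1
    [ -r "$file" ] || return 1
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$file"
}

# Return 0 (true) if BINARY is dynamically linked against libwrap,
# 1 (false) otherwise. Same check as the page's `ldd /usr/sbin/sshd | grep libwrap`.
linked_against_libwrap() {
    binary=$1
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available" >&2; return 1; }
    ldd "$binary" 2>/dev/null | grep -q 'libwrap'
}

# Run both checks against the real system paths and report; return 0 only
# if both preconditions of the test case hold.
check_openssh_without_tcp_wrappers() {
    status=0
    if linked_against_libwrap /usr/sbin/sshd; then
        echo "FAIL: /usr/sbin/sshd is linked against libwrap"; status=1
    else
        echo "OK: /usr/sbin/sshd is not linked against libwrap"
    fi
    if has_active_rules /etc/hosts.allow; then
        echo "FAIL: /etc/hosts.allow contains an active rule"; status=1
    else
        echo "OK: /etc/hosts.allow contains only comments or blank lines"
    fi
    return $status
}

# Self-check on constructed files (not the system's real configuration):
# returns 0 when the rule parser classifies both sample files correctly.
self_check() {
    dir=$(mktemp -d)
    printf '# sshd: ALL\n\n   # another comment\n' > "$dir/hosts.allow.clean"
    printf '# comment\nsshd: 127.0.0.1\n' > "$dir/hosts.allow.dirty"
    ok=0
    has_active_rules "$dir/hosts.allow.clean" && ok=1
    has_active_rules "$dir/hosts.allow.dirty" || ok=1
    rm -rf "$dir"
    return $ok
}

# Usage: run the self-check, then the real system check.
self_check && echo "self-check passed"
# check_openssh_without_tcp_wrappers
```

Run it on the host under test; `check_openssh_without_tcp_wrappers` exits non-zero if either precondition fails, which makes it suitable for scripting the test run.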
The following must be true to consider this a successful test run.
- Step #1 should not return anything
- Step #3 completes successfully (there is either a password prompt or you are allowed in by public key authentication)
- Step #8 should reject the connection.
- Step #10 should connect successfully again (there is either a password prompt or you are allowed in by public key authentication)
If you see any issues, investigate the logs in the journal and make sure the services are running.
- If you have problems with tcpd, try to run with SELinux in permissive mode or look for an update of selinux-policy. The bug #1482554 should be fixed in updates-testing by now.