TCP Wrappers Release Notes
HP-UX 11i v1
Manufacturing Part Number: 5991-4837
December 2005
U.S.A.
© Copyright 2005 Hewlett-Packard Development Company L.P.
Legal Notices

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Printed in the United States.

Confidential computer software. Valid license from HP required for possession, use or copying.
Contents

1. What's in This Version
   TCP Wrapper Features ............ 6
   TCP Wrapper Overview ............ 6
   Configuration ................... 9
   What's in This Release ..........
1 What's in This Version

The TCP Wrappers product suite provides an enhanced security mechanism for various services spawned by the Internet Services daemon (inetd). TCP Wrappers is available on the HP-UX 11i v1 operating system as a Web upgrade.

TCP Wrapper Features

The following are the features of TCP Wrappers:

TCP Wrapper Overview

The Internet Super Server, inetd, allows a single process to wait for multiple services instead of one process for each service. Whenever a connection is established with inetd for a service, inetd runs the appropriate server program specified in /etc/inetd.conf and waits for other connections.
— The /etc/hosts.allow file is checked first. If a daemon-client pair matches an entry in this file, access will be granted.
— The /etc/hosts.deny file is checked next. If a daemon-client pair matches an entry in this file, access will be denied.
— If no daemon-client pair match is found in either of the access control files, access will be granted.
• Client Username Lookups
  tcpd provides information about the owner of the client-side TCP connection using the RFC 931 protocol. By default, client username lookup is disabled. If it is enabled through the configuration file /etc/tcpd.conf, tcpd assumes that the client requesting the service is running an RFC 931-compliant daemon (such as IDENT).
For the rlogind service, a null character (\0) must be placed at the beginning of the rlogind banner file, as shown in the following example:

    # echo "\0 Text to demonstrate the banners" > rlogind
    # echo " option in tcpd(1M)." >> rlogind

Configuration

TCP Wrappers on HP-UX uses the /etc/tcpd.conf configuration file. This file can be used to set the time-out on client username lookups, the log level, and the action to be taken when a reverse lookup fails.
NOTE: If the above entry is specified without the absolute path of telnetd (/usr/lbin/telnetd), tcpd looks for the telnetd binary in the /usr/lbin/wrapper directory.

2. To monitor access to a service, move the original service daemon to the /usr/lbin/wrapper directory and move tcpd in place of the original service daemon. No changes are required to the /etc/inetd.conf file.
  This API initializes the request_info structure with information about the client request.
— request_set()
  This API updates an initialized request_info structure.

Both the request_init() and request_set() APIs take the request_info structure and a variable-length list of key-value pairs as input parameters and return the first argument, which is the request_info structure defined in the tcpd.h header file. The argument lists are terminated with a zero key value.
tcpdchk examines the tcp wrapper configuration and reports all potential and real problems it can find. The program examines the tcpd access control files (by default, /etc/hosts.allow and /etc/hosts.deny) and compares the entries in these files against the entries in the /etc/inetd.conf file.
    /usr/bin/tcpdmatch [-d] [-i inet_conf] daemon@[server] [user@]client

The second syntax can be used when your server has more than one address or name. Here, "daemon" is a daemon process name, and "client" is a host name or network address, or one of the 'unknown' or 'paranoid' wildcard patterns.
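The hosts.allow-then-hosts.deny check order described under the overview, and the kind of prediction tcpdmatch makes for a daemon/client pair, as an added Python model (not HP-UX tcpd's or tcpdmatch's own code): it parses constructed hosts.allow/hosts.deny contents in hosts_access(5) syntax, supports the ALL wildcard, leading-dot domain suffixes, trailing-dot address prefixes, net/mask patterns and EXCEPT, and reports whether the pair would be admitted. Option fields and the KNOWN/UNKNOWN/PARANOID patterns are assumed absent and left out.

```python
"""Simplified model of tcpd's access-control decision (constructed example)."""
import ipaddress

# Constructed sample access control files in hosts_access(5) syntax.
HOSTS_ALLOW = """\
# daemon_list : client_list
telnetd : 10.1.2.0/255.255.255.0 EXCEPT 10.1.2.99
ftpd    : .corp.example.com
ALL     : 127.0.0.1
"""
HOSTS_DENY = "ALL : ALL\n"


def parse(text):
    """Return (daemon_tokens, client_tokens) per rule, ignoring comments and options."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 2)[:2]   # a third field would be an option
        rules.append((daemons.split(), clients.split()))
    return rules


def token_match(tok, host, addr):
    """One client pattern against the client's host name and address."""
    if tok == "ALL":
        return True
    if tok.startswith("."):            # leading dot: domain suffix, e.g. .corp.example.com
        return host.endswith(tok)
    if tok.endswith("."):              # trailing dot: address prefix, e.g. 10.1.
        return addr.startswith(tok)
    if "/" in tok:                     # net/mask pair, e.g. 10.1.2.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    return tok == host or tok == addr  # literal host name or address


def list_match(tokens, host, addr):
    """EXCEPT splits a list: match the left part but not the right part."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], host, addr) and not list_match(tokens[i + 1:], host, addr)
    return any(token_match(t, host, addr) for t in tokens)


def access_allowed(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match in either means allow."""
    for daemons, clients in parse(allow):
        if list_match(daemons, daemon, daemon) and list_match(clients, host, addr):
            return True
    for daemons, clients in parse(deny):
        if list_match(daemons, daemon, daemon) and list_match(clients, host, addr):
            return False
    return True
```

With the sample files above, a telnetd connection from 10.1.2.5 is admitted, one from the EXCEPT-ed 10.1.2.99 falls through to the ALL : ALL deny rule, and with an empty hosts.deny an unmatched pair is still admitted, which is why a trailing ALL : ALL deny rule matters.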
try-from is a utility program that can be used to identify the end-point details of a connection. This program must be called via a remote shell command, as shown below, to find out whether the hostname and the address are properly recognized, and also whether the username lookup works.
    # /usr/bin/safe_finger -l @xyz.abc.def.com

This command prints the user information on the remote host "xyz.abc.def.com". HP recommends using this program in the implementation of Traps in the access control language of /etc/hosts.allow and /etc/hosts.deny.

NOTE: Refer to the hosts_access(5) man page for more information on setting Traps.
2 Installation Information

Read this chapter before installing the TCP Wrappers web upgrade on your system.

System Requirements

The following are the system requirements to install TCP Wrappers:
• Hewlett-Packard 9000 computer
• HP-UX operating system version 11i
Installing TCP Wrappers

TCP Wrappers is available as a web release on the HP-UX 11i platform from HP's software depot at www.software.hp.com. After downloading the software package, use the swinstall command to install the package on your system. Detailed information on how to configure and use TCP Wrappers can be found in the respective man pages.

Install the web upgrade as per the following steps:

1. Run the following command on the command line.
3 Documentation

The following product documentation is available with this release of TCP Wrappers.

TCP Wrappers Information

The following man pages are distributed with the TCP Wrappers depot available at www.software.hp.com:

1. tcpd(1M)
   This man page describes the tcpd program used to enforce access control for services spawned by inetd.
2. tcpdmatch(1)
   This man page discusses the functioning of the tcpdmatch utility program.
3. tcpdchk(1)
   This man page discusses the tcpdchk program, which is used to check the tcp wrapper configuration.
4.
4 Known Problems and Limitations

This chapter discusses the known problems and limitations in this release of TCP Wrappers.

Known Problems

There are no known problems in this release of TCP Wrappers.
Limitations

The following are the limitations in this release of TCP Wrappers:

• When a new request comes in, the UDP (rpc/udp) daemons linger around for a while after servicing the request. In the /etc/inetd.conf file, these daemons are registered with the 'wait' option. The nowait option is not supported. Only the request which started such a daemon will be seen by the wrappers.
• The wrappers do not work with RPC services over TCP.