hosts_access.5 (2010 09)

hosts_access(5) hosts_access(5)
    %n (%N)   The client (server) host name (or unknown or paranoid).
    %p        The daemon process id.
    %s        Server information: daemon@host, daemon@address, or just a
              daemon name, depending on how much information is available.
    %u        The client user name (or unknown).
    %%        Expands to a single % character.
Characters in % expansions that do not match any alpha-numeric (A-Za-z0-9) or !@%-_=+:,./ characters are replaced by underscores.
Server Endpoint Patterns
In order to distinguish clients by the network address that they connect to, use patterns of the form:

    process_name@host_pattern : client_list ...
Patterns like these can be used when the machine has different Internet addresses with different Internet hostnames. Service providers can use this facility to offer FTP, GOPHER or WWW archives with Internet names that may even belong to different organizations. See also the twist option in hosts_options(5).
Some systems can have more than one Internet address on one physical interface. With other systems
you may have to resort to SLIP or PPP pseudo interfaces that live in a dedicated network address space.
The host_pattern conforms to the same syntax rules as host names and addresses in client_list context.
Usually, server endpoint information is available only with connection-oriented services.
Client Username Lookup
When the client host supports the RFC 931 protocol or one of its descendants (TAP, IDENT, RFC 1413), the wrapper programs can retrieve additional information about the owner of a connection. The client username information, when available, is logged together with the client host name and can be used to match patterns like:

    daemon_list : ... user_pattern@host_pattern ...
The daemon wrappers can be configured (in /etc/tcpd.conf) at run time to perform rule-driven username lookups (default) or to always interrogate the client host. In the case of rule-driven username lookups, the above rule would cause username lookup only when both the daemon_list and the host_pattern match.
A user pattern has the same syntax as a daemon process pattern, so the same wildcards apply (netgroup membership is not supported). Username lookup needs to be evaluated carefully because of the following limitations:

    The client username information cannot be trusted when it is needed most, i.e. when the client system has been compromised. In general, ALL and (UN)KNOWN are the only user name patterns that make sense.

    Username lookups are possible only with TCP-based services, and only when the client host runs a suitable daemon. In all other cases the result is "unknown".

    Username lookups may cause noticeable delays for non-UNIX users. The timeout value for username lookups is configurable through /etc/tcpd.conf. See tcpd.conf(4) for more information.
Selective username lookups can alleviate the last problem. For example, a rule like:

    daemon_list : @pcnetgroup ALL@ALL

would match members of the pc netgroup without doing username lookups, but would perform username lookups with all other systems.
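The rule-driven username lookup and user@host matching described above (including the @pcnetgroup example, and the UNKNOWN@host match used for spoof detection in the next section), together with the underscore sanitization of % expansions, as an added Python model; this is not code from tcpd or from this manual page. The netgroup table, rule strings, host names and the lookup_user callback are constructed for illustration, and only the % sequences listed on this page are handled.

```python
import re

# Characters hosts_access(5) lets survive % expansion; anything else becomes '_'.
_UNSAFE = re.compile(r'[^A-Za-z0-9!@%\-_=+:,./]')

def expand(template, info):
    """Expand the %-sequences listed on this page (%n %N %p %s %u %%).

    info maps the letter to its value; each value is sanitized so that a
    hostile client host name cannot carry shell metacharacters into a
    spawn/twist command.  Only the substituted values are sanitized, the
    template itself comes from the trusted access control file."""
    def sub(m):
        key = m.group(1)
        if key == '%':
            return '%'
        return _UNSAFE.sub('_', str(info.get(key, 'unknown')))
    return re.sub(r'%([nNpsu%])', sub, template)

def match_token(pattern, value):
    """Daemon/user wildcard semantics: ALL, KNOWN, UNKNOWN, otherwise exact."""
    if pattern == 'ALL':
        return True
    if pattern == 'KNOWN':
        return value != 'unknown'
    if pattern == 'UNKNOWN':
        return value == 'unknown'
    return pattern == value

def match_host(pattern, host, netgroups):
    """Host patterns: @netgroup (a constructed dict stands in for NIS) or a token."""
    if pattern.startswith('@'):
        return host in netgroups.get(pattern[1:], set())
    return match_token(pattern, host)

def match_rule(rule, daemon, host, lookup_user, netgroups):
    """Return (matched, lookup_done).  Rule-driven lookup: lookup_user() is
    called only for a user@host client pattern whose host part already matches,
    and never when the daemon_list does not match."""
    daemons, clients = (p.strip() for p in rule.split(':', 1))
    if not any(match_token(d, daemon) for d in daemons.split()):
        return False, False
    lookup_done = False
    for pat in clients.split():
        if '@' in pat and not pat.startswith('@'):
            user_pat, host_pat = pat.split('@', 1)
            if not match_host(host_pat, host, netgroups):
                continue
            lookup_done = True
            if match_token(user_pat, lookup_user()):
                return True, True
        elif match_host(pat, host, netgroups):
            return True, lookup_done
    return False, lookup_done
```

With the constructed pcnetgroup table, a member host matches without any IDENT round trip, while every other host triggers the lookup before ALL@ALL is evaluated.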
Detecting Address Spoofing Attacks
A flaw in the sequence number generator of many TCP/IP implementations allows intruders to easily impersonate trusted hosts and to break in via, for example, the remote shell service. The IDENT (RFC 931 etc.) service can be used to detect such and other host address spoofing attacks.
Before accepting a client request, the wrappers can use the IDENT service to find out that the client did not send the request at all. When the client host provides IDENT service, a negative IDENT lookup result (the client matches UNKNOWN@host) is strong evidence of a host-spoofing attack.
HP-UX 11i Version 3: September 2010 3 Hewlett-Packard Company 3