Greetings:

In -CURRENT, the Makefile in /usr/src/libexec/tcpd doesn't have -DPROCESS_OPTIONS, which, according to the hosts_access(5) manpage, is needed for things such as banners in tcp_wrappers to work.

From hosts_access(5):

    An extended version of the access control language is described in the
    hosts_options(5) document. The extensions are turned on at program build
    time by building with -DPROCESS_OPTIONS.

In hosts_options(5):

    banners /some/directory
        Look for a file in `/some/directory' with the same name as the daemon
        process (for example in.telnetd for the telnet service), and copy its
        contents to the client. Newline characters are replaced by
        carriage-return newline, and %<letter> sequences are expanded (see the
        hosts_access(5) manual page). The tcp wrappers source code
        distribution provides a sample makefile (Banners.Makefile) for
        convenient banner maintenance. Warning: banners are supported for
        connection-oriented (TCP) network services only.

As an example, in /etc/hosts.allow, I have the following line:

    telnet stream tcp nowait root /usr/libexec/tcpd /usr/libexec/telnetd

Which, with the tcp_wrappers port binary from a few years ago, would do the following:

    Welcome [unknown@adsl-208-201-244-226.sonic.net] to ...
    ________ _____ _________ ______ _______ __________________________ ___ __ \___ | / /___ |___ / __ __ \__ ____/____ _/__ ____/ __ / / /__ |/ / __ /| |__ / _ / / /_ / __ __ / _ / _ /_/ / _ /| / _ ___ |_ /___/ /_/ / / /_/ / __/ / / /___ /_____/ /_/ |_/ /_/ |_|/_____/\____/ \____/ /___/ \____/ .NET
    [ bigbang.DNALOGIC.NET ]
    DNA Logic Corporation - http://www.DNALOGIC.NET
    San Francisco, California USA
    For assistance or information please e-mail root@bigbang.DNALOGIC.NET

    FreeBSD/i386 (bigbang.DNALOGIC.NET) (ttypb)

    login:

The binary works, but for anything not defined in hosts.allow it would completely skip the banner and give them the login prompt, rather than not allowing them to make it to the telnetd daemon like before.

The tcpd built by -CURRENT does work correctly, but the banners support is not enabled by default. In /usr/src/libexec/tcpd/Makefile:

    CFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" \
        -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 \
        -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" \
        -DFACILITY=LOG_DAEMON

In /usr/src/contrib/tcp_wrappers/README, sections 4.5 and 4.7 mention:

    4.5 - Language extensions
    -------------------------

    The wrappers sport only a limited number of features. This is for a good
    reason: programs that run at high privilege levels must be easy to
    verify. And the smaller a program, the easier to verify. There is,
    however, a provision to add features.

    The options.c module provides a framework for language extensions. Quite
    a few extensions have already been implemented; they are documented in
    the hosts_options.5 document, which is in `nroff -man' format. Examples:
    changing the severity level at which a request for service is logged;
    "allow" and "deny" keywords; running a customized server instead of the
    standard one; many others.

    The language extensions are not enabled by default because they
    introduce an incompatible change to the access control language syntax.
    Instructions to enable the extensions are given in the Makefile.

    4.7 - Banner messages
    ---------------------

    Some sites are required to present an informational message to users
    before they attempt to login. Banner messages can also be useful when
    denying service: instead of simply dropping the connection a polite
    explanation is given first. Finally, banners can be used to give your
    system a more personal touch.

    The wrapper software provides easy-to-use tools to generate pre-login
    banners for ftp, telnet, rlogin etc. from a single prototype banner
    textfile. Details on banners and on-the-fly %<letter> expansions are
    given in the hosts_options.5 manual page (`nroff -man' format). An
    example is given in the file Banners.Makefile.

    In order to support banner messages the wrappers have to be built with
    language extensions enabled. See the section on language extensions.

In /usr/src/contrib/tcp_wrappers/Makefile, it mentions that -DPROCESS_OPTIONS is needed for language extensions:

    ###########################################
    # Optional: Turning on language extensions
    #
    # Instead of the default access control language that is documented in
    # the hosts_access.5 document, the wrappers can be configured to
    # implement an extensible language documented in the hosts_options.5
    # document.  This language is implemented by the "options.c" source
    # module, which also gives hints on how to add your own extensions.
    # Uncomment the next definition to turn on the language extensions
    # (examples: allow, deny, banners, twist and spawn).
    #
    #STYLE  = -DPROCESS_OPTIONS     # Enable language extensions.

So in /usr/src/libexec/tcpd/Makefile, I added -DPROCESS_OPTIONS:

    CFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" \
        -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 \
        -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" \
        -DFACILITY=LOG_DAEMON \
        -DPROCESS_OPTIONS

However, -DPROCESS_OPTIONS seems to have no effect after I replaced the tcpd and restarted inetd. When one telnets, it just goes to telnetd directly without going through the banners, even though it denies access to those not defined in /etc/hosts.allow:

    FreeBSD/i386 (bigbang.DNALOGIC.NET) (ttypb)

    login:

Cheers,
Vince - vince@WURLDLINK.NET - Vice President                  ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free       / / / / | / |[__ ]
WurldLink Corporation                                         / / / / | / | __] ]
San Francisco - Honolulu - Hong Kong                          / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin          /_/_/_/_/|___/|_|[____]
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin

Received on Wed Jul 02 2003 - 16:30:08 UTC
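The following is an added example, not part of the message above and not code from tcp_wrappers. It shows what the "banners /some/directory" option described in hosts_options(5) actually produces: the file named after the daemon is read, the %<letter> sequences from hosts_access(5) are expanded, and each line is sent with a carriage-return newline. It also writes the hosts.allow rules in the extended language that would use such a directory. Assumptions: only the %a %A %c %d %h %H %n %N %p %s %u %% expansions are implemented, the client and server values are passed in as arguments instead of being read from the socket and an RFC 931 lookup, the banner directory is a throw-away temporary directory, and the sample banner text and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post and not tcp_wrappers code):
# emulate what tcpd does for the "banners /dir" option of hosts_options(5).
#
# banner_for DIR DAEMON CLIENT_ADDR CLIENT_HOST SERVER_ADDR SERVER_HOST [USER] [PID]
# Prints the expanded banner with CR LF line ends. Returns 1 when DIR/DAEMON
# does not exist: tcpd then sends nothing, which looks like "no banner".
banner_for() {
    dir=$1 daemon=$2 caddr=$3 chost=$4 saddr=$5 shost=$6
    user=${7:-unknown} pid=${8:-$$}          # "unknown" = no RFC 931 result
    [ -f "$dir/$daemon" ] || return 1
    # %h/%H fall back to the address when no host name is known;
    # %c is user@host when the user is known, otherwise just the host.
    [ -n "$chost" ] || chost=$caddr
    [ -n "$shost" ] || shost=$saddr
    if [ "$user" = unknown ]; then cinfo=$chost; else cinfo="$user@$chost"; fi
    sinfo="$daemon@$shost"
    awk -v a="$caddr" -v A="$saddr" -v c="$cinfo" -v d="$daemon" \
        -v h="$chost" -v H="$shost" -v n="$chost" -v N="$shost" \
        -v p="$pid" -v s="$sinfo" -v u="$user" '
    {
        line = $0; out = ""
        while ((i = index(line, "%")) > 0) {
            out = out substr(line, 1, i - 1)
            ch = substr(line, i + 1, 1)
            if      (ch == "a") out = out a
            else if (ch == "A") out = out A
            else if (ch == "c") out = out c
            else if (ch == "d") out = out d
            else if (ch == "h") out = out h
            else if (ch == "H") out = out H
            else if (ch == "n") out = out n
            else if (ch == "N") out = out N
            else if (ch == "p") out = out p
            else if (ch == "s") out = out s
            else if (ch == "u") out = out u
            else if (ch == "%") out = out "%"
            else                out = out "%" ch   # unknown letter: kept as is
            line = substr(line, i + 2)
        }
        printf "%s%s\r\n", out, line             # newline -> CR LF
    }' "$dir/$daemon"
}

# Demo: a throw-away banner directory with one file for telnetd (FreeBSD's
# daemon name, so the banner file is "telnetd"), plus the hosts.allow rules
# in the extended language that would use it once tcpd is built with
# -DPROCESS_OPTIONS. Addresses and text are constructed for this demo.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/telnetd" <<'EOF'
Welcome [%u@%h] to %H (%d, pid %p) -- 100%% wrapped
EOF
    cat > "$dir/hosts.allow" <<EOF
# extended language: the third field is an option list, not a shell command
telnetd : 192.168.1. : banners $dir : allow
telnetd : ALL        : banners $dir/deny : deny
EOF
    cat "$dir/hosts.allow"
    banner_for "$dir" telnetd 192.168.1.20 host.example.net \
                      192.168.1.1 bigbang.example.net
    rm -rf "$dir"
}
demo
```

Two points worth checking on a real host: the banner file must carry the daemon's process name exactly (telnetd here, not in.telnetd), and the extended rules only make sense to a tcpd compiled with -DPROCESS_OPTIONS, because a tcpd built without it reads the third field of a rule as a shell command rather than as options. tcpdchk(8) and tcpdmatch(8), which ship with tcp_wrappers, parse the rule files and report which rule a given daemon/client pair matches, which is the quickest way to see whether the options in a rule are being recognised at all.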
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:13 UTC