Can't login via SSH
Daniel Bye
freebsd-questions at slightlystrange.org
Tue Apr 25 16:49:41 UTC 2006
On Tue, Apr 25, 2006 at 09:20:38AM -0700, Kris Anderson wrote:
>
>
> --- Jose Borquez <bsdlists at sbcglobal.net> wrote:
>
> > I attempt to establish an ssh connection to a remote
> > server and I get
> > the following error:
> > "ssh_exchange_identification: Connection closed by
> > remote host"
> >
> > I have checked the hosts.allow file and everything
> > is allowed by
> > default. What else can I check?
> > Thanks in advance,
> Jose,
> hosts.allow is only half the story. Check your
> hosts.deny. I am currently working on a script that
> futzes with the hosts.deny file and occasionally
> something happens in the file. I've tested and tested
> and every time I remove a particular line from
> hosts.deny all is well. Go figure.
>
> Not sure if your hosts.deny file has stuff in it, but
> if it does make a backup of it then empty it out. You
> should be able to connect. If you can connect then add
> one line at a time to your hosts.deny then try
> establishing a newly authenticated session until you
> can't. Oddly one of two things, you'll either get
> blocked immediately or all works and at some later
> time suddenly you can't connect.

For quite some time now, hosts.deny has been deprecated and its
functionality conflated with that of hosts.allow. If you want to
maintain a separate file for denied addresses, it should be included in
your hosts.allow with the following syntax:

    sshd : /etc/hosts.deniedssh : deny

The file /etc/hosts.deniedssh contains only valid hosts_options(5)
address specifications, which are expanded into the rule each time it is
checked.

Of course, the mere fact of hosts.deny's deprecation does not mean it
won't work, but in general, if you don't have an extant hosts.deny, you
are better off using the more modern, presumably better supported,
style rather than deliberately setting up an already obsolescent
configuration.

In your case, Kris, I can see that it should make your script rather
simpler to implement - you need only write addresses to the deny file,
rather than a more complete rule. YMMV, and all that.

Dan
--
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
ASCII ribbon campaign - against HTML, vCards and proprietary attachments in e-mail
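
An added example, not part of the original message or of anyone's script in this thread: one way a script could maintain the address-only file that the `sshd : /etc/hosts.deniedssh : deny` rule includes. The function names are hypothetical; it assumes the net/mask and [net]/prefixlen address forms from hosts_access(5) and validates every entry, because the file's contents are expanded into the rule.

```python
import ipaddress
import os
import tempfile

def wrapper_pattern(spec):
    """Convert an IP address or CIDR network to hosts_access(5) address syntax."""
    # ip_network() raises ValueError for anything that is not purely an
    # address/network, so text such as "ALL" or "1.2.3.4 : allow" is refused.
    net = ipaddress.ip_network(spec.strip(), strict=False)
    if net.prefixlen == 0:
        raise ValueError("refusing a pattern that matches every host")
    if net.version == 4:
        if net.prefixlen == 32:
            return str(net.network_address)
        return f"{net.network_address}/{net.netmask}"   # net/mask form
    if net.prefixlen == 128:
        return f"[{net.network_address}]"
    return f"[{net.network_address}]/{net.prefixlen}"   # [net]/prefixlen form

def add_denied(path, spec):
    """Add spec to the deny file at path; return True if the file changed."""
    pattern = wrapper_pattern(spec)
    try:
        with open(path) as fh:
            patterns = fh.read().split()   # patterns are whitespace separated
    except FileNotFoundError:
        patterns = []
    if pattern in patterns:
        return False
    patterns.append(pattern)
    # Write a temporary file in the same directory and rename it into place,
    # so a connection checked mid-update never sees a half-written list.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(patterns) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True

if __name__ == "__main__":
    # Constructed demo against a scratch file, not the real /etc/hosts.deniedssh.
    with tempfile.TemporaryDirectory() as d:
        deny = os.path.join(d, "hosts.deniedssh")
        for s in ["192.0.2.10", "198.51.100.77/24", "2001:db8::1", "192.0.2.10"]:
            print(s, "->", "added" if add_denied(deny, s) else "already listed")
        print(open(deny).read(), end="")
```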