Again, I have concerns that I might be missing something in my chroot jail, but when I change my hosts.allow file to read the following, it works fine.

in.tftpd: 192.168.3.103 : allow
So I am utterly and totally confused. I keep thinking that there must be something DNS related that I need in the chroot jail that I am missing. I do have a /chroot/tftpd/etc/resolv.conf with the nameserver entry that points to the DNS server, and all files in my /chroot/tftpd/etc dir are world readable. I also have a /chroot/tftpd/etc/hosts file (that is pretty much empty - just a line for 127.0.0.1).
# ls -l /chroot/tftpd/etc
-rw-r--r-- 1 root root   148 Jan 14 17:53 hosts
-rw-r--r-- 1 root root   417 Jan 14 17:37 hosts.allow
-rw-r--r-- 1 root root   370 Jan 13 12:13 hosts.deny
-rw-r--r-- 1 root root  1267 Jan 12 21:43 localtime
-rw-r--r-- 1 root root  1686 Jan 12 15:50 nsswitch.conf
-rw-r--r-- 1 root root    86 Jan 14 17:52 resolv.conf
-rw-r--r-- 1 root root 20373 Jan 12 15:47 services
Is there anything else I need that I am missing? Either config file or lib?
Any suggestions of things I can try?
Thanks,
Eric
Something I found:
15.2.3.2. Access Control
Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the allow or deny directive as the final option.
For instance, the following two rules allow SSH connections from client-1.example.com, but deny connections from client-2.example.com:
sshd : client-1.example.com : allow
sshd : client-2.example.com : deny
By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny. Some consider this an easier way of organizing access rules.
Conceivably, you could put all rules into one file (hosts.allow maybe). See if that helps.
Just tried putting everything in the hosts.allow, but it didn't make any difference. Tried also in the hosts.deny, but no success either.
Where did you find that reference? What does 15.2.3.2 point to?
Any other ideas / theories?
- make sure tftpd is really using the in.tftpd name (you said it works with IPs?)
Yes. It works with the IPs, so I am somewhat sure that the daemon name in hosts.allow/deny is right and that I am editing the correct hosts.allow/deny files. When I change the IP in those files, I get the responses that I expect (either access allowed or denied).
- make sure it does resolve the IP correctly. I have no idea how you could test this.
Me neither. That's the problem. I have no idea how I can test that the daemon is resolving it properly.
but what is the benefit in managing the zone file instead of hosts.*? I mean, since you put the IP in the DNS zone file, why not put it in hosts.*?
Looks like I probably won't have a choice after all. But I was originally thinking that it would be neater and easier to read by having FQDNs in the hosts.* file. Plus, it also means I only need to update things in one place (DNS) if/when my server changes IPs... Like this I would need to update DNS and remember to update my hosts.* files...
Tx,
Eric
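The thread leaves open how to check whether a chrooted daemon can resolve names at all. Hostname rules in hosts.allow/hosts.deny only match if libwrap can reverse-resolve the client IP from inside the jail, and glibc does that through NSS, which loads libnss_files.so.2 and libnss_dns.so.2 (plus libresolv.so.2) at runtime from the jail's own library directories. Those files never show up in ldd output, so they are the usual gap. The script below is an added example, not from the thread or from tcp_wrappers: it audits a jail directory for the resolver config files and NSS libraries. The library directory list and the jail path /chroot/tftpd are assumptions; adjust them for your distribution and architecture.

```shell
#!/bin/sh
# Added example: audit a chroot jail for what glibc needs to resolve host names.
# Everything below is an assumption about a typical Linux layout, not taken
# from the thread; adapt LIB_DIRS to your distribution.

# Resolver configuration files, relative to the jail root.
NSS_CONFIG="etc/nsswitch.conf etc/resolv.conf etc/hosts"

# Shared objects glibc dlopen()s for the "files" and "dns" NSS sources.
# They are not listed by ldd, so they are the usual thing left out of a jail.
NSS_LIBS="libnss_files.so.2 libnss_dns.so.2 libresolv.so.2"

# Library directories to search inside the jail (assumed; extend as needed).
LIB_DIRS="lib lib64 lib/x86_64-linux-gnu lib/i386-linux-gnu usr/lib usr/lib64"

# find_lib JAIL NAME: print the jail-relative path of NAME under one of
# LIB_DIRS and return 0, or return 1 if it is absent from all of them.
find_lib() {
    _jail=$1
    _name=$2
    for _d in $LIB_DIRS; do
        if [ -e "$_jail/$_d/$_name" ]; then
            printf '%s\n' "$_jail/$_d/$_name"
            return 0
        fi
    done
    return 1
}

# jail_resolver_check JAIL: print one line per item and return the number of
# missing items, so 0 means the jail has everything this script knows to check.
jail_resolver_check() {
    _jail=$1
    _missing=0
    for _f in $NSS_CONFIG; do
        if [ -r "$_jail/$_f" ]; then
            printf 'ok       %s\n' "$_jail/$_f"
        else
            printf 'MISSING  %s\n' "$_jail/$_f"
            _missing=$((_missing + 1))
        fi
    done
    for _l in $NSS_LIBS; do
        if _p=$(find_lib "$_jail" "$_l"); then
            printf 'ok       %s\n' "$_p"
        else
            printf 'MISSING  %s (searched: %s)\n' "$_l" "$LIB_DIRS"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# Usage: sh check_jail.sh /chroot/tftpd   (jail path is an assumed example)
if [ -n "${1:-}" ]; then
    jail_resolver_check "$1"
fi
```

Two things worth knowing when reading the output. First, the exit status is the count of missing items, so it can drive a simple pass/fail check. Second, even with every file present, libwrap does a reverse lookup of the client IP and then a forward lookup of the returned name and requires the original IP to be among the answers; if the PTR record and the A record disagree, the client is treated as PARANOID and no hostname rule will match, while IP rules keep working, which is exactly the symptom described in the thread. The tcpdmatch utility shipped with tcp_wrappers (`cd /chroot/tftpd/etc && tcpdmatch -d in.tftpd 192.168.3.103`, where -d reads hosts.allow and hosts.deny from the current directory) shows how the rules evaluate for a given client, although it resolves with the host's resolver rather than the jail's.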