[CentOS] Re: Re: Re: Re: Re: Re: What libs req'd to resolve DNS within a chroot jail?

Tue Jan 15 23:34:00 UTC 2008
Eric B. <ebenze at hotmail.com>

>>>> Again, I have concerns that I might be missing something in
>>>> my chroot jail, but when I change my hosts.allow file to read
>>>> the following, it works fine.
>>>> in.tftpd: 192.168.3.103 : allow
>>>>
>>>> So I am utterly and totally confused.  I keep thinking that
>>>> there must be something DNS related that I need in the chroot
>>>> jail that I am missing.
>>>> I do have a /chroot/tftpd/etc/resolv.conf with the nameserver
>>>> entry that points to the DNS server, and all files in my
>>>> /chroot/tftpd/etc dir are world readable.  I also have a
>>>> /chroot/tftpd/etc/hosts file (that is pretty much empty -
>>>> just a line for 127.0.0.1).
>>>>
>>>> # ls -l /chroot/tftpd/etc
>>>> -rw-r--r--  1 root root   148 Jan 14 17:53 hosts
>>>> -rw-r--r--  1 root root   417 Jan 14 17:37 hosts.allow
>>>> -rw-r--r--  1 root root   370 Jan 13 12:13 hosts.deny
>>>> -rw-r--r--  1 root root  1267 Jan 12 21:43 localtime
>>>> -rw-r--r--  1 root root  1686 Jan 12 15:50 nsswitch.conf
>>>> -rw-r--r--  1 root root    86 Jan 14 17:52 resolv.conf
>>>> -rw-r--r--  1 root root 20373 Jan 12 15:47 services
>>>>
>>>>
>>>> Is there anything else I need that I am missing?  Either
>>>> config file or lib?
>>>>
>>>> Any suggestions of things I can try?
>>>>
>>>> Thanks,
>>>>
>>>> Eric
>>>>
>>> Something I found:
>>>
>>> 15.2.3.2. Access Control
>>>
>>> Option fields also allow administrators to explicitly allow or deny
>>> hosts in a single rule by adding the allow or deny directive as the
>>> final option.
>>>
>>> For instance, the following two rules allow SSH connections from
>>> client-1.example.com, but deny connections from client-2.example.com:
>>>
>>> sshd : client-1.example.com : allow
>>> sshd : client-2.example.com : deny
>>>
>>> By allowing access control on a per-rule basis, the option field allows
>>> administrators to consolidate all access rules into a single file:
>>> either hosts.allow or hosts.deny. Some consider this an easier way of
>>> organizing access rules.
>>>
>>> Conceivably, you could put all rules into one file (hosts.allow maybe).
>>> See if that helps..
>>
>> Just tried putting everything in the hosts.allow but didn't make any 
>> difference.  Tried also in the hosts.deny but no success either.
>>
>> Where did you find that reference?  What does 15.2.3.2 point to?
>>
>> Any other ideas / theories?
>>



> - make sure tftpd is really using the in.tftpd name (you said it works 
> with IPs?)

Yes. It works with the IPs, so I am somewhat sure that the daemon name in 
hosts.allow/deny is right and that I am editing the correct hosts.allow/deny 
files.  When I change the IP in those files, I get the responses that I 
expect (either access allowed or denied).

> - make sure it does resolve the IP correctly. I have no idea how you could 
> test this.
Me neither.  That's the problem.  I have no idea how I can test that the 
daemon is resolving it properly.


> but what is the benefit in managing the zone file instead of hosts.*? I 
> mean, since you put the IP in the DNS zone file, why not put it in 
> hosts.*?

Looks like I prob. won't have a choice after all.  But was originally 
thinking that it would be neater and easier to read by having FQDN in the hosts.* 
file.  Plus, it also means I only need to update things in one place (DNS) 
if/when my server changes IPs....  Like this I would need to update DNS and 
remember to update my hosts.* files....


Tx,

Eric
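To answer the open question in this thread of how to test whether resolution works from inside the jail, here is an added shell example that is not from the thread: it checks the jail for the files glibc's resolver needs and, once a getent binary and its libraries have been copied into the jail, performs the reverse-then-forward lookup that tcp_wrappers does before a hostname rule can match. It assumes the jail root is passed as the first argument and that its libraries live under lib, lib64, usr/lib or usr/lib64.

```shell
# Added example, not from the thread: report what glibc's resolver needs
# inside a chroot jail. Assumed jail layout: <jail>/etc and <jail>/lib*.
# glibc loads its NSS backends (libnss_files.so.2 for /etc/hosts,
# libnss_dns.so.2 for DNS) with dlopen() at runtime, so `ldd in.tftpd`
# never lists them and they are easy to leave out of the jail.
# tcp_wrappers needs a reverse (PTR) lookup of the client and a matching
# forward lookup of that name before a hostname rule can match.
chroot_resolver_check() {
    jail="$1"
    missing=0
    # config files the resolver reads inside the jail
    for f in etc/nsswitch.conf etc/resolv.conf etc/hosts; do
        if [ ! -r "$jail/$f" ]; then
            echo "missing: $jail/$f"
            missing=$((missing + 1))
        fi
    done
    # NSS and resolver shared objects, in any of the usual library dirs
    for lib in libnss_files.so.2 libnss_dns.so.2 libresolv.so.2; do
        found=0
        for d in lib lib64 usr/lib usr/lib64; do
            if [ -e "$jail/$d/$lib" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $lib (looked in $jail/{lib,lib64,usr/lib,usr/lib64})"
            missing=$((missing + 1))
        fi
    done
    echo "missing items: $missing"
    return "$missing"
}

# Live probe, run as root once the jail is complete. Assumes getent and
# the libraries it needs have been copied to <jail>/usr/bin/getent.
# Does the same two lookups tcp_wrappers does for a hostname rule.
chroot_resolver_probe() {
    jail="$1"; ip="$2"
    name=$(chroot "$jail" /usr/bin/getent hosts "$ip" | awk '{print $2}')
    if [ -z "$name" ]; then
        echo "no PTR result for $ip inside $jail"
        return 1
    fi
    echo "reverse: $ip -> $name"
    # forward lookup must return the client address again
    chroot "$jail" /usr/bin/getent hosts "$name"
}
```

Run `chroot_resolver_check /chroot/tftpd` first; only when it reports no missing items is `chroot_resolver_probe /chroot/tftpd 192.168.3.103` meaningful.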