Maintenance Commands                                     TCPD(1M)



NAME
     tcpd - access control facility for internet services

DESCRIPTION
     The tcpd program can be set up to monitor incoming  requests
     for  telnet,  finger,  ftp,  exec,  rsh, rlogin, tftp, talk,
     comsat and other services that have a one-to-one mapping onto
     executable files.

     The program supports both 4.3BSD-style  sockets  and  System
     V.4-style  TLI.  Functionality  may  be limited when the
     protocol underneath TLI is not an internet protocol.

     Operation is as follows:  whenever  a  request  for  service
     arrives,  the  inetd daemon is tricked into running the tcpd
     program instead of the desired server. tcpd logs the request
     and does some additional checks. When all is well, tcpd runs
     the appropriate server program and goes away.

     Optional features are: pattern-based access control,  client
     username  lookups  with  the  RFC 931 (ident) protocol and its
     relatives, protection against hosts that pretend to have someone
     else's host name, and protection against hosts that pretend to
     have someone else's network address.

LIBWRAP INTERFACE
     The same monitoring and access control functionality provided
     by  the  tcpd  standalone  program  is  also available through
     the libwrap shared library interface.  Some  programs,  includ-
     ing  the Solaris inetd daemon, have been modified to use the
     libwrap interface and thus do not require replacing  the  real
     server  programs  with  tcpd.  The libwrap interface is also
     more efficient and can be used for inetd  internal  services.
     See inetd(1M) for more information.

LOGGING
     Connections that are monitored by tcpd are reported  through
     the  syslog(3)  facility. Each record contains a time stamp,
     the client host name and the name of the requested  service.
     The information can be useful to detect unwanted activities,
     especially when logfile information from  several  hosts  is
     merged.

     In order to find out where your logs are going, examine  the
     syslog configuration file, usually /etc/syslog.conf.
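The paragraph above says the value of tcpd's records shows up once they are aggregated. As an added example, not part of the tcpd manual page or the tcpd source, the following script parses tcpd's syslog records and tallies them per service and client. The log lines are constructed for the example: they follow the shape of tcpd's "connect from", "refused connect from" and host name/address mismatch messages, but the hosts, addresses, times and the refusal threshold are made up.

```python
"""Summarise tcpd connection records pulled from syslog.

Added example, not part of tcpd. The sample log below is constructed to
match the shape of tcpd's own syslog messages; every host, address and
time in it is made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a syslog file after tcpd has wrapped in.telnetd,
# in.ftpd and in.rshd on one host for a while. The sshd line is there to
# show that unrelated records are skipped, not misread.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw in.telnetd[2231]: connect from ws12.example.com
Mar  3 09:12:44 gw in.ftpd[2240]: connect from ws12.example.com
Mar  3 09:13:02 gw in.rshd[2251]: refused connect from 203.0.113.9
Mar  3 09:13:05 gw in.rshd[2252]: refused connect from 203.0.113.9
Mar  3 09:13:07 gw in.rshd[2253]: refused connect from 203.0.113.9
Mar  3 09:15:30 gw in.telnetd[2260]: warning: host name/address mismatch: 198.51.100.7 != trusted.example.com
Mar  3 09:15:30 gw in.telnetd[2260]: refused connect from 198.51.100.7
Mar  3 09:20:11 gw sshd[2300]: Accepted publickey for alice from 192.0.2.5 port 51022 ssh2
"""

# syslog prefix: month day time host program[pid]: message
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[\s]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<client>\S+)$")
MISMATCH_RE = re.compile(
    r"^warning: host name/address mismatch: (?P<addr>\S+) != (?P<name>\S+)$"
)


def parse_line(line):
    """Return the fields of one syslog line, or None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Aggregate tcpd records: allowed and refused counts keyed by
    (service, client), plus the addresses whose DNS data did not agree."""
    allowed = Counter()
    refused = Counter()
    mismatches = defaultdict(set)  # address -> names it claimed
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = MISMATCH_RE.match(rec["msg"])
        if m:
            mismatches[m.group("addr")].add(m.group("name"))
            continue
        m = CONNECT_RE.match(rec["msg"])
        if m is None:
            continue  # not a tcpd record
        key = (rec["prog"], m.group("client"))
        (refused if m.group("refused") else allowed)[key] += 1
    return {"allowed": allowed, "refused": refused,
            "mismatches": {a: sorted(n) for a, n in mismatches.items()}}


def noisy_clients(summary, threshold=3):
    """Clients refused at least `threshold` times across all services: the
    'unwanted activity' that only becomes visible once records are merged."""
    per_client = Counter()
    for (_service, client), n in summary["refused"].items():
        per_client[client] += n
    return sorted(c for c, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for (svc, client), n in sorted(s["allowed"].items()):
        print(f"allowed {n:3d}  {svc:<12} {client}")
    for (svc, client), n in sorted(s["refused"].items()):
        print(f"refused {n:3d}  {svc:<12} {client}")
    print("DNS mismatches:", s["mismatches"])
    print("repeat offenders:", noisy_clients(s))
```

Point the script at the file your syslog.conf sends the auth facility to, and at the merged copy from several hosts if you have one: a client that is refused once per host is easy to overlook until the counts are added up.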

ACCESS CONTROL
     Optionally, tcpd supports a simple form  of  access  control
     that  is  based  on  pattern  matching.   The access-control
     software provides hooks for the execution of shell  commands
     when  a pattern fires.  For details, see the hosts_access(4)
     manual page.



SunOS 5.10                Last change:                          1

HOST NAME VERIFICATION
     The authentication scheme of some  protocols  (rlogin,  rsh)
     relies  on host names. Some implementations believe the host
     name that they get from any random name server; other imple-
     mentations are more careful but use a flawed algorithm.

     tcpd verifies the client host name that is returned  by  the
     address->name  DNS  lookup  by  looking at the host name and
     addresses that are returned by the name->address  DNS  lookup
     for that name.  If any discrepancy is detected, tcpd concludes
     that it is dealing with a host that pretends to have  someone
     else's host name.

     If the sources are compiled with -DPARANOID, tcpd will  drop
     the  connection  in  case  of  a host name/address mismatch.
     Otherwise, the hostname can be  matched  with  the  PARANOID
     wildcard, after which suitable action can be taken.
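The double lookup and the PARANOID wildcard, worked through as an added example that is not tcpd's own code. It also illustrates the pattern-based rules and shell hooks mentioned in the ACCESS CONTROL section above. The resolver tables, the hosts.allow and hosts.deny text, the rule matcher and the logger command are all constructed for the example; the matcher handles only the handful of client patterns used here, not the full hosts_access(4) language, and it models the default build, in which a mismatched host is given the name PARANOID and proceeds to rule matching rather than being dropped as a -DPARANOID build would do.

```python
"""Forward-confirmed reverse DNS check plus PARANOID rule handling.

Added example, not the tcpd source. Resolver tables, access tables and
the matcher are all constructed here; the matcher covers only the client
patterns used below, not the whole hosts_access(4) language.
"""

PARANOID, UNKNOWN = "paranoid", "unknown"

# Constructed DNS data. 198.51.100.7 has a PTR record claiming to be
# trusted.example.com, but that name's A records do not include it: a
# host pretending to have someone else's host name. ws13's record is
# merely stale, which the check cannot tell apart from spoofing.
PTR = {
    "192.0.2.10":   "ws12.example.com",
    "192.0.2.11":   "ws13.example.com",
    "192.0.2.20":   "printer",
    "198.51.100.7": "trusted.example.com",
    "203.0.113.9":  "multi.example.net",
}
A = {
    "ws12.example.com":    ["192.0.2.10"],
    "ws13.example.com":    ["192.0.2.99"],
    "printer":             ["192.0.2.20"],
    "trusted.example.com": ["192.0.2.1"],
    "multi.example.net":   ["203.0.113.8", "203.0.113.9"],
}


def client_name(addr, ptr=PTR, a=A):
    """Verified host name; UNKNOWN when there is no PTR record; PARANOID
    when the name's forward lookup fails or does not contain addr."""
    name = ptr.get(addr)
    if name is None:
        return UNKNOWN
    if addr not in a.get(name, []):
        return PARANOID
    return name


# Constructed access tables, one rule per line: daemon_list : client_list
# [: shell_command]. hosts.allow is consulted first and a match there grants
# access, so the PARANOID rule that fires a logging hook lives in hosts.deny.
HOSTS_ALLOW = """\
in.rshd, in.rlogind : .example.com
ALL : LOCAL
"""
HOSTS_DENY = """\
in.rshd, in.rlogind : PARANOID : spawn (logger -p auth.warning "tcpd: %d spoof attempt from %a")
ALL : ALL
"""


def _client_matches(pattern, name, addr):
    """Subset of client patterns: ALL, LOCAL (name without a dot), PARANOID,
    UNKNOWN, a leading-dot domain suffix, or a literal name or address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return name not in (PARANOID, UNKNOWN) and "." not in name
    if pattern == "PARANOID":
        return name == PARANOID
    if pattern == "UNKNOWN":
        return name == UNKNOWN
    if pattern.startswith("."):
        return name.endswith(pattern)
    return pattern in (name, addr)


def _rules(text):
    """Yield (daemons, clients, command) for each rule line."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":", 2)]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        yield daemons, clients, (fields[2] if len(fields) > 2 else None)


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """First matching rule wins: hosts.allow, then hosts.deny, else allow.
    Returns (granted, shell hook with %d and %a expanded, or None)."""
    name = client_name(addr)
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients, command in _rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(
                    _client_matches(c, name, addr) for c in clients):
                if command:
                    command = command.replace("%d", daemon).replace("%a", addr)
                return verdict, command
    return True, None


if __name__ == "__main__":
    for daemon, addr in [("in.rshd", "192.0.2.10"), ("in.rshd", "198.51.100.7"),
                         ("in.rshd", "192.0.2.11"), ("in.telnetd", "192.0.2.20")]:
        print(daemon, addr, client_name(addr), hosts_access(daemon, addr))
```

Two things the example makes visible. A stale forward record (ws13 above) yields exactly the same PARANOID verdict as a deliberate spoof, so the hook attached to the PARANOID rule should record the event rather than treat it as proof of attack. And because a rule in hosts.allow grants access when it matches, the PARANOID rule belongs in hosts.deny, ahead of the catch-all, if the goal is to refuse the connection and run a command.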

HOST ADDRESS SPOOFING
     Optionally, tcpd disables source-routing socket  options  on
     every  connection that it deals with. This will take care of
     most attacks from hosts that pretend to have an address that
     belongs  to  someone  else's  network.  UDP services do not
     benefit from this protection. This feature must be turned on
     at compile time.

RFC 931
     When RFC 931 (ident) lookups are enabled  (compile-time  option)
     tcpd  will attempt to establish the name of the client user.
     This will succeed only if the  client  host  runs  an  RFC
     931-compliant daemon.  Client user name lookups will not work
     for datagram-oriented connections, and may cause  noticeable
     delays in the case of connections from PCs.

     Warning: If the local system runs an RFC 931  server  it  is
     important  that it be configured NOT to use TCP Wrappers, or
     that TCP Wrappers  be  configured  to  avoid  RFC  931-based
     access  control  for  this service.  If you use usernames in
     the  access  control  files,  make  sure  that  you  have  a
     hosts.allow  entry  that  allows  the RFC 931 service (often
     called "identd" or "auth") without any username restrictions.
     Failure to heed this warning can result in two hosts getting
     into an endless loop of consulting each other's identd
     services.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ATTRIBUTE TYPE        ATTRIBUTE VALUE
     Availability          SUNWtcpd
     Interface Stability   Committed


NOTES
     Source for TCP Wrappers is available in the SUNWtcpdS package.