diff options
Diffstat (limited to 'usr/src/man/man8/tcpd.8')
| -rw-r--r-- | usr/src/man/man8/tcpd.8 | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/usr/src/man/man8/tcpd.8 b/usr/src/man/man8/tcpd.8 new file mode 100644 index 0000000000..7d8571fbec --- /dev/null +++ b/usr/src/man/man8/tcpd.8 @@ -0,0 +1,115 @@ +'\" t +.\" +.\" Modified for Solaris to to add the Solaris stability classification, +.\" and to add a note about source availability. +.\" +.TH TCPD 8 "Sep 15, 2011" +.SH NAME +tcpd \- access control facility for internet services +.SH DESCRIPTION +.PP +The \fItcpd\fR program can be set up to monitor incoming requests for +\fItelnet\fR, \fIfinger\fR, \fIftp\fR, \fIexec\fR, \fIrsh\fR, +\fIrlogin\fR, \fItftp\fR, \fItalk\fR, \fIcomsat\fR and other services +that have a one-to-one mapping onto executable files. +.PP +The program supports both 4.3BSD-style sockets and System V.4-style +TLI. Functionality may be limited when the protocol underneath TLI is +not an internet protocol. +.PP +Operation is as follows: whenever a request for service arrives, the +\fIinetd\fP daemon is tricked into running the \fItcpd\fP program +instead of the desired server. \fItcpd\fP logs the request and does +some additional checks. When all is well, \fItcpd\fP runs the +appropriate server program and goes away. +.PP +Optional features are: pattern-based access control, client username +lookups with the RFC 931 etc. protocol, protection against hosts that +pretend to have someone elses host name, and protection against hosts +that pretend to have someone elses network address. +.SH LIBWRAP INTERFACE +The same monitoring and access control functionality provided by the +tcpd standalone program is also available through the libwrap shared +library interface. Some programs, including the Solaris inetd daemon, +have been modified to use the libwrap interface and thus do not +require replacing the real server programs with tcpd. The libwrap +interface is also more efficient and can be used for inetd internal +services. See +.BR inetd (8) +for more information. +.SH LOGGING +Connections that are monitored by +.I tcpd +are reported through the \fIsyslog\fR(3) facility. Each record contains +a time stamp, the client host name and the name of the requested +service. The information can be useful to detect unwanted activities, +especially when logfile information from several hosts is merged. +.PP +In order to find out where your logs are going, examine the syslog +configuration file, usually /etc/syslog.conf. +.SH ACCESS CONTROL +Optionally, +.I tcpd +supports a simple form of access control that is based on pattern +matching. The access-control software provides hooks for the execution +of shell commands when a pattern fires. For details, see the +\fIhosts_access\fR(5) manual page. +.SH HOST NAME VERIFICATION +The authentication scheme of some protocols (\fIrlogin, rsh\fR) relies +on host names. Some implementations believe the host name that they get +from any random name server; other implementations are more careful but +use a flawed algorithm. +.PP +.I tcpd +verifies the client host name that is returned by the address->name DNS +server by looking at the host name and address that are returned by the +name->address DNS server. If any discrepancy is detected, +.I tcpd +concludes that it is dealing with a host that pretends to have someone +elses host name. +.PP +If the sources are compiled with -DPARANOID, +.I tcpd +will drop the connection in case of a host name/address mismatch. +Otherwise, the hostname can be matched with the \fIPARANOID\fR wildcard, +after which suitable action can be taken. +.SH HOST ADDRESS SPOOFING +Optionally, +.I tcpd +disables source-routing socket options on every connection that it +deals with. This will take care of most attacks from hosts that pretend +to have an address that belongs to someone elses network. UDP services +do not benefit from this protection. This feature must be turned on +at compile time. +.SH RFC 931 +When RFC 931 etc. lookups are enabled (compile-time option) \fItcpd\fR +will attempt to establish the name of the client user. This will +succeed only if the client host runs an RFC 931-compliant daemon. +Client user name lookups will not work for datagram-oriented +connections, and may cause noticeable delays in the case of connections +from PCs. +.PP +Warning: If the local system runs an RFC 931 server it is important +that it be configured NOT to use TCP Wrappers, or that TCP Wrappers +be configured to avoid RFC 931-based access control for this service. +If you use usernames in the access control files, make sure that you +have a hosts.allow entry that allows the RFC 931 service (often called +"identd" or "auth") without any username restrictions. Failure to heed +this warning can result in two hosts getting in an endless loop of +consulting each other's identd services. +.SH EXAMPLES +.\" Begin Sun update +.SH ATTRIBUTES +See +.BR attributes (7) +for descriptions of the following attributes: +.sp +.TS +box; +c | c +l | l . +ATTRIBUTE TYPE ATTRIBUTE VALUE += +Interface Stability Committed +.TE +.\" End Sun update |