Our migration from CCGB.UMN.EDU to CBRI.UMN.EDU bumps up against another configuration we take for granted. Our TCP wrappers are configured to allow our tightly integrated collection of systems to interoperate fairly freely.
This morning we received a call from one of our collaborators explaining he was no longer able to access one of our web services. A quick test of all the servers involved showed all systems ready and produced no error. Moving to the protocol layer we found this:
    ssh_exchange_identification: Connection closed by remote host
This pointed to the out-of-date TCP wrapper configuration. We corrected it by adding ‘.kunaufamily.org’ to the sshd entry in the /etc/hosts.allow file on the execution host:
    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    sshd : .cbri.umn.edu .ccgb.umn.edu
I understand another possible solution is to add:
    host *
        UsePrivilegedPort no
to the ‘config’ file in the master or the user-level .ssh/ directory. I have chosen the more systemic approach and am in the process of updating the relevant hosts.allow files.
This also corrects a lingering Veritas connection issue for some of our Linux-based production servers.
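One way to audit hosts.allow files during a domain migration like this one, as an added example that is not part of the original post: it parses the rules, reports entries that still name the old domain without the new one, and checks whether a given client name is granted a daemon. The function names and the sample file are constructed for illustration. It covers only a subset of hosts_access(5) (no EXCEPT, no IPv6 literals, options ignored), and a client not granted here is refused only if hosts.deny then matches it.

```python
import re

# Constructed sample: a hosts.allow only partly updated for the new domain.
SAMPLE = """\
# hosts.allow (constructed sample)
sshd : .ccgb.umn.edu
in.ftpd, in.telnetd : .ccgb.umn.edu \\
    .cbri.umn.edu
ALL : 127.0.0.1
"""

def parse_rules(text):
    """Return [(daemons, clients)] for each rule; skips comments, joins continuations."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]  # a third field (options) is ignored
        rules.append((re.split(r"[,\s]+", daemons.strip()),
                      re.split(r"[,\s]+", clients.strip())))
    return rules

def client_matches(pattern, host):
    """Subset of hosts_access(5): ALL, '.domain' suffix, 'net.' prefix, exact match."""
    p, h = pattern.lower(), host.lower()
    if p == "all":
        return True
    if p.startswith("."):
        return h.endswith(p)
    if p.endswith("."):
        return h.startswith(p)
    return p == h

def granted_by_allow(rules, daemon, host):
    """True if some hosts.allow rule grants `daemon` to `host`."""
    return any(
        any(d.lower() in ("all", daemon.lower()) for d in daemons)
        and any(client_matches(c, host) for c in clients)
        for daemons, clients in rules
    )

def stale_rules(rules, old_domain, new_domain):
    """Rules that still name the old domain but were never given the new one."""
    return [r for r in rules if old_domain in r[1] and new_domain not in r[1]]

if __name__ == "__main__":
    for daemons, clients in stale_rules(parse_rules(SAMPLE), ".ccgb.umn.edu", ".cbri.umn.edu"):
        print("needs update:", ",".join(daemons), ":", " ".join(clients))
```

On a host with the TCP wrappers utilities installed, `tcpdmatch sshd <client-hostname>` gives the authoritative answer for a single client.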