TCP wrappers not supported in sshd?

It seems that support for tcp wrappers is not compiled into the sshd service for Mountain Lion. sshd ignores the contents of the "/etc/hosts.deny" file that, for example, "denyhosts" produces. Why is this, do you think, and is there some workaround? Seems like tcp wrappers have been supported forever, before Mountain Lion.

OS X Mountain Lion (10.8)

Posted on Sep 4, 2012 2:10 PM

9 replies

Oct 29, 2018 1:04 AM in response to Linc Davis

Yes, denyhosts runs fine, but sshd ignores the resulting /etc/hosts.deny file. Have you tested putting your own IP address manually in the hosts.deny file and then ssh to that address? In my case at least I'm not blocked at all. Also, in the log file I see hundreds of entries of ssh attempts from the same host.


Have you some special setting in sshd_config?
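
The symptom described in this reply (a host listed in /etc/hosts.deny that still appears in the sshd log) can be checked mechanically. This is an added example, not part of the original posts; the log line formats, file names and addresses are constructed, and it assumes IPv4 entries in the simple `daemon: address` form.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Print IPv4 addresses that a hosts.deny-style file denies for sshd or ALL.
denied_ips() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }               # comments, non-rules
        {
            daemons = $1; gsub(/[ \t]+/, ",", daemons)
            daemons = "," daemons ","               # pad so each name is delimited
            if (daemons !~ /,(sshd|ALL),/) next
            n = split($2, hosts, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (hosts[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print hosts[i]
        }' "$1" | sort -u
}

# Print "IP COUNT" for each denied IP that still reached sshd authentication.
# With working TCP wrappers these hosts would only produce "refused connect".
denied_but_authenticating() {
    denied_ips "$1" | awk '
        NR == FNR { deny[$1] = 1; next }            # first input: denied IPs
        /sshd\[[0-9]+\]: (Failed password|Invalid user|Accepted) / {
            ip = ""                                 # take the last "from" so a
            for (i = 1; i < NF; i++)                # crafted username cannot
                if ($i == "from") ip = $(i + 1)     # spoof the source address
            if (ip in deny) hits[ip]++
        }
        END { for (ip in hits) print ip, hits[ip] }' - "$2" | sort
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
# constructed sample in the "daemon: address" form
sshd: 203.0.113.7
sshd: 198.51.100.9
ALL: 192.0.2.200
EOF
cat > "$SAMPLE_DIR/system.log" <<'EOF'
Sep  4 14:01:10 mac sshd[401]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep  4 14:01:12 mac sshd[403]: Invalid user admin from 203.0.113.7
Sep  4 14:01:15 mac sshd[405]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Sep  4 14:02:00 mac sshd[410]: refused connect from 198.51.100.9 (198.51.100.9)
Sep  4 14:03:00 mac sshd[420]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF
denied_but_authenticating "$SAMPLE_DIR/hosts.deny" "$SAMPLE_DIR/system.log"
```

Any address this prints is in the deny list yet got as far as a password or key check, which is the behaviour reported here for an sshd built without libwrap.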

Sep 28, 2012 9:16 AM in response to Linc Davis

I've been using DenyHosts under 10.7 as well and upon discovering that Apple didn't include the libwrap libraries in 10.8 I attempted to go the MacPorts route as well. However, has anyone found the latest OpenSSH port from MacPorts to work under 10.8? A fresh install for me results in the following error when I attempt to ssh into the system:


sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]


I posted a ticket to MacPorts but so far no answer/fix.


I am just looking for anyone that can confirm/deny a problem with that port. There are no user forums for MacPorts. :-(


I'll also look into the PF approach suggested by Linc (thanks!).

Sep 28, 2012 11:14 AM in response to Linc Davis

I consider this a really cheesy and hopefully very temporary workaround. It may not be recommended, use at your own risk, your universe may collapse into a black hole, etc., etc. But it worked. 😉


If you still have a 10.7 install on another volume, you can copy the old sshd binary and missing libwrap library file to your 10.8 boot disk and run it. Quick and dirty rundown (this is not detailed for those not versed in command line):


Pre) Make sure you stop the default sshd daemon via the sharing control panel. (Uncheck "Remote login".) Otherwise you will have a conflict on port 22 when you try to start the old one.

1) Mount the 10.7 volume. For my example I'll call mine "Mac 10.7 HD"

2) sudo cp /Volumes/"Mac 10.7 HD"/usr/lib/libwrap.7.dylib /usr/lib/.

3) sudo cp /Volumes/"Mac 10.7 HD"/usr/sbin/sshd /usr/sbin/sshd2 (or "sshd-old" or whatever you like, just don't overwrite the existing sshd or you won't be able to revert later.)

4) sudo /usr/sbin/sshd2 (start the daemon)


Note you can't use the sharing control panel to control this version, and if you wanted it to start between reboots you would have to create a separate launchctl script for it.


Linc, another good lead, thanks. I probably should be spending my time looking around for alternatives rather than hacking away at my install. 😝
