* Lennart Poettering: >> From my POV, it is kind of neat that you can grant access to *.enyo.de >> and deny every thing else. > > Binding access control to DNS sounds insecure like hell.. Additional restrictions are fine, for this purpose: >> This is quite helpful against scanners and worms, (And with DNSSEC, it wouldn't be so insecure anymore, you don't even need a secured reverse tree before it can be effective.) > OpenSSH can do this on its own without involving tcpwrap: > > https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html > > It sounds like a much better choice to stick to that instead of > involving tcpwrap, and we should push our users to understand that... The nice thing about tcpwrappers is that it runs extremely early, typically before any application code is exposed. Something in the guts of OpenSSH really isn't comparable. It's not immediately obvious how you'd block logins altogether. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
