Re: heads up: tcpwrappers support going away

On 04/22/2014 09:33 AM, Damien Miller wrote:
> Hi,

Hi,

> This is an early warning: OpenSSH will drop tcpwrappers in the next
> release. sshd_config has supported the Match keyword for a long time
> and it is possible to express more useful conditions (e.g. matching
> by user and address) than tcpwrappers allowed.

I'd agree that you can express more useful conditions using Match, but it is
used at a different application level than tcpwrappers.

Using tcpwrappers, you can drop a connection before even the server identification
string is sent, while a Match block is applied after the transport layer is established.

You don't have to restart sshd every time you want to change conditions in tcpwrappers, while
every change in sshd_config has to be confirmed by a restart.


> Removing it reduces the amount of code in the 'hot' pre-authentication
> path in sshd and rids us of a dependency.
> 

I can see only 17 lines of code in sshd.c around if (!hosts_access(&req)).

The tcpwrappers support is already optional so it is not a hard dependency.


Petr
-- 
Petr Lautrbach
Security Technologies
Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
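
The two check points contrasted in the message above, as an added illustration that is not code from the message or from OpenSSH: a simplified Python model in which one handler applies an access rule before any byte is sent and re-reads its rules per connection, and the other applies it only after the identification string has gone out. The banner string, function names and the prefix-style rules are assumptions made for this example.

```python
import socket

BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"  # constructed identification string

def allowed(peer_ip, rules):
    """Toy stand-in for hosts_access(): rules are address prefixes such as '192.0.2.'."""
    return any(peer_ip.startswith(prefix) for prefix in rules)

def serve_wrapper_style(conn, peer_ip, load_rules):
    """Policy first: a denied peer is closed before the server sends anything."""
    if not allowed(peer_ip, load_rules()):  # rules re-read per connection, no restart
        conn.close()
        return "dropped-before-banner"
    conn.sendall(BANNER)
    conn.close()
    return "accepted"

def serve_late_check(conn, peer_ip, rules_at_startup):
    """Policy after the exchange has begun, with rules fixed when the server started."""
    conn.sendall(BANNER)  # the peer already holds the version string
    # (key exchange would run here before the policy is evaluated)
    ok = allowed(peer_ip, rules_at_startup)
    conn.close()
    return "accepted" if ok else "rejected-after-banner"

def bytes_seen_by_client(server_fn, peer_ip, rules_arg):
    """Run one connection over a socketpair; return (verdict, bytes the client read)."""
    server_side, client_side = socket.socketpair()
    verdict = server_fn(server_side, peer_ip, rules_arg)
    data = b""
    while chunk := client_side.recv(4096):
        data += chunk
    client_side.close()
    return verdict, data

if __name__ == "__main__":
    rules = ["192.0.2."]  # constructed policy: documentation range only
    denied_peer = "198.51.100.7"
    print(bytes_seen_by_client(serve_wrapper_style, denied_peer, lambda: rules))
    print(bytes_seen_by_client(serve_late_check, denied_peer, list(rules)))
    rules.append("198.51.100.")  # edited while "running"; wrapper style picks it up
    print(bytes_seen_by_client(serve_wrapper_style, denied_peer, lambda: rules))
```

The denied peer reads zero bytes from the first handler and the full identification string from the second, which is the exposure difference the message points at.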