On 04/22/2014 09:33 AM, Damien Miller wrote:
> Hi,

Hi,

> This is an early warning: OpenSSH will drop tcpwrappers in the next
> release. sshd_config has supported the Match keyword for a long time
> and it is possible to express more useful conditions (e.g. matching
> by user and address) than tcpwrappers allowed.

I'd agree that you can express more useful conditions using Match, but it is
used at a different application level than tcpwrappers. Using tcpwrappers, you
can drop a connection before even the server identification string is sent,
while a Match block is applied after the transport layer is established.

You don't have to restart sshd every time you want to change conditions in
tcpwrappers, while every change in sshd_config has to be confirmed by a restart.

> Removing it reduces the amount of code in the 'hot' pre-authentication
> path in sshd and rids us of a dependency.
>

I can see only 17 lines of code in sshd.c around if (!hosts_access(&req)).
The tcpwrappers support is already optional, so it is not a hard dependency.

Petr
--
Petr Lautrbach
Security Technologies
Red Hat

Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev