On Tue, 22 Apr 2014, Petr Lautrbach wrote:

> Using tcpwrappers, you can drop a connection before even the server
> identification string is sent, while Match block is applied after the
> transport layer is established.
>
> You don't have to restart sshd every time you want to change
> conditions in tcpwrappers, while every change in sshd_config has to be
> confirmed by restart.

You can use a packet filter for this; tcpwrappers dates back to the
dark times before these were common on hosts.

> I can see only 17 lines of code in sshd.c around if (!hosts_access(&req))

Do you stop counting attack surface at the first function call? FYI, the
first function call in hosts_access is a setjmp() :/

Old, redundant code needs to be retired.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev