VETO! Re: heads up: tcpwrappers support going away

On Tue, Apr 22, 2014 at 9:33 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> Hi,
>
> This is an early warning: OpenSSH will drop tcpwrappers in the next
> release. sshd_config has supported the Match keyword for a long time
> and it is possible to express more useful conditions (e.g. matching
> by user and address) than tcpwrappers allowed.
>
> Removing it reduces the amount of code in the 'hot' pre-authentication
> path in sshd and rids us of a dependency.

Can I VETO that change, please?

tcpwrappers provides a *central* configuration to protect all services
based on per IP address authentication. This is not perfect but
greatly reduces the area exposed to possible attacks, long before any
ssh auth code runs. Removing this functionality creates a lot more
headaches for security people and mars OpenSSH's otherwise good,
multilayer security architecture.

Also, do you think that this change serves the needs of your
customers? The first thing I can imagine is that *every* Linux distro
on this planet just patches tcpwrappers support back into the code.

Irek
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



