On Tue, Apr 22, 2014 at 9:33 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> Hi,
>
> This is an early warning: OpenSSH will drop tcpwrappers in the next
> release. sshd_config has supported the Match keyword for a long time
> and it is possible to express more useful conditions (e.g. matching
> by user and address) than tcpwrappers allowed.
>
> Removing it reduces the amount of code in the 'hot' pre-authentication
> path in sshd and rids us of a dependency.

Can I VETO that change, please? tcpwrappers provides a *central* configuration to protect all services based on per IP address authentication. This is not perfect but greatly reduces the area exposed to possible attacks, long before any ssh auth code runs. Removing this functionality creates a lot more headaches for security people and mars OpenSSH's otherwise good, multilayer security architecture.

Also, do you think that this change serves the needs of your customers? The first thing I can imagine is that *every* Linux distro on this planet just patches tcpwrappers support back into the code.

Irek
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev