Re: heads up: tcpwrappers support going away

On Wed, Apr 23, 2014 at 21:39:27 +1000, Damien Miller wrote:
> On Wed, 23 Apr 2014, Alex Bligh wrote:
> 
> > On 22 Apr 2014, at 23:31, James Cloos wrote:
> > 
> > >>>>>> "DM" == Damien Miller <djm@xxxxxxxxxxx> writes:
> > > 
> > > DM> This is an early warning: OpenSSH will drop tcpwrappers in the next
> > > DM> release.
> > > 
> > > This will need a wider announcement.  Most auto-block solutions I've
> > > looked at add entries to hosts.allow.
> > 
> > +1. Denyhosts suddenly stopping working is not a great plan.
> > 
> > Personally I don't want an automated script futzing with iptables,
> 
> as opposed to letting one futz with something that can execute shell
> commands?
> 
> A simple way out of this would be adding "Match exec" support to sshd_config
> like ssh_config got in the last couple of releases. Anyone want to do this?
> 
> -d

This wouldn't be a drop-in solution, but pam_access might be an option
for platforms that support PAM. The syntax is similar, but not
equivalent to libwrap. Admittedly, this has the disadvantage that a
rejection would occur later in the connection process, so it might not
be suitable in all cases.

A slightly better solution would be a PAM module that uses the same
syntax as libwrap. Possibly someone has already written such a module.

-- 
Iain Morgan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



