On Wed, Apr 23, 2014 at 21:39:27 +1000, Damien Miller wrote:
> On Wed, 23 Apr 2014, Alex Bligh wrote:
>
> > On 22 Apr 2014, at 23:31, James Cloos wrote:
> >
> > >>>>>> "DM" == Damien Miller <djm@xxxxxxxxxxx> writes:
> > >
> > > DM> This is an early warning: OpenSSH will drop tcpwrappers in the next
> > > DM> release.
> > >
> > > This will need a wider announcement. Most auto-block solutions I've
> > > looked at add entries to hosts.allow.
> >
> > +1. Denyhosts suddenly stopping working is not a great plan.
> >
> > Personally I don't want an automated script futzing with iptables,
>
> as opposed to letting one futz with something that can execute shell
> commands?
>
> A simple way out of this would be adding "Match exec" support to sshd_config
> like ssh_config got in the last couple of releases. Anyone want to do this?
>
> -d

This wouldn't be a drop-in solution, but pam_access might be an option
for platforms that support PAM. The syntax is similar, but not
equivalent to libwrap.

Admittedly, this has the disadvantage that a rejection would occur later
in the connection process, so it might not be suitable in all cases.

A slightly better solution would be a PAM module that uses the same
syntax as libwrap. Possibly someone has already written such a module.

--
Iain Morgan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
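
The pam_access option raised in the reply above, as an added example that is not part of the original thread: a tcpwrappers allowlist for sshd beside a roughly equivalent Linux-PAM configuration. The file paths are common Linux-PAM defaults and are assumptions here; all addresses are constructed documentation ranges.

```conf
# --- tcpwrappers (libwrap): the mechanism being dropped from sshd ---
# Rules are keyed by daemon name. hosts.allow is consulted first,
# then hosts.deny; a client matching neither file is allowed.

# /etc/hosts.allow
sshd : 192.0.2.0/255.255.255.0

# /etc/hosts.deny
sshd : ALL

# --- pam_access: similar intent, different syntax and timing ---
# Rules are keyed by user, not by daemon. They apply to sshd only
# because the module is loaded from sshd's PAM service file.

# /etc/ssh/sshd_config  (PAM must be enabled for sshd to consult it)
UsePAM yes

# /etc/pam.d/sshd  (account stack)
account  required  pam_access.so

# /etc/security/access.conf
# Format:  permission : users : origins
# Lines are read top to bottom and the first match decides.
+ : ALL : 192.0.2.0/24
- : ALL : ALL

# An auto-blocker that used to write a hosts.deny line such as
#   sshd : 203.0.113.45
# would instead have to insert a line such as
#   - : ALL : 203.0.113.45
# ABOVE any "+" line that could match the same client, because
# evaluation stops at the first matching line.
```

With libwrap the connection is refused before any SSH protocol exchange; with pam_access the check runs in the PAM account phase, which is the later rejection the reply refers to.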