Re: VETO! Re: heads up: tcpwrappers support going away

On Apr 23, 2014, at 12:51 PM, Irek Szczesniak <iszczesniak@xxxxxxxxx> wrote:

> Can I VETO that change, please?
> 
> tcpwrappers provides a *central* configuration to protect all services
> based on per IP address authentication. This is not perfect but
> greatly reduces the area exposed to possible attacks, long before any
> ssh auth code runs. Removing this functionality creates a lot more
> headaches for security people and mars OpenSSH's otherwise good,
> multilayer security architecture.
> 
> Also, do you think that this change serves the needs of your
> customers? The first thing I can imagine is that *every* Linux distro
> on this planet just patches tcpwrappers support back into the code.

Let them.  Each distro has their pet patches that OpenSSH has rejected.  Personally, I'm glad to see us finally doing away with tcpwrapper.  It is a dark part of our history that should be scorched from the planet so we can get people to start doing stuff the right way.

- Ben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



