On 26 April 2014 18:14, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
> On Sat, Apr 26, 2014 at 11:57 AM, Nicolai
> <nicolai-openssh@xxxxxxxxxxxxxxx> wrote:
>> On Fri, Apr 25, 2014 at 08:35:08PM -0500, Karl O. Pinc wrote:
>>> I bet sshd could be run from a tcpwrapper enabled inetd
>>> using 'sshd -D'.
>>
>> Good point. I use -ieDf for ssh over CurveCP and it works like a charm
>> even on old hardware. So really, the desired functionality will still
>> be in OpenSSH, and there will still be at least two distinct ways of
>> getting it (instead of three). It's sensible to remove duplicate
>> functionality in OpenSSH, particularly where it's better placed
>> elsewhere.
>>
>> So people can look at -i and -D flags. They work!
>
> Isn't it significantly more efficient to allow sshd to do its own
> forks, rather than doing 'sshd -D' and having one new daemon running
> for every connection? I'm not personally convinced it's "better placed
> elsewhere". If tcp_wrappers is yanked out, perhaps a friendly note in
> the documentation explaining just this suggestion would help replace
> it.

Sure. The documentation will be a fully-blown CERN Security announcement
that openssh dropped a vital security feature. We've just drafted one
and will submit it once the matching openssh release hits the
release download area.

Lionel
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev