Going to throw in my $.02 here (late) but I really think this is a bad move.

AIX doesn't natively do tcp wrappers (yes there is a *shudder* rpm for it), but I literally just today stopped a minor syslog DoS caused by some "monitoring" software slamming at my sshd process every second and causing auth.log to grow like nobody's business, making it unparseable and full of useless noise.

How did I stop it quickly? Created a /etc/hosts.deny file and threw this into it ... knowing that sshd would process it and silently drop the connections:

    sshd : ip.add.re.ss : severity debug : deny

Yes, I could have run genfilt, if the server had ipsec4 filtering already configured and running (it didn't). But I could write out a one-line file, bounce sshd, and voila! Silent droppage of unwanted connections (except into the separate debug log I was using for evidence).

I know it's a moot point at this juncture, but I disagree with the decision.

On Mon, Aug 18, 2014 at 5:11 PM, Iain Morgan <imorgan@xxxxxxxxxxxx> wrote:

> On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release
> > containing a number of features, a lot of internal refactoring and some
> > potentially-incompatible changes.
> >
>
> The 20140819 snapshot successfully builds and passes the tests on RHEL
> 6.5/x86_64 w/OpenSSL 1.0.1i.
>
> Regarding the removal of TCP wrapper support, it would be good to remove
> references to it in the contrib/*/openssh.spec files:
>
> % egrep -i 'netkit|wrapper|tcpd' */openssh.spec
> caldera/openssh.spec: --with-tcp-wrappers \
> redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
> redhat/openssh.spec: --with-tcp-wrappers \
> suse/openssh.spec:# TCP Wrappers (tcpd-devel),
> suse/openssh.spec:BuildPrereq: tcpd-devel
> suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers
> support
> suse/openssh.spec: --with-tcp-wrappers \
>
> There are also references to tcpd or libwrap in INSTALL and
> contrib/cygwin/README that should probably be removed or revised.
>
> --
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott@xxxxxxxxx> */