Bryan Drewery <bdrewery at FreeBSD.org> writes:
> Another thing that I did with the port was restore the tcpwrapper
> support that upstream removed. Again, if we decide it is not worth
> keeping in base I will remove it as default in the port.

I want to keep tcpwrapper support - it is another reason why I still haven't upgraded OpenSSH, but to the best of my knowledge, it is far less intrusive than HPN.

DES
-- 
Dag-Erling Smørgrav - des at des.no
On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote:
> Bryan Drewery <bdrewery at FreeBSD.org> writes:
>> Another thing that I did with the port was restore the tcpwrapper
>> support that upstream removed. Again, if we decide it is not worth
>> keeping in base I will remove it as default in the port.
>
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.
>

Yes, it's very small.
/usr/ports/security/openssh-portable/files/extra-patch-tcpwrappers

-- 
Regards,
Bryan Drewery
> On 11 Nov 2015, at 16:53 , Bryan Drewery <bdrewery at FreeBSD.org> wrote:
>
> On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote:
>> Bryan Drewery <bdrewery at FreeBSD.org> writes:
>>> Another thing that I did with the port was restore the tcpwrapper
>>> support that upstream removed. Again, if we decide it is not worth
>>> keeping in base I will remove it as default in the port.
>>
>> I want to keep tcpwrapper support - it is another reason why I still
>> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
>> less intrusive than HPN.
>>
>
> Yes, it's very small.
> /usr/ports/security/openssh-portable/files/extra-patch-tcpwrappers

And thanks to both of you for keeping it. It's often the best you can get if you have machines which run w/o firewalls. Just wanted to say "thanks"!

/bz
On Wed, 11 Nov 2015, Dag-Erling Smørgrav wrote:
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.

There's also inetd's tcpwrapper support if you call sshd from inetd for D/DOS protection. Inetd and its rate-limiting flags are strongly recommended for security-minded systems. Starting sshd from rc.d should never have been made the default, IMO, as keygen delays are rarely relevant and weren't even back in the days of 300MHz CPUs (18 years ago). The only reason inetd is not more widely used today is that many sysadmins aren't familiar with it.

Roger Marquis
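As an added illustration of the two mechanisms discussed above (tcpwrappers applied to sshd, and inetd wrapping sshd with its own rate limits), and not configuration taken from this thread or shipped by the FreeBSD project: the three fragments below are for /etc/hosts.allow, /etc/inetd.conf and /etc/rc.conf on FreeBSD. The network 10.20.0.0/255.255.0.0 and the per-IP limits 40/5/3 are constructed placeholders. The point worth checking on a real host is rule order: hosts.allow is evaluated top to bottom and the first match wins, so a catch-all "ALL : ALL : allow" placed above the sshd rules silently disables them.

```conf
# /etc/hosts.allow  (FreeBSD extended syntax: daemon : client : action)
# First matching rule wins, so these sshd rules must precede any
# catch-all "ALL : ALL : allow" line.
# 10.20.0.0/255.255.0.0 is a constructed example management network.
sshd : 10.20.0.0/255.255.0.0 : allow
sshd : 127.0.0.1 : allow
# Refuse everyone else; "severity" sets the syslog level for the refusal
sshd : ALL : severity auth.info : deny

# /etc/inetd.conf  (run sshd per connection under inetd)
# Field format: nowait[/max-child[/max-conn-per-IP-per-minute[/max-child-per-IP]]]
# The values 40/5/3 are constructed examples, not defaults.
# sshd's MaxStartups does not apply in -i mode; inetd enforces the limits.
ssh   stream  tcp   nowait/40/5/3  root  /usr/sbin/sshd  sshd -i
ssh   stream  tcp6  nowait/40/5/3  root  /usr/sbin/sshd  sshd -i

# /etc/rc.conf  (start inetd rather than sshd's own daemon)
sshd_enable="NO"
inetd_enable="YES"
# -w  apply tcpwrappers (hosts.allow) to external services such as ssh
# -W  apply tcpwrappers to inetd's built-in services
# -C  default ceiling on connections per minute from a single IP
inetd_flags="-wW -C 60"
```

After changing inetd.conf, send inetd a SIGHUP (service inetd reload) and confirm from an address outside the allowed range that the refusal appears in auth.log before relying on it.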
On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote:
> Bryan Drewery <bdrewery at FreeBSD.org> writes:
> > Another thing that I did with the port was restore the tcpwrapper
> > support that upstream removed. Again, if we decide it is not worth
> > keeping in base I will remove it as default in the port.
>
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.

Can you explain what the problem is? I see openssh in base and openssh in ports (a more recent version) with the same functionality patches. You talk about trouble upgrading. What is the root cause? Does openssh in base have a different vendor and/or license? Or something else?

PS: As far as I know today, Heimdal Kerberos is practically dead as an open source project. Has FreeBSD planned a switch to MIT Kerberos? I know about security/krb5.