On Tue, Apr 22, 2014 at 9:33 AM, Damien Miller <djm at mindrot.org>
wrote:
> Hi,
>
> This is an early warning: OpenSSH will drop tcpwrappers in the next
> release. sshd_config has supported the Match keyword for a long time
> and it is possible to express more useful conditions (e.g. matching
> by user and address) than tcpwrappers allowed.
>
> Removing it reduces the amount of code in the 'hot' pre-authentication
> path in sshd and rids us of a dependency.
Can I VETO that change, please?
tcpwrappers provides a *central* configuration to protect all services
based on per IP address authentication. This is not perfect but
greatly reduces the area exposed to possible attacks, long before any
ssh auth code runs. Removing this functionality creates a lot more
headaches for security people and mars OpenSSH's otherwise good,
multilayer security architecture.
Also, do you think that this change serves the needs of your
customers? The first thing I can imagine is that *every* Linux distro
on this planet just patches tcpwrappers support back into the code.
Irek
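As an added illustration, not part of this thread or of OpenSSH's own documentation: the address gate as tcpwrappers expresses it, followed by an sshd_config that expresses the same gate plus the user-and-address conditions the announcement refers to. The addresses (RFC 5737 ranges), user names and command path are constructed.

```text
# Added illustration; addresses, user names and paths are constructed.
# Same address gate, first in tcpwrappers, then in sshd_config.

# --- tcpwrappers --------------------------------------------------------
# /etc/hosts.allow
#   sshd: 192.0.2.0/255.255.255.0
# /etc/hosts.deny
#   sshd: ALL
# Checked right after the connection is accepted, before any SSH protocol
# exchange, but the only criterion available is the client address.

# --- sshd_config --------------------------------------------------------
# Hardened defaults for every connection.
PasswordAuthentication no
PermitRootLogin no

# Only the trusted LAN may log in at all.  AllowUsers takes user@host
# patterns, so this is the hosts.allow rule written in sshd's own config;
# any other source is refused at the user-authentication stage.
AllowUsers *@192.0.2.*

# Conditions tcpwrappers could not express: user AND address together.
# The deploy account may still use a password, but only from the LAN.
Match User deploy Address 192.0.2.0/24
    PasswordAuthentication yes

# The backup account is pinned to one host and to one command.
Match User backup Address 192.0.2.10
    ForceCommand /usr/local/bin/run-backup

# Check what a given client would get, without opening a live connection:
#   sshd -T -C user=deploy,addr=192.0.2.25,host=lan25,laddr=192.0.2.1,lport=22
#   sshd -T -C user=deploy,addr=203.0.113.7,host=ext,laddr=192.0.2.1,lport=22
# The first prints "passwordauthentication yes", the second "no".
```

Note the difference in where the refusal happens: tcpwrappers rejects before sshd speaks the protocol, whereas AllowUsers and Match are applied inside the SSH session, so an address-only gate that must run earlier belongs in a packet filter.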