Cedric Blancher
2014-Apr-23 19:55 UTC
hackers celebrate this day: openssh drops security! was: Re: heads up: tcpwrappers support going away
On 23 April 2014 21:43, mancha <mancha1 at zoho.com> wrote:
> On Wed, Apr 23, 2014 at 12:26:58PM -0700, Iain Morgan wrote:
>> A slightly better solution would be a PAM module that uses the same
>> syntax as libwrap. Possibly someone has already written such a module.
>
> Possibly, but only for platforms which use PAM.

PAM is executed so late in the chain that any possible security issue
has long been exposed to half of China and the KGB.

Hackers will celebrate this day - openssh drops security.
Time to move on to ssh.com's ssh variant.

Seriously - the discussion is stupid: If tcpwrappers support gets
removed then a replacement is required which is executed at the same
location and not much later in the code.

Ced
--
Cedric Blancher <cedric.blancher at gmail.com>
Institute Pasteur
Karl O. Pinc
2014-Apr-23 20:22 UTC
hackers celebrate this day: openssh drops security! was: Re: heads up: tcpwrappers support going away
On 04/23/2014 02:55:14 PM, Cedric Blancher wrote:
> Seriously - the discussion is stupid: If tcpwrappers support gets
> removed then a replacement is required which is executed at the same
> location and not much later in the code.

Well, no. If you want system-wide packet filtering, which is what
tcpwrapper provides, putting that into the application layer is what
is stupid. Use, instead, a real system wide packet filter -- whatever
the system firewall is.

What I find interesting is that the ssh maintainers seem to have
declared, purposefully or not, that they are serving the distros not
the end user. They are leaving it to the distros to provide a smooth
upgrade path to the end-user. Nothing really wrong with that. The
alternative, deprecation with warnings in the logs or whatever for a
lengthy transition period, being work that might be better spent on
maintaining security.

I do find that abrupt dropping of a feature is a little jarring. But
on the other hand who hasn't known forever that tcpwrappers is a lame
solution? (Most everybody?!) The writing has been on the wall for a
long time.

Regards,

Karl <kop at meme.com>
Free Software: "You don't pay back, you pay forward."
    -- Robert A. Heinlein
Damien Miller
2014-Apr-23 23:46 UTC
hackers celebrate this day: openssh drops security! was: Re: heads up: tcpwrappers support going away
On Wed, 23 Apr 2014, Cedric Blancher wrote:
> Hackers will celebrate this day - openssh drops security.
> Time to move on to ssh.com's ssh variant.

good luck with that https://answers.ssh.com/questions/398/support-for-tcp-wrappers

> Seriously - the discussion is stupid: If tcpwrappers support gets
> removed then a replacement is required which is executed at the same
> location and not much later in the code.

How about a packet filter? That way no code gets executed at all...

-d
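
The move from hosts.allow to a packet filter that the two replies above suggest, sketched as an added example; it is not from any participant in this thread or from OpenSSH. It assumes IPv4 patterns, a hosts.deny of `ALL: ALL`, and that the output lines go into an existing nftables input chain; the sample file and the function name are constructed.

```python
import ipaddress

# Constructed sample hosts.allow (not from the thread); assumes hosts.deny is "ALL: ALL".
SAMPLE = """\
sshd: 192.0.2.0/255.255.255.0, 198.51.100.7
sshd, vsftpd: 10.1.
sshd: .example.org
in.ftpd: ALL
sshd: ALL EXCEPT 203.0.113.0/255.255.255.0
"""

def hosts_allow_to_nft(text, daemon="sshd", port=22):
    """Translate IPv4 hosts.allow entries for `daemon` into nftables rule lines.

    Returns (rules, skipped); skipped holds entries a packet filter cannot
    express or that this example does not handle, for manual review.
    """
    rules, skipped = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        fields = line.split(":")
        daemons = fields[0].replace(",", " ").split()
        if daemon not in daemons and "ALL" not in daemons:
            continue
        clients = fields[1].replace(",", " ").split()
        # Extra fields (options, shell commands, IPv6 literals) and EXCEPT: not translated.
        if len(fields) > 2 or "EXCEPT" in clients:
            skipped.append(line)
            continue
        for pat in clients:
            if pat == "ALL":
                rules.append(f"tcp dport {port} accept")
                continue
            cidr = pat
            if pat.endswith(".") and pat[0].isdigit():   # prefix form such as "10.1."
                octets = pat.rstrip(".").split(".")
                cidr = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
            try:
                net = ipaddress.IPv4Network(cidr, strict=False)
            except ValueError:   # hostnames, .domain, LOCAL, KNOWN: these need name lookups
                skipped.append(pat)
                continue
            rules.append(f"ip saddr {net} tcp dport {port} accept")
    rules.append(f"tcp dport {port} drop")   # everything else, as hosts.deny "ALL: ALL" did
    return rules, skipped

if __name__ == "__main__":
    rules, skipped = hosts_allow_to_nft(SAMPLE)
    print("\n".join(rules))
    print("needs manual review:", skipped)
```

Hostname-based patterns end up in the skipped list because a packet filter matches on addresses only; those entries need an address-based replacement chosen by the administrator.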
Christian Heinrich
2014-Apr-23 23:59 UTC
hackers celebrate this day: openssh drops security! was: Re: heads up: tcpwrappers support going away
Cedric,

On Thu, Apr 24, 2014 at 5:55 AM, Cedric Blancher <cedric.blancher at gmail.com> wrote:

Is http://www.theregister.co.uk/2013/11/12/cdric_sid_blancher_dead_at_37/ you?

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact