From owner-freebsd-security@freebsd.org Mon Feb 17 07:02:10 2020
From: Borja Marcos
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Mon, 17 Feb 2020 08:02:03 +0100
To: Ed Maste
Cc: FreeBSD Current, freebsd-security@freebsd.org
Message-Id: <6418643B-4442-47FC-807D-5E9AA63EA4EA@sarenet.es>

> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>
> Upstream OpenSSH-portable removed libwrap support in version 6.7,
> released in October 2014. We've maintained a patch in our tree to
> restore it, but it causes friction on each OpenSSH update and may
> introduce security vulnerabilities not present upstream. It's (past)
> time to remove it.

There's no way to fight it? I know it's an old program (first time I used it was back in 1992 or so!)
but it's really convenient and easy to use.

Borja.
From owner-freebsd-security@freebsd.org Mon Feb 17 07:34:21 2020
From: titus manea
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Mon, 17 Feb 2020 09:34:10 +0200
To: Borja Marcos
Cc: freebsd-security@freebsd.org
Message-Id: <9F3DAE76-8CFE-47FF-AB0D-A83788D59A1B@edc.ro>
In-Reply-To: <6418643B-4442-47FC-807D-5E9AA63EA4EA@sarenet.es>

> On Feb 17, 2020, at 9:02 AM, Borja Marcos wrote:
>
>> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>>
>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>> released in October 2014. We've maintained a patch in our tree to
>> restore it, but it causes friction on each OpenSSH update and may
>> introduce security vulnerabilities not present upstream. It's (past)
>> time to remove it.
>
> There's no way to fight it? I know it's an old program (first time I used it was back in 1992 or so!)
> but it's really convenient and easy to use.
>
> Borja.

run sshd from inetd

From owner-freebsd-security@freebsd.org Mon Feb 17 09:40:55 2020
From: Willem Jan Withagen
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
To: Borja Marcos, Ed Maste
Cc: freebsd-security@freebsd.org, FreeBSD Current
References: <6418643B-4442-47FC-807D-5E9AA63EA4EA@sarenet.es>
Message-ID: <43a8c8f1-8961-b6cf-3ad1-068b9d47a78c@digiware.nl>
Date: Mon, 17 Feb 2020 10:40:42 +0100
In-Reply-To: <6418643B-4442-47FC-807D-5E9AA63EA4EA@sarenet.es>

On 17-2-2020 08:02, Borja Marcos wrote:
>
>> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>>
>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>> released in October 2014. We've maintained a patch in our tree to
>> restore it, but it causes friction on each OpenSSH update and may
>> introduce security vulnerabilities not present upstream. It's (past)
>> time to remove it.
>
> There's no way to fight it? I know it's an old program (first time I used it was back in 1992 or so!)
> but it's really convenient and easy to use.
>

I remember porting it to Apollo Domain OS with Wietse Venema when we both
worked at Eindhoven University. And Wietse was complaining that PIDs were
not unique and sequential. So my guess would be that its origin lies
somewhere around 1986-1988.

At that time TCP Wrappers was a good part of security, since firewalls and
the like were close to hard to get and/or unavailable.

But in current times there usually are better ways to fix things, but I
guess that all use something of a firewall, be it ipfw or pf (using both
sshguard, fail2ban or portsentry).

So it'll be sad to see it go, but I guess it has served its purpose.

--WjW

From owner-freebsd-security@freebsd.org Tue Feb 18 16:05:06 2020
From: "Rodney W. Grimes"
Subject: Re: [FreeBSD-Announce] FreeBSD 12.0 end-of-life
Date: Tue, 18 Feb 2020 08:05:02 -0800 (PST)
To: freebsd-security@freebsd.org
Message-Id: <202002181605.01IG52ff064138@gndrsh.dnsmgr.net>
In-Reply-To: <20200217231452.717FA1E820@freefall.freebsd.org>

[ PGP not available, raw data follows ]
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dear FreeBSD community,
>
> As of February 29, 2020, FreeBSD 12.0 will reach end-of-life and will no longer
> be supported by the FreeBSD Security Team. Users of FreeBSD 12.0 are strongly
> encouraged to upgrade to a newer release as soon as possible.
>
> The currently supported branches and releases and their expected end-of-life
> dates are:
>
> +--------------------------------------------------------------------------+
> | Branch      | Release      | Release Date      | Estimated EoL           |
> +-------------+--------------+-------------------+-------------------------+
> | stable/12   | N/A          | N/A               | June 30, 2024           |
> +-------------+--------------+-------------------+-------------------------+

releng/12.0 should be listed here in this table, it is still "Supported".

> | releng/12.1 | 12.1-RELEASE | November 4, 2019  | 12.2-RELEASE + 3 months |
> +-------------+--------------+-------------------+-------------------------+
> | stable/11   | N/A          | N/A               | September 30, 2021      |
> +-------------+--------------+-------------------+-------------------------+
> | releng/11.3 | 11.3-RELEASE | July 9, 2019      | 11.4-RELEASE + 3 months |
> +--------------------------------------------------------------------------+
>
> Please refer to https://security.freebsd.org/ for an up-to-date list of
> supported releases and the latest security advisories.
>
> - --
> The FreeBSD Security Team
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----
> [ End of raw data. ]
--
Rod Grimes                                                 rgrimes@freebsd.org

From owner-freebsd-security@freebsd.org Fri Feb 21 16:49:33 2020
From: Ed Maste
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Fri, 21 Feb 2020 11:49:17 -0500
To: "Bjoern A. Zeeb"
Cc: FreeBSD Current, freebsd-security@freebsd.org

On Sat, 15 Feb 2020 at 05:03, Bjoern A. Zeeb wrote:
>
> I am also worried that the change will make a lot of machines
> unprotected upon updating to 13 if there is no big red warning flag
> before the install.

At least having sshd emit a warning is a prerequisite, certainly.
I don't yet know if there's a way via libwrap's API to determine if
rules are in place; there's a bit of investigation needed here still.

> I do understand the burden of maintaining a local patch (we lost the HA
> patches from base this way already).

Indeed. As you pointed out the libwrap patch is very small and easy to
review and reason about. My bigger concern is that libwrap is essentially
abandonware, and it has been dropped by just about everyone else. As far
as I know Debian is still patching libwrap support into sshd but not
anyone else.

It seems starting sshd from inetd via tcpd is a reasonable approach for
folks who want to use it; also, have folks using libwrap looked at sshd's
Match blocks to see if they provide the desired functionality?

From owner-freebsd-security@freebsd.org Sat Feb 22 16:21:57 2020
From: Michael Butler
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Sat, 22 Feb 2020 11:21:47 -0500
To: Ed Maste
Cc: FreeBSD Current, freebsd-security@freebsd.org
Message-ID: <87d666aa-5091-0a35-71eb-6bd321f955a6@protected-networks.net>

On 2/21/20 11:49 AM, Ed Maste wrote:
> It seems starting sshd from inetd via tcpd is a reasonable approach
> for folks who want to use it; also, have folks using libwrap looked at
> sshd's Match blocks to see if they provide the desired functionality?

While Match blocks can disallow a login from anything other than an
approved source address, they apparently permit the configured number of
failed attempts before throwing the prospective intruder out. With the
wrappers, it's an immediate disconnect.

They also have no mechanism to recognize a DNS mismatch (forward versus
reverse map).

imb
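The pre-upgrade check that Bjoern and Ed discuss in this thread (finding out whether a host has hosts.allow rules that only sshd's libwrap support enforces), as an added example that is not code from the thread or from FreeBSD. It assumes the hosts_access(5) file format with the daemon name sshd, reads /etc/hosts.allow unless another path is given, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: list the
# hosts.allow rules that sshd's libwrap support currently enforces, so
# they can be moved to inetd, pf/ipfw or sshd Match blocks before the
# upgrade. Hostname-based client patterns and the forward/reverse DNS
# check have no Match Address equivalent and must be reviewed by hand.

# Print every rule whose daemon list covers sshd, including "ALL" and
# "ALL EXCEPT ..." lists that do not exclude it. $1 = path to the
# hosts.allow file (default /etc/hosts.allow); a missing file has no rules.
sshd_wrapper_rules() {
    file="${1:-/etc/hosts.allow}"
    [ -r "$file" ] || return 0
    awk '
        # A trailing backslash continues the rule on the next line.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) next   # comment/blank
            n = split(line, f, ":")
            if (n < 2) next                      # not "daemons : clients ..."
            daemons = f[1]
            gsub(/^[ \t]+|[ \t]+$/, "", daemons)
            m = split(daemons, d, /[ \t,]+/)
            hit = 0; except = 0
            for (i = 1; i <= m; i++) {
                if (d[i] == "EXCEPT") { except = 1; continue }
                is_sshd = (d[i] == "sshd" || d[i] ~ /^sshd@/)
                if (!except && (d[i] == "ALL" || is_sshd)) hit = 1
                if (except && is_sshd) { hit = 0; break }
            }
            if (hit) print line
        }
    ' "$file"
}

# Number of such rules; non-zero means this host relies on libwrap in sshd.
sshd_wrapper_rule_count() {
    sshd_wrapper_rules "$1" | wc -l | tr -d ' '
}

# Pre-upgrade audit: prints the affected rules and fails when any exist.
audit_sshd_wrappers() {
    count=$(sshd_wrapper_rule_count "$1")
    if [ "$count" -gt 0 ]; then
        echo "hosts.allow: $count rule(s) enforced only by sshd's libwrap support:" >&2
        sshd_wrapper_rules "$1" >&2
        return 1
    fi
    echo "hosts.allow: no rules apply to sshd"
}
```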