Date: Wed, 25 Oct 2006 20:23:22 +0100 (BST) From: doug <doug@fledge.watson.org> To: Eric Schuele <e.schuele@computer.org> Cc: rihad@mail.ru, freebsd-questions@freebsd.org Subject: Re: tcpwrappers & SSH Message-ID: <20061025200830.K91833@fledge.watson.org> In-Reply-To: <453FB3D3.4030308@computer.org> References: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru> <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu> <453FB3D3.4030308@computer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 25 Oct 2006, Eric Schuele wrote: > On 10/25/06 09:56, Paul Schmehl wrote: >> --On Wednesday, October 25, 2006 12:08:26 +0400 ????? ??????? >> <rihad@mail.ru> wrote: >> >>> A comment in /etc/hosts.allow states that: >>> Wrapping sshd(8) is not normally a good idea >>> >>> Why? Is it because such restrictions should naturally be made using a >>> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have >>> been built with libwrap support in the first place. Or? >>> >> Because maintaining the access list can be quite ponderous if you have a >> lot of users. >> >> I maintain a hobby website that only has two shell accounts. I use >> hosts.allow for ssh because it gets rid of the brute-force crap. But even >> for two users, the list of hosts/networks that are allowed is 10 or 15. >> Imagine what it would be if you have a hundred users...or a thousand. > > Viewed from a slightly different angle... > > If you are responsible for maintaining machine xyz, and you have used > tcpwrappers... chances are you'll eventually need access to that machine from > a location you did not previously expect. Maybe your sitting in the airport > and get a call that the machine is malfunctioning. Maybe you are on call at > a social gathering. In any case, you'll need access and if it is using > tcpwrappers, you may not gain access. > > IMHO, other than the problem with needing "emergency" access, I think > tcpwrappers is a good thing. I use then on my laptop for example. As Paul > mentions, it gets rid of the constant hammering you would normally be subject > to, and I can still access it from the office or home. > This could be easily done in sshd_config if the order of processing the AllowUsers and DenyUsers directivies was optional. It is not DenyUsers takes precedent over AllowUsers. This effective eliminates denying access using a pattern. It looks pretty easy to just switch this in the code, but the "right" way to do it would be to add an apache-like directive order, e.g. "order deny,allow". Perhaps there is something in the protocols that would disallow this function.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061025200830.K91833>