From: Ed Maste
Date: Fri, 21 Feb 2020 11:49:17 -0500
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
To: "Bjoern A. Zeeb"
Cc: FreeBSD Current, freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

On Sat, 15 Feb 2020 at 05:03, Bjoern A. Zeeb wrote:
>
> I am also worried that the change will make a lot of machines
> unprotected upon updating to 13 if there is no big red warning flag
> before the install.

At least having sshd emit a warning is a prerequisite, certainly. I don't yet know if there's a way via libwrap's API to determine if rules are in place; there's a bit of investigation needed here still.
> I do understand the burden of maintaining a local patch (we lost the HA
> patches from base this way already).

Indeed. As you pointed out, the libwrap patch is very small and easy to review and reason about. My bigger concern is that libwrap is essentially abandonware, and it has been dropped by just about everyone else. As far as I know Debian is still patching libwrap support into sshd, but not anyone else.

It seems starting sshd from inetd via tcpd is a reasonable approach for folks who want to use it; also, have folks using libwrap looked at sshd's Match blocks to see if they provide the desired functionality?
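As an added example (not code from this thread, from FreeBSD, or from OpenSSH) of the pre-upgrade warning discussed above: where libwrap's API offers no obvious way to ask whether rules exist, a POSIX shell function can read a hosts.allow-style file directly and list the rules that currently govern sshd, so an administrator sees what would stop applying once sshd is built without libwrap. The sample access file is constructed, and the names sshd_wrapper_rules and check_sample are my own.

```shell
# Added example (not from the thread): list the tcp_wrappers rules that cover
# sshd so an admin can see what stops applying once sshd is built without
# libwrap. Assumes FreeBSD-style hosts.allow syntax:
#   daemon_list : client_list [: option ...], '#' comments, '\' continuation.
# EXCEPT is honoured for the daemon list only; client lists are not parsed.

# Usage: sshd_wrapper_rules FILE  -> prints matching rules, exit 0 if any.
sshd_wrapper_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
    {
        line = $0
        while (sub(/\\[ \t]*$/, "", line) && (getline nxt) > 0)
            line = line " " nxt                    # join continued lines
        if (split(line, f, ":") < 2) next          # not a rule
        m = split(f[1], d, /[ \t,]+/)              # daemon list tokens
        inc = 1; hit = 0; excl = 0
        for (i = 1; i <= m; i++) {
            if (d[i] == "") continue
            if (d[i] == "EXCEPT") { inc = 0; continue }
            sub(/@.*/, "", d[i])                   # sshd@host form -> sshd
            if (inc && (d[i] == "sshd" || d[i] == "ALL")) hit = 1
            if (!inc && d[i] == "sshd") excl = 1
        }
        if (hit && !excl) { found++; print line }
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample access file (not a real system file).
SAMPLE_HOSTS_ALLOW='# constructed /etc/hosts.allow for demonstration
ALL : localhost 127.0.0.1 : allow
sshd : 192.0.2.0/24 : allow
sshd : ALL : deny
ALL EXCEPT sshd : .example.net : allow
ftpd, \
  sshd : 198.51.100.7 : deny
sendmail : ALL : allow'

# Write the sample to a temp file and report the sshd rules found in it.
check_sample() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_HOSTS_ALLOW" > "$tmp"
    sshd_wrapper_rules "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

check_sample   # prints 4 rules: two explicit sshd rules, the ALL rule, the continued ftpd/sshd rule
```

When comparing the alternatives named above, note that tcpd refuses the TCP connection before sshd is started, whereas a Match block only constrains what an already-accepted connection may do.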