From: Michael Butler <imb@protected-networks.net>
To: Ed Maste
Cc: FreeBSD Current, freebsd-security@freebsd.org
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Sat, 22 Feb 2020 11:21:47 -0500
Message-ID: <87d666aa-5091-0a35-71eb-6bd321f955a6@protected-networks.net>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On 2/21/20 11:49 AM, Ed Maste wrote:
> It seems starting sshd from inetd via tcpd is a reasonable approach
> for folks who want to use it; also, have folks using libwrap looked at
> sshd's Match blocks to see if they provide the desired functionality?

While match blocks can disallow a login from anything other than an
approved source address, they apparently permit the configured number of
failed attempts before throwing the prospective intruder out. With the
wrappers, it's an immediate disconnect.

They also have no mechanism to recognize a DNS mismatch (forward versus
reverse map).

	imb
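The forward-versus-reverse DNS check that the reply says Match blocks lack is the test hosts_access(5) performs for its PARANOID wildcard: the client's reverse (PTR) name is looked up, the name is resolved forward again, and the connection is refused before any authentication if the original address is not among the forward results. The following is an added illustration, not code from the thread, OpenSSH or TCP Wrappers. It substitutes constructed resolver tables for real DNS so it runs offline (a deployment would call socket.gethostbyaddr and socket.getaddrinfo), and the function and host names are hypothetical. It also contrasts the result with a Match Address style check, which accepts any address in the permitted network and leaves the mismatched client free to burn through MaxAuthTries.

```python
"""Forward-confirmed reverse DNS (the PARANOID test of hosts_access(5))
beside a Match-Address style check, on constructed resolver data."""
import ipaddress
from typing import Callable, Iterable, Optional, Set

# Constructed PTR (reverse) and A (forward) records standing in for DNS.
# Hypothetical hosts; nothing here is real infrastructure.
PTR_RECORDS = {
    "192.0.2.10": "host1.example.net",   # forward map agrees
    "192.0.2.11": "host2.example.net",   # forward map points elsewhere
    "192.0.2.12": None,                  # no reverse record at all
}
A_RECORDS = {
    "host1.example.net": {"192.0.2.10"},
    "host2.example.net": {"198.51.100.5"},  # does not include 192.0.2.11
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(): PTR name or None."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> Set[str]:
    """Stand-in for socket.getaddrinfo(): set of addresses for a name."""
    return A_RECORDS.get(name, set())


def confirmed_name(ip: str,
                   reverse: Callable[[str], Optional[str]] = reverse_lookup,
                   forward: Callable[[str], Set[str]] = forward_lookup) -> Optional[str]:
    """Return the client's hostname only if reverse and forward maps agree.

    None means either 'no reverse record' or a PARANOID mismatch; either way
    the caller must not trust the name for an access decision.
    """
    name = reverse(ip)
    if name is None:
        return None
    if ip not in forward(name):
        return None      # reverse says X, but X does not resolve back to ip
    return name


def wrapper_allows(ip: str, allowed_names: Iterable[str]) -> bool:
    """Wrapper-style decision: deny immediately unless the forward-confirmed
    name is on the allow list. A mismatch never reaches authentication."""
    name = confirmed_name(ip)
    return name is not None and name in set(allowed_names)


def match_address_allows(ip: str, allowed_nets: Iterable[str]) -> bool:
    """Match Address style decision: address-only, no DNS consistency test.
    A passing client still gets the configured number of auth attempts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_nets)


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip,
              "wrapper:", wrapper_allows(ip, ["host1.example.net", "host2.example.net"]),
              "match:", match_address_allows(ip, ["192.0.2.0/24"]))
```

Run as a script it prints one line per constructed client: only 192.0.2.10 passes the wrapper-style check, while all three pass the address-only check, which is the gap the reply points at.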