Date: Sat, 06 Jan 2001 00:14:23 -0800
From: Dima Dorfman <dima@unixfreak.org>
To: John Reynolds <jjreynold@home.com>
Cc: questions@freebsd.org
Subject: Re: /etc/hosts.allow -- sshd a "bad idea"? Why?
Message-ID: <20010106081428.301233E02@bazooka.unixfreak.org>
In-Reply-To: Message from John Reynolds <jjreynold@home.com> of "Sat, 06 Jan 2001 00:32:33 MST." <14934.51729.912996.493818@whale.home-net>

> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> [snip]
>
> Why is this "not normally a good idea"? It seems as if I've had it working

AFAIK, it's not a good idea because sshd has its own mechanism for allowing and denying access based on the source address. There's no real problem with using hosts.allow to control ssh access, but it can be an administrative headache since that adds a second place where access can be denied.

You didn't ask about this, but you implied that sshd shouldn't have been affected by hosts.allow since you aren't running it from inetd. The reason it's affected is that the sshd daemon explicitly looks in the hosts.allow file (and its friends) for lines that may affect it. I guess that at some point sshd didn't have its own access control mechanisms, so when they were added, wrapping it via hosts.allow was deprecated, but the author(s) didn't want to break compatibility.

Dima Dorfman
dima@unixfreak.org
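
The "second place where access can be denied" problem from the reply above, as an added example that is not part of the original message: a small audit that lists every source-address rule affecting sshd in both files. It assumes sshd's own mechanism is OpenSSH's `AllowUsers`/`DenyUsers` user@host patterns and `Match Address`/`Match Host` blocks, which the message does not name; the function names and both sample files are constructed for illustration.

```python
import re

def logical_lines(text):
    """Yield (line_no, line): comments and blanks dropped, '\\' continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        line, buf = buf.strip(), ""
        if line and not line.startswith("#"):
            yield start, line

def hosts_allow_rules(text, daemon="sshd"):
    """hosts.allow rules (daemon_list : client_list ...) that apply to `daemon`."""
    hits = []
    for no, line in logical_lines(text):
        daemons = re.split(r"[\s,]+", line.split(":", 1)[0].strip())
        # "sshd", "sshd@host" and the ALL wildcard all reach sshd
        if any(d.split("@", 1)[0] in (daemon, "ALL") for d in daemons):
            hits.append((no, line))
    return hits

def sshd_config_rules(text):
    """sshd_config lines that filter on the client's address or host name."""
    hits = []
    for no, line in logical_lines(text):
        parts = line.split(None, 1)
        key, args = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        by_user = key in ("allowusers", "denyusers") and "@" in args
        by_match = key == "match" and re.search(r"\b(address|host)\b", args, re.I)
        if by_user or by_match:
            hits.append((no, line))
    return hits

def audit(hosts_allow_text, sshd_config_text):
    """Report every source-address rule for sshd and whether both files carry one."""
    wrappers = hosts_allow_rules(hosts_allow_text)
    native = sshd_config_rules(sshd_config_text)
    return {"hosts.allow": wrappers, "sshd_config": native,
            "two_places": bool(wrappers and native)}

# Constructed sample files (documentation address range), not taken from the thread.
SAMPLE_HOSTS_ALLOW = "# sample\nsshd : 192.0.2.0/255.255.255.0 : allow\nsshd : ALL : deny\nftpd : ALL : allow\n"
SAMPLE_SSHD_CONFIG = "# sample\nPort 22\nAllowUsers alice@192.0.2.* bob\nPermitRootLogin no\n"

if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS_ALLOW, SAMPLE_SSHD_CONFIG))
```

When `two_places` is true, a connection has to pass both files, so a denial can come from either one.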