From owner-freebsd-current@freebsd.org Sat Feb 15 10:03:31 2020 Return-Path: Delivered-To: freebsd-current@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E3D12255408; Sat, 15 Feb 2020 10:03:31 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:13b:39f::9f:25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 48KQmz5lGkz43RS; Sat, 15 Feb 2020 10:03:31 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id 8A7FF8D4A156; Sat, 15 Feb 2020 10:03:24 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 5D980E707CB; Sat, 15 Feb 2020 10:03:24 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id M049vHU-Gc5o; Sat, 15 Feb 2020 10:03:23 +0000 (UTC) Received: from [169.254.231.217] (unknown [IPv6:fde9:577b:c1a9:4902:2948:8696:a28b:d1bb]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 07BA2E707AD; Sat, 15 Feb 2020 10:03:22 +0000 (UTC) From: "Bjoern A. Zeeb" To: "Ed Maste" Cc: "FreeBSD Current" , freebsd-security@freebsd.org Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd Date: Sat, 15 Feb 2020 10:03:21 +0000 X-Mailer: MailMate (2.0BETAr6146) Message-ID: In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 48KQmz5lGkz43RS X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-6.00 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Feb 2020 10:03:32 -0000 On 14 Feb 2020, at 18:18, Ed Maste wrote: Hi Ed, > Although the specific deprecation steps aren't yet fleshed out I'm > sending this as an early notice that I plan to disable libwrap support > from the base system sshd and that FreeBSD 13 will not support it. I’ll be sad to run inetd again on systems so that I can run a wrapped sshd. Like others I feel that adding firewalls to a machine simply to filter sshd is not an option and whatever else openssh itself has offered in the past never sufficed. I am also worried that the change will make a lot of machines unprotected upon updating to 13 if there is no big red warning flag before the install. I do understand the burden of maintaining a local patch (we lost the HA patches from base this way already). Given the port already does maintain the patch I am wondering what “security guarantees” we provide for the port compared to the base system (ignoring possible security updates) or why the patch cannot be included in base? Compared to the HA patch, this one seems to be sillily small.. /bz