Date:      Fri, 21 Feb 2020 11:49:17 -0500
From:      Ed Maste <emaste@freebsd.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        FreeBSD Current <freebsd-current@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Message-ID:  <CAPyFy2DZnHJDqsvFD_FzUz-hH9G5iVCbOb0UkELP5BWGn9KaSA@mail.gmail.com>
In-Reply-To: <AC78F4EA-164A-41F7-BFE5-92DF682F71DB@lists.zabbadoz.net>
References:  <CAPyFy2Die2tynFM3m3-5zBtWAOpHf-QHY-bE2JY7KKGiP8Tz_Q@mail.gmail.com> <AC78F4EA-164A-41F7-BFE5-92DF682F71DB@lists.zabbadoz.net>

On Sat, 15 Feb 2020 at 05:03, Bjoern A. Zeeb
<bzeeb-lists@lists.zabbadoz.net> wrote:
>
> I am also worried that the change will make a lot of machines
> unprotected upon updating to 13 if there is no big red warning flag
> before the install.

At least having sshd emit a warning is a prerequisite, certainly. I
don't yet know if there's a way via libwrap's API to determine if
rules are in place; there's a bit of investigation needed here still.

> I do understand the burden of maintaining a local patch (we lost the HA
> patches from base this way already).

Indeed. As you pointed out, the libwrap patch is very small and easy to
review and reason about. My bigger concern is that libwrap is
essentially abandonware, and it has been dropped by just about
everyone else. As far as I know Debian is still patching libwrap
support into sshd but not anyone else.

It seems starting sshd from inetd via tcpd is a reasonable approach
for folks who want to use it; also, have folks using libwrap looked at
sshd's Match blocks to see if they provide the desired functionality?
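To make the Match-block question concrete, here is one way a typical TCP Wrappers allow list for sshd can be expressed in sshd_config; this is an added illustration, not part of the thread or of FreeBSD's configuration, and the addresses are constructed placeholders:

```sshd_config
# Constructed example: the hosts.allow policy
#     sshd : 192.0.2.0/24, 203.0.113.10 : allow
#     sshd : ALL : deny
# expressed as an sshd_config Match block. Global settings must come
# first; every line after a Match keyword belongs to that block.

PasswordAuthentication no

# Any client address not on the allow list: refuse every user name.
# Note the difference from libwrap: the client is rejected at the
# authentication stage, after the banner and key exchange, rather
# than at connect time, so the daemon's version string is still
# exposed and the log lines look different.
Match Address *,!192.0.2.0/24,!203.0.113.10
    DenyUsers *

# Print the effective configuration for a given client without
# restarting (assumed to be run as root on the host):
#     sshd -T -C addr=198.51.100.7,user=admin,host=client.example
```

Patterns in hosts.allow that match on hostnames or NIS netgroups have no direct Address equivalent, so those policies need review rather than a mechanical translation.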
