Date:      Sat, 22 Feb 2020 11:21:47 -0500
From:      Michael Butler <imb@protected-networks.net>
To:        Ed Maste <emaste@freebsd.org>
Cc:        FreeBSD Current <freebsd-current@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Message-ID:  <87d666aa-5091-0a35-71eb-6bd321f955a6@protected-networks.net>
In-Reply-To: <CAPyFy2DZnHJDqsvFD_FzUz-hH9G5iVCbOb0UkELP5BWGn9KaSA@mail.gmail.com>
References:  <CAPyFy2Die2tynFM3m3-5zBtWAOpHf-QHY-bE2JY7KKGiP8Tz_Q@mail.gmail.com> <AC78F4EA-164A-41F7-BFE5-92DF682F71DB@lists.zabbadoz.net> <CAPyFy2DZnHJDqsvFD_FzUz-hH9G5iVCbOb0UkELP5BWGn9KaSA@mail.gmail.com>

On 2/21/20 11:49 AM, Ed Maste wrote:
> It seems starting sshd from inetd via tcpd is a reasonable approach
> for folks who want to use it; also, have folks using libwrap looked at
> sshd's Match blocks to see if they provide the desired functionality?

While match blocks can disallow a login from anything other than an
approved source address, they apparently permit the configured number of
failed attempts before throwing the prospective intruder out. With the
wrappers, it's an immediate disconnect.

They also have no mechanism to recognize a DNS mismatch (forward versus
reverse map).

	imb
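As an added illustration of the two approaches compared in this message (not part of the thread, and not FreeBSD's own configuration), here is an sshd_config Match block that refuses logins from any source outside an approved network, beside the hosts.allow rules a tcpd-wrapped sshd would be subject to. The approved network 192.0.2.0/255.255.255.0 is a placeholder.

```conf
# --- /etc/ssh/sshd_config (OpenSSH Match block) ---
# Clients outside the approved network are refused, but only after the
# SSH handshake completes and they present a login; sshd lets them
# attempt authentication MaxAuthTries times before it disconnects.
MaxAuthTries 3

Match Address *,!192.0.2.0/24
    # Deny every user from non-approved sources.
    DenyUsers *
    # Narrow the window to a single refused attempt; this is still a
    # protocol-level refusal, not a drop at accept time.
    MaxAuthTries 1

# --- /etc/hosts.allow (TCP wrappers, consulted by tcpd before sshd runs) ---
# PARANOID matches any client whose reverse (PTR) name does not resolve
# back to the connecting address; the connection is closed immediately.
sshd : PARANOID : deny
# Only the approved network is handed on to sshd; everyone else is
# disconnected before any SSH handshake takes place.
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny
```

With the wrapper rules, a rejected client never reaches sshd at all, which is the immediate disconnect the message refers to; with the Match block, the refusal happens inside the SSH session.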