From: Willem Jan Withagen <wjw@digiware.nl>
To: Borja Marcos, Ed Maste
Cc: freebsd-security@freebsd.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Mon, 17 Feb 2020 10:40:42 +0100
Message-ID: <43a8c8f1-8961-b6cf-3ad1-068b9d47a78c@digiware.nl>
In-Reply-To: <6418643B-4442-47FC-807D-5E9AA63EA4EA@sarenet.es>
On 17-2-2020 08:02, Borja Marcos wrote:
>
>> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>>
>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>> released in October 2014. We've maintained a patch in our tree to
>> restore it, but it causes friction on each OpenSSH update and may
>> introduce security vulnerabilities not present upstream. It's (past)
>> time to remove it.
>
> There's no way to fight it? I know it's an old program (first time I used it was back in 1992 or so!)
> but it's really convenient and easy to use.
>

I remember porting it to Apollo Domain OS with Wietse Venema when we both worked at Eindhoven University. And Wietse was complaining that PIDs were not unique and sequential.
So my guess would be that its origin lies somewhere around 1986-1988. At that time TCP Wrappers was a good part of security, since firewalls and the like were hard to get and/or unavailable.

But in current times there usually are better ways to fix things, though I guess they all use some form of firewall, be it ipfw or pf (using sshguard, fail2ban or portsentry).

So it'll be sad to see it go, but I guess it has served its purpose.

--WjW