From: Michael Butler <imb@protected-networks.net>
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
To: Ben Woods
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Date: Fri, 14 Feb 2020 18:58:59 -0500
Message-ID: <618e2a2b-4d27-8860-7061-77bdf9e3967a@protected-networks.net>
References: <4627295.A1yGqSNMk2@deborah>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

On 2/14/20 6:37 PM, Ben Woods wrote:
> On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly wrote:
>
>> On Friday, February 14, 2020 01:18:44 PM Ed Maste
>> wrote:
>>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>>> released in October 2014. We've maintained a patch in our tree to
>>> restore it, but it causes friction on each OpenSSH update and may
>>> introduce security vulnerabilities not present upstream. It's (past)
>>> time to remove it.
>>
>> So color me ignorant, but how does this affect things like DenyHosts? Or
>> is there an in-application way to block dictionary attacks? I can't go
>> back to having my servers pounded on day and night (and yes, I listen on
>> an alternative port).
>
> DenyHosts can be configured to use PF firewall tables directly, rather
> than using TCP wrappers:
> https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261

Requiring the addition of a firewall where there was none before is a
significant and potentially error-prone change. I am not about to add this
degree of complexity to every machine which only has a single port exposed
via NAT.

To maintain equivalent functionality, the port version
(security/openssh-portable) has the requisite patch as an option or, perhaps
better, the base SSHD can be run from INETD and, consequently, TCP-wrapped
as it was before.

	imb
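As an added illustration (not part of the thread, and not FreeBSD's own configuration), the inetd route described above, assuming stock FreeBSD inetd(8), inetd.conf(5) and hosts_access(5) syntax; the addresses are constructed placeholders:

```conf
# /etc/rc.conf -- stop the standalone daemon, start inetd with TCP wrapping
# (-w wraps external services such as sshd, -W wraps inetd's internal ones)
sshd_enable="NO"
inetd_enable="YES"
inetd_flags="-wW"

# /etc/inetd.conf -- one sshd per connection, run in inetd mode (-i);
# inetd looks up hosts.allow by the server's basename, i.e. "sshd"
ssh	stream	tcp	nowait	root	/usr/sbin/sshd	sshd -i
ssh	stream	tcp6	nowait	root	/usr/sbin/sshd	sshd -i

# /etc/hosts.allow -- first matching rule wins; constructed example ranges
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : 203.0.113.7 : deny
sshd : ALL : deny
```

Check rather than assume: `ldd /usr/sbin/sshd` lists libwrap only while the local patch is still in base; once it is gone, the `sshd` rules in hosts.allow are silently ignored unless sshd is started through a wrapping inetd as above.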