From owner-freebsd-current@freebsd.org  Wed Nov 11 17:53:56 2015
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 49191A2C669;
 Wed, 11 Nov 2015 17:53:56 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3A13314C3;
 Wed, 11 Nov 2015 17:53:55 +0000 (UTC)
 (envelope-from marquis@roble.com)
Date: Wed, 11 Nov 2015 09:52:49 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: =?ISO-8859-15?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no>
cc: Bryan Drewery <bdrewery@FreeBSD.org>, freebsd-security@freebsd.org, 
 freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
In-Reply-To: <86r3jwfpiq.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org>
 <56428F59.5010908@FreeBSD.org> <86y4e47uty.fsf@desk.des.no>
 <56436F4B.8050002@FreeBSD.org> <86r3jwfpiq.fsf@desk.des.no>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Mailman-Approved-At: Wed, 11 Nov 2015 18:29:44 +0000
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 17:53:56 -0000

On Wed, 11 Nov 2015, Dag-Erling Sm?rgrav wrote:
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.

There's also inetd's tcpwrapper support if you call sshd from inetd for
D/DOS protection.  Inetd and its rate-limiting flags are strongly
recommended for security-minded systems.

Starting sshd from rc.d should never have been made the default, IMO, as
keygen delays are rarely relevant and weren't even back in the days of
300MHz CPUs (18 years ago).  The only reason inetd is not more widely
used today is that many sysadmins aren't familiar with it.

Roger Marquis