Re: Bringing back tcp wrappers
On Wed, 23 Jun 2021, Saint Michael wrote:

> The point is: this decision should not have been taken. In any case, it
> should have been converted to an option, maybe an option in
> /etc/ssh/sshd_config.
> Can we fix it?

No - we have no intention of bringing libwrap back. It's a horrible
interface that makes a lot of assumptions about the caller (e.g. it
uses longjmp(3) internally). It shambled out of the 1990s - a time when
hosts and applications lacked similar controls of their own.

It has been comprehensively superseded by better controls both inside
sshd (e.g. the match directive in sshd_config) and included in modern
operating systems (e.g. built-in packet filtering, libpam).

If you really really want libwrap, then you can still get it by
running sshd under a supporting inetd or wrapper program. Alternately,
I think there's a PAM module that implements it.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
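The "better controls inside sshd" mentioned above can be made concrete. The script below is an added example, not code from OpenSSH, tcp_wrappers or anyone in this thread: it reads a small hosts.allow/hosts.deny subset, reproduces the hosts_access(5) decision order (allow file first, then deny file, otherwise allow), and emits the sshd_config Match Address block that refuses the same clients, then checks both evaluators against sample addresses. Assumptions: the two rule files and the client list are constructed for the demo; only the ALL keyword, IPv4 literals, trailing-dot prefixes, net/mask and CIDR client patterns are handled (hostname patterns and EXCEPT are rejected rather than mistranslated, and IPv6 client patterns are not parsed); the emitted block relies on sshd's documented Match Address semantics (CIDR entries, "!" negation) with DenyUsers * inside the block.

```python
"""Translate a tcp_wrappers rule set for sshd into an sshd_config Match block.

Added example, not OpenSSH or tcp_wrappers project code.  Handled subset of
hosts_access(5): daemon list 'sshd' or 'ALL'; client patterns ALL, a dotted
IPv4 literal, a trailing-dot prefix (192.168.1.), net/mask and CIDR.
"""
import ipaddress
import re

# Constructed sample files for the demo; not copied from any real host.
HOSTS_ALLOW = """\
# allow the office LAN, the corporate /8 and loopback
sshd: 192.168.1.0/24, 10.0.0.0/255.0.0.0
ALL: 127.0.0.1
"""
HOSTS_DENY = """\
sshd: ALL
"""

# Constructed client addresses used by compare().
SAMPLE_CLIENTS = ["192.168.1.7", "10.20.30.40", "127.0.0.1",
                  "192.168.2.1", "203.0.113.5", "2001:db8::1"]


def parse_rules(text, daemon="sshd"):
    """Return the client patterns of every line whose daemon list covers `daemon`.

    The split is on the first colon, so bracketed IPv6 client patterns are out
    of scope for this parser.
    """
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if {d.strip() for d in daemons.split(",")} & {daemon, "ALL"}:
            patterns += [c.strip() for c in clients.split(",") if c.strip()]
    return patterns


def pattern_to_networks(pat):
    """Map one client pattern to the ip_network objects it covers."""
    if pat == "ALL":                     # ALL covers both address families
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if "EXCEPT" in pat.split():
        raise ValueError("EXCEPT is not translated: " + pat)
    if re.fullmatch(r"(\d{1,3}\.){1,3}", pat):      # 192.168.1. -> 192.168.1.0/24
        octets = pat.rstrip(".").split(".")
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return [ipaddress.ip_network(f"{base}/{8 * len(octets)}")]
    if re.fullmatch(r"[0-9a-fA-F:.]+(/[0-9.]+)?", pat):  # literal, CIDR or net/mask
        return [ipaddress.ip_network(pat, strict=False)]
    raise ValueError("hostname patterns depend on reverse DNS; not translated: " + pat)


def covered(patterns, ip):
    return any(ip in net for p in patterns for net in pattern_to_networks(p))


def libwrap_decision(allow, deny, client):
    """hosts_access(5) order: a hosts.allow hit grants, then a hosts.deny hit
    refuses, and a client matching neither file is allowed."""
    ip = ipaddress.ip_address(client)
    if covered(allow, ip):
        return "allow"
    if covered(deny, ip):
        return "deny"
    return "allow"


def sshd_match_entries(allow, deny):
    """Deny patterns become positive entries, allow patterns negated ones.

    sshd applies a Match Address block when some positive entry matches and no
    negated entry does, i.e. "in hosts.deny and not in hosts.allow".
    """
    entries = [str(n) for p in deny for n in pattern_to_networks(p)]
    entries += ["!" + str(n) for p in allow for n in pattern_to_networks(p)]
    return entries


def sshd_config_block(allow, deny):
    """Render the sshd_config fragment; DenyUsers * refuses every login."""
    if not deny:
        return "# hosts.deny has no sshd rule: libwrap would allow every client\n"
    return "Match Address " + ",".join(sshd_match_entries(allow, deny)) + "\n    DenyUsers *\n"


def sshd_address_match(entries, client):
    """Evaluate a Match Address list the way sshd's addr_match_list() does."""
    ip = ipaddress.ip_address(client)
    positive = False
    for entry in entries:
        if ip in ipaddress.ip_network(entry.lstrip("!")):
            if entry.startswith("!"):
                return False             # a negated hit vetoes the whole block
            positive = True
    return positive


def sshd_decision(allow, deny, client):
    entries = sshd_match_entries(allow, deny)
    return "deny" if sshd_address_match(entries, client) else "allow"


def compare(allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY, clients=SAMPLE_CLIENTS):
    """Return {client: (libwrap verdict, sshd verdict)} for the sample clients."""
    allow, deny = parse_rules(allow_text), parse_rules(deny_text)
    return {c: (libwrap_decision(allow, deny, c), sshd_decision(allow, deny, c))
            for c in clients}


if __name__ == "__main__":
    print(sshd_config_block(parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY)))
    for client, (wrap, sshd) in compare().items():
        print(f"{client:16} libwrap={wrap:5} sshd={sshd}")
```

One difference worth knowing before calling the two controls equivalent in an audit response: libwrap refused the connection before the SSH banner was sent, whereas DenyUsers is checked during authentication, so a refused client still completes key exchange and reaches the pre-auth code. If reducing that pre-auth exposure is the goal, the host packet filter mentioned above is the matching control; the Match block is the equivalent for the login policy itself.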
RE: [EXTERNAL] Re: Bringing back tcp wrappers
On Wed, 23 Jun 2021, Robinson, Herbie wrote:

> The problem is that the people who invented security audits never
> remove anything from the list of things they will ding you with… If
> you are getting paid to pass all of these benchmarks, you have to keep
> everything around forever.

Yeah, procrustean auditors can be a hassle, but the magic words
"equivalent security control" can solve a lot of audit-related
problems.

-d
Re: Bringing back tcp wrappers
On 24/6/21 12:24 am, Saint Michael wrote:
> I compiled the latest version, 8.1, inside Centos 7.9, and to my dismay,
> there was no support for libwrap, which offers a level of protection that
> is added to a firewall, but in my opinion, it works better.
Why can't you use tcpd and sshd -i?
Re: Bringing back tcp wrappers
On 6/25/21 3:46 AM, David Newall wrote:
> On 24/6/21 12:24 am, Saint Michael wrote:
>> I compiled the latest version, 8.1, inside Centos 7.9, and to my dismay,
>> there was no support for libwrap, which offers a level of protection that
>> is added to a firewall, but in my opinion, it works better.
> Why can't you use tcpd and sshd -i?

If you want, you can as I played with it when we were removing this from
Fedora:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers#Migration_to_tcpd

It's not nice, you need some tweaks from the default OS installation, but
if this is really your only layer of defense you need to rely on, it is
indeed possible.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
