Feature disappeared?

Pekka Savola pekkas at netcore.fi
Mon Oct 30 22:55:29 EST 2000


On Mon, 30 Oct 2000, Gert Doering wrote:
> Well, dropping AllowHosts doesn't mean dropping functionality (because it
> can be done via TCP wrappers).  
> 
> Dropping AllowSHosts means "I can't do that anymore", which should have
> security reasons, which I don't see any right now...

True.  Now you just have to run these on separate boxes, or separate
ports.

> > I nagged about AllowHosts _a lot_ but eventually patched TCP Wrappers so
> > that it can take more complex host definitions too (like *isdn1*.isp.com).
> 
> What's your gripe with AllowHosts?

That it was dropped in OpenSSH.  

As for the reasons for griping, regular TCP wrappers are rather inflexible.
Here's an example.  An ISP might define its address pools like

blahlah12311.newyork5.isp.com
blahlah12311.newyork6.isp.com
blahlah12311.newyork7.isp.com
blahlah12311.newyork8.isp.com
blahlah12311.newyork9.isp.com
[ etc. the point is newyorkX ]

With regular TCP Wrappers, the only way you really have to define these
is:

.newyork5.isp.com
.newyork6.isp.com
[etc.]

Or using IP addresses and netmasks, which unfortunately doesn't usually
help a bit (if the addresses haven't been allocated nicely) and isn't as
informational when you read it.

Now, consider an AllowHosts/modified tcp-wrappers rule:

blah*.newyork?.isp.com

No pain. '*' and '?' wildcards _do_ come in handy sometimes..

-- 
Pekka Savola                 "Tell me of difficulties surmounted, 
Pekka.Savola at netcore.fi      not those you stumble over and fall"
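The contrast Pekka draws above, between the leading-dot domain suffixes that hosts.allow understands and the '*'/'?' wildcards that AllowHosts offered, is worked through below in an added Python example. It is not code from the mail, from OpenSSH or from TCP Wrappers; the hostnames are constructed after the mail's pool naming, `wrappers_match` models only the name-pattern subset of hosts_access(5) (exact host or leading-dot suffix, no IP/netmask or ALL forms), and `wildcard_match` is one reasonable reading of the wildcard semantics in which '*' and '?' never cross a '.' so a pattern cannot swallow extra DNS labels.

```python
"""Host-pattern matching, two styles (example code, not the thread's own):
classic TCP-wrappers name patterns versus '*'/'?' wildcards as in AllowHosts."""

import re

# Constructed sample reverse-DNS names, modelled on the mail's address pool.
SAMPLE_HOSTS = [
    "blahlah12311.newyork5.isp.com",
    "blahlah12311.newyork6.isp.com",
    "blahlah99.newyork9.isp.com",
    "blahlah12311.newyork10.isp.com",   # two-digit site: '?' must not match it
    "evil.newyork5.isp.com",            # same pool suffix, different host prefix
    "blahlah12311.boston5.isp.com",     # another city entirely
]


def wrappers_match(pattern: str, host: str) -> bool:
    """Subset of hosts_access(5) name matching: a pattern beginning with '.'
    matches every host that ends in it; any other pattern must equal the host
    exactly.  DNS names are case-insensitive, so compare lower-cased."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an AllowHosts-style pattern to a regex.  Everything except
    '*' and '?' is literal.  Assumption of this example: neither wildcard
    matches a '.', so 'blah*.newyork?.isp.com' cannot match a name with an
    extra label spliced into it."""
    escaped = re.escape(pattern.lower())
    regex = escaped.replace(r"\*", r"[^.]*").replace(r"\?", r"[^.]")
    return re.compile(regex)


def wildcard_match(pattern: str, host: str) -> bool:
    """'*' matches any run of non-dot characters, '?' exactly one."""
    return wildcard_to_regex(pattern).fullmatch(host.lower()) is not None


def allowed_hosts(hosts, rules, matcher):
    """Return the hosts that at least one rule admits, in input order.
    'matcher' selects which of the two pattern styles the rules use."""
    return [h for h in hosts if any(matcher(rule, h) for rule in rules)]


# The mail's point: one wildcard rule versus one suffix rule per newyorkX,
# and the suffix rules cannot restrict the host part at all.
WILDCARD_RULES = ["blah*.newyork?.isp.com"]
WRAPPER_RULES = [".newyork%d.isp.com" % n for n in range(5, 10)]


if __name__ == "__main__":
    print("wildcard rule admits:", allowed_hosts(SAMPLE_HOSTS, WILDCARD_RULES, wildcard_match))
    print("suffix rules admit:  ", allowed_hosts(SAMPLE_HOSTS, WRAPPER_RULES, wrappers_match))
```

Whichever style is used, both sides of the comparison are only as trustworthy as the reverse DNS lookup that produced the client's name; TCP Wrappers cross-checks the reverse name against a forward lookup and treats a mismatch as PARANOID, and any hostname-based allow list should keep that check, since a rule like the wildcard above admits whatever the owner of the reverse zone chooses to call a host.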