AllowHosts / DenyHosts

Dan Kaminsky dankamin at cisco.com
Wed Feb 28 20:55:49 EST 2001


> > Is there any chance for this feature to be included? No, we don't want to
> > use tcp-wrapper for this.
>
> why should every feature, even if there exist special solutions,
> included in openssh? you can deny ip-addresses with tcp-wrapper,
> ipfw, ipf, etc, etc.

Markus--

    We already allow per-host configuration for the client in readconf.c;
any objection to adding similar functionality to the server in servconf.c?
This would let us do such things as allow X forwarding from the one lab that
critically needs it but keep it banned for everyone else.  And, since the
moment the server gets host-switching configs, it becomes trivial to ban
authentication (simply disable all methods), one might as well save on the
crypto expense as well and let certain hosts (users?) simply trigger a
fatal() on contact.

    To be honest, most DMZ accessible daemons tend to include internal
controls, particularly for cross platform compatibility, consistent
configuration, and per-protocol flexibility.  I'm not saying we should adopt
the exact options that SSH2 has--nice and simple as they are, they're not
particularly flexible.  But I can see the value in what people are asking
for, and I think we can do it even better than it's been done.

    There is, of course, the inevitable problem.  If you can't *trust* IP
addresses, just user authenticators, then what are you doing switching your
configurations based on addresses?  I'd like to stick to cryptographic
keys--finally, a genuine use for rhostsrsa?--but clearly we can enhance
security by ruling out entire swaths of attackers simply due to their
unspoofed address space.
(This is clearly a useful thing, though--or else tcp wrappers et al
wouldn't be brought up.)

Yours Truly,

    Dan Kaminsky, CISSP
    www.doxpara.com
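
An added illustration, not part of the original message or of the code it discusses: later OpenSSH releases accept conditional `Match` blocks in sshd_config, which can express the per-address server configuration proposed above. The address ranges are constructed placeholders from documentation space (RFC 5737), and the split into "lab" and "banned" networks is an assumption made for the example.

```conf
# Constructed example: per-source-address server policy in sshd_config.
# Global default: X11 forwarding is banned for everyone.
X11Forwarding no

# The one lab that critically needs X forwarding (placeholder range).
Match Address 192.0.2.0/24
    X11Forwarding yes

# Address space that must never log in (placeholder range):
# ban authentication by disabling every method for these sources.
Match Address 198.51.100.0/24
    PubkeyAuthentication no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    HostbasedAuthentication no
    GSSAPIAuthentication no
```

With this configuration the key exchange still runs for the banned range before authentication is refused, so avoiding the crypto expense entirely still requires dropping the connection earlier, for example with a packet filter. `sshd -t -f <file>` checks the file for syntax errors before it is put into service.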
