AllowHosts / DenyHosts
Dan Kaminsky
dankamin at cisco.com
Wed Feb 28 20:55:49 EST 2001
> > Is there any chance for this feature to be included? No, we don't want
to
> > use tcp-wrapper for this.
>
> why should every feature, even if there exist special solutions,
> included in openssh? you can deny ip-addresses with tcp-wrapper,
> ipfw, ipf, etc, etc.
Markus--
We already allow per-host configuration for the client in readconf.c;
any objection to adding similar functionality to the server in servconf.c?
This would let us do such things as allow X forwarding from the one lab that
critically needs it but keep it banned it for everyone else. And, since the
moment the server gets host-switching configs, it becomes trivial to ban
authentication(simply disable all methods), one might as well save on the
crypto expense as well and let certain hosts(users?) simply trigger a
fatal() on contact.
To be honest, most DMZ accessable daemons tend to include internal
controls, particularly for cross platform compatibility, consistent
configuration, and per-protocol flexibility. I'm not saying we should adopt
the exact options that SSH2 has--nice and simple as they are, they're not
particularly flexible. But I can see the value in what people are asking
for, and I think we can do it even better than its been done.
There is, of course, the inevitable problem. If you can't *trust* IP
addresses, just user authenticators, then what are you doing switching your
configurations based on addresses? I'd like to stick to cryptographic
keys--finally, a genuine use for rhostsrsa?--but clearly we can enhance
security by ruling out entire swaths of attackers simply due to their
unspoofed address space.
This is clearly a useful thing, though--or else tcp wrappers et al
wouldn't be brought up.)
Yours Truly,
Dan Kaminsky, CISSP
www.doxpara.com
More information about the openssh-unix-dev
mailing list