AllowHosts / DenyHosts

Damien Miller djm at mindrot.org
Thu Mar 1 00:20:11 EST 2001


On Wed, 28 Feb 2001, Yuliy Minchev wrote:

>
> re
>
> > > There are some old (or exotic) systems which have neither IP
> > > filtering capabilities nor tcp-wrapper.  So it would be a good
> > > thing if OpenSSH could handle Allow/Deny clauses.
> >
> > tcp-wrappers is _very_ portable. What platforms that OpenSSH supports
> > are not supported by TCP wrappers?
>
> In fact you are right.  But if I want just to run OpenSSH on some hosts
> and to control access - why should I need to install yet another program
> (tcp-wrapper) and then to track yet another program (tcp-wrapper) for new
> bugs discovered?

TCP wrappers hasn't had a security bug in years IIRC.

> It's enough that you need zlib/openssl/egd to install OpenSSH on some
> machines.
> It's a good thing that in 2.5 there is an internal way to gather entropy.
>
> Someone said a few weeks ago that he wants to see OpenSSH able to compile
> without having openssl and zlib installed.

This will never happen, if anything we will be using more 3rd party
libraries in the future rather than less (libkeynote, libedit, etc).

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer






More information about the openssh-unix-dev mailing list