AllowHosts / DenyHosts

Damien Miller djm at
Thu Mar 1 00:20:11 EST 2001

On Wed, 28 Feb 2001, Yuliy Minchev wrote:

> re
> > > There are some old (or exotic) systems which have neither IP
> > > filtering capabilities nor tcp-wrapper.  So it would be a good
> > > thing if OpenSSH can handle Allow/Deny clauses.
> >
> > tcp-wrappers is _very_ portable. What platforms that OpenSSH supports
> > are not supported by TCP wrappers?
> In fact you are right.  But if I want just to run OpenSSH on some hosts
> and to control access - why should I need to install yet another program
> (tcp-wrapper) and then to track yet another program (tcp-wrapper) for new
> bugs discovered?

TCP wrappers hasn't had a security bug in years IIRC.

> It's enough that you need zlib/openssl/egd to install OpenSSH on some
> machines.
> It's a good thing that in 2.5 there is an internal way to gather entropy.
> Someone said a few weeks ago that he wants to see OpenSSH able to compile
> without having openssl and zlib installed.

This will never happen; if anything, we will be using more 3rd party
libraries in the future rather than fewer (libkeynote, libedit, etc).


| Damien Miller <djm at> \ ``E-mail attachments are the poor man's
|          /   distributed filesystem'' - Dan Geer

More information about the openssh-unix-dev mailing list