heads up: tcpwrappers support going away

Petr Lautrbach plautrba at redhat.com
Tue Apr 22 19:07:11 EST 2014

On 04/22/2014 09:33 AM, Damien Miller wrote:
> Hi,
>
> This is an early warning: OpenSSH will drop tcpwrappers in the next
> release. sshd_config has supported the Match keyword for a long time
> and it is possible to express more useful conditions (e.g. matching
> by user and address) than tcpwrappers allowed.

I'd agree that you can express more useful conditions using Match, but it is
used at a different application level than tcpwrappers.

Using tcpwrappers, you can drop a connection before even the server
identification string is sent, while a Match block is applied after the
transport layer is established.

You don't have to restart sshd every time you want to change conditions in
tcpwrappers, while every change in sshd_config has to be confirmed by a restart.

> Removing it reduces the amount of code in the 'hot' pre-authentication
> path in sshd and rids us of a dependency.

I can see only 17 lines of code in sshd.c around if (!hosts_access(&req)).

The tcpwrappers support is already optional so it is not a hard dependency.

Petr Lautrbach
Security Technologies
Red Hat
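
Added example, not part of the original message: a Python check of the behaviour described above, telling apart a listener that closes the connection before any SSH identification string is sent (as a tcpwrappers denial does) from one that sends it first. The names `probe_ssh_banner` and `start_toy_listener` are hypothetical, and the listeners are constructed stand-ins on 127.0.0.1, not sshd.

```python
import socket
import threading

def probe_ssh_banner(host, port, timeout=3.0):
    """Return the server's SSH identification string, or None if the peer
    closed (or timed out) before sending a line that starts with 'SSH-'."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            while len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:          # peer closed the connection
                    break
                buf += chunk
                # RFC 4253 lets a server send other lines before the SSH- line
                done = buf.split(b"\n")[:-1]
                if any(l.startswith(b"SSH-") for l in done):
                    break
    except OSError:                    # refused, reset or timed out
        pass
    for line in buf.split(b"\n"):
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r").decode("ascii", "replace")
    return None

def start_toy_listener(banner):
    """Constructed stand-in for a server (assumption: not sshd). Accepts one
    connection, sends `banner` if given, then closes. banner=None models a
    denial that happens before the identification string is written."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    early = start_toy_listener(None)
    late = start_toy_listener(b"SSH-2.0-toy_listener\r\n")
    print("closed before banner:", probe_ssh_banner("127.0.0.1", early))
    print("banner sent first:  ", probe_ssh_banner("127.0.0.1", late))
```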
