heads up: tcpwrappers support going away

Morham opensshdev at r.paypc.com
Wed Apr 23 19:21:21 EST 2014

On 4/23/2014 1:54 AM, Corinna Vinschen wrote:
> Assuming you're updating your Linux distro.  You've been using tcp_wrappers
> in conjunction with OpenSSH for years.  The distro update comes with
> OpenSSH 6.7, now without tcp_wrappers support.  But the OpenSSH update
> is just one updated package of several hundreds or thousands.  How
> many users will not even get the information that their tcp_wrappers
> installation doesn't work anymore?
> tcp_wrappers might be an old concept, but simply pulling the plug and
> removing the few lines required to support it seems a bit heavy-handed
> considering what effect this may have.

Absolutely.  While I agree with some of the impetus behind the 
abandonment of tcpwrappers, I do think it's time for FOSS projects to 
stop operating as if their projects comprise the Alpha and Omega of 
people's systems.

At the very least, a full cycle of announcing the retirement/obsoletion 
of the feature in question, followed by issuing a "heads up!" to all 
distros to warn them that potentially significant consequences will 
result from people upgrading past a certain version.

While systems that "fail badly", i.e., result in unreachable SSHDs, are 
no doubt quickly noticed and redressed by sysadmins, of more worry are 
those that simply "work as before" but without the limitations defined 
at some point in the nebulous past by sysadmins before them.

I realise that these maintenance tasks are mostly unpaid and thankless, 
and such recommendations are no doubt unwelcome as additional burdens, but 
this *IS* ssh we're talking about.

I don't know about others in the Linux/BSD-server-sphere, but aside from 
only DNS, I cannot think of a single thing I expect to work "perfectly" 
let alone "securely", hundreds of times per day.  To me, it's more 
important than httpd.


More information about the openssh-unix-dev mailing list
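
The case raised in this thread, an sshd upgraded to a build without tcp_wrappers support while hosts.allow/hosts.deny still carry rules for it, can be checked for after an upgrade. The script below is an added example, not part of the original message or of OpenSSH; its function names are hypothetical, and the paths in the usage comment are assumed defaults.

```shell
#!/bin/sh
# Added example (function names are hypothetical).
# Usage, assuming default paths:
#   ldd /usr/sbin/sshd | audit /etc/hosts.allow /etc/hosts.deny

# Print every hosts_access(5) rule in the given files whose daemon list
# names sshd or the ALL wildcard. "ALL EXCEPT ..." is flagged too, so the
# result is a list to review rather than a verdict.
sshd_wrapper_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            { line = buf $0; buf = "" }
            # A trailing backslash continues the rule on the next line.
            line ~ /\\$/ { buf = substr(line, 1, length(line) - 1); next }
            line ~ /^[ \t]*(#|$)/ { next }      # comments and blank lines
            {
                n = index(line, ":")
                if (n == 0) next
                m = split(substr(line, 1, n - 1), d, /[ \t,]+/)
                for (i = 1; i <= m; i++) {
                    sub(/@.*/, "", d[i])        # daemon@host form
                    if (d[i] == "sshd" || d[i] == "ALL") {
                        print file ": " line
                        break
                    }
                }
            }' "$f"
    done
}

# Reads ldd output on stdin; succeeds if the binary links libwrap.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# Reads ldd output for sshd on stdin. Returns 1 when wrapper rules exist
# but the binary cannot enforce them (the silent fail-open case).
audit() {
    rules=$(sshd_wrapper_rules "$@")
    [ -n "$rules" ] || return 0
    links_libwrap && return 0
    printf 'sshd is not linked against libwrap; rules not enforced:\n%s\n' "$rules" >&2
    return 1
}
```

The ldd check says nothing about a statically linked sshd or one started from inetd through tcpd, so treat a clean result on such systems as inconclusive.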