heads up: tcpwrappers support going away
Morham
opensshdev at r.paypc.com
Wed Apr 23 19:21:21 EST 2014
On 4/23/2014 1:54 AM, Corinna Vinschen wrote:
> Assuming you're updating your Linux distro. You're using tcp_wrappers
> in conjunction with OpenSSH for years. The distro update comes with
> OpenSSH 6.7, now without tcp_wrappers support. But the OpenSSH update
> is just one updated package of several hundreds or thousands. How
> many users will not even get the information that their tcp_wrappers
> installation doesn't work anymore?
>
> tcp_wrappers might be an old concept, but simply pulling the plug and
> removing the few lines required to support it seems a bit heavy-handed
> considering what effect this may have.
Absolutely. While I agree with some of the impetus behind the
abandonment of tcpwrappers, I do think it's time for FOSS projects to
stop operating as if their projects comprise the Alpha and Omega of
people's systems.

At the very least, a full cycle of announcing the retirement/obsoletion
of the feature in question, followed by issuing a "heads up!" to all
distros to warn them that potentially significant consequences will
result from people upgrading past a certain version.

While systems that "fail badly", i.e., result in unreachable SSHDs are
no doubt quickly noticed and redressed by sysadmins, of more worry are
those that simply "work as before" but without the limitations defined
at some point in the nebulous past by sysadmins before them.

I realise that these maintenance tasks are mostly unpaid and thankless,
and such recommendations are no doubt unwelcome as additional burdens, but
this *IS* ssh we're talking about.

I don't know about others in the Linux/BSD-server-sphere, but aside from
only DNS, I cannot think of a single thing I expect to work "perfectly"
let alone "securely", hundreds of times per day. To me, it's more
important than httpd.
=M=
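
A check for the silent "works as before" case described in the message above, added here as an example and not part of the original post or of OpenSSH: it lists the hosts.allow/hosts.deny rules that name sshd and flags them when the sshd binary is not linked against libwrap. The function names and the /usr/sbin/sshd path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example. File paths are passed in; /etc/hosts.allow and
# /etc/hosts.deny are the conventional tcp_wrappers locations.

# Print every rule in the given hosts_access(5) files whose daemon list
# names sshd or the ALL wildcard. Backslash-continued lines are joined.
sshd_wrapper_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            { line = line $0 }
            /\\$/ { sub(/\\$/, "", line); next }    # rule continues on next line
            {
                rule = line; line = ""
                sub(/^[ \t]+/, "", rule)
                if (rule == "" || rule ~ /^#/) next
                split(rule, parts, ":")
                n = split(parts[1], daemons, /[ \t,]+/)
                for (i = 1; i <= n; i++) {
                    d = daemons[i]
                    sub(/@.*/, "", d)               # daemon@host form
                    if (d == "sshd" || d == "ALL") { print file ": " rule; break }
                }
            }' "$f"
    done
}

# Succeed if the binary is dynamically linked against libwrap.
# A statically linked libwrap would not show up here.
links_libwrap() {
    ldd "$1" 2>/dev/null | grep -q libwrap
}

# Return 1 and list the rules when sshd rules exist but the given sshd
# binary has no libwrap to enforce them; return 0 otherwise.
audit_sshd_wrappers() {
    bin=$1; shift
    rules=$(sshd_wrapper_rules "$@")
    [ -n "$rules" ] || return 0
    links_libwrap "$bin" && return 0
    echo "WARNING: $bin is not linked against libwrap; rules not enforced:"
    echo "$rules"
    return 1
}

# Usage: audit_sshd_wrappers /usr/sbin/sshd /etc/hosts.allow /etc/hosts.deny
```

Run it before and after a package upgrade; a change from exit status 0 to 1 means the existing rules have stopped applying to sshd.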