heads up: tcpwrappers support going away

Iain Morgan imorgan at nas.nasa.gov
Thu Apr 24 05:26:58 EST 2014


On Wed, Apr 23, 2014 at 21:39:27 +1000, Damien Miller wrote:
> On Wed, 23 Apr 2014, Alex Bligh wrote:
> 
> > On 22 Apr 2014, at 23:31, James Cloos wrote:
> > 
> > >>>>>> "DM" == Damien Miller <djm at mindrot.org> writes:
> > > 
> > > DM> This is an early warning: OpenSSH will drop tcpwrappers in the next
> > > DM> release.
> > > 
> > > This will need a wider announcement.  Most auto-block solutions I've
> > > looked at add entries to hosts.allow.
> > 
> > +1. Denyhosts suddenly stopping working is not a great plan.
> > 
> > Personally I don't want an automated script futzing with iptables,
> 
> as opposed to letting one futz with something that can execute shell
> commands?
> 
> A simple way out of this would be adding "Match exec" support to sshd_config
> like ssh_config got in the last couple of releases. Anyone want to do this?
> 
> -d

This wouldn't be a drop-in solution, but pam_access might be an option
for platforms that support PAM. The syntax is similar, but not
equivalent to libwrap. Admittedly, this has the disadvantage that a
rejection would occur later in the connection process, so it might not
be suitable in all cases.

A slightly better solution would be a PAM module that uses the same
syntax as libwrap. Possibly someone has already written such a module.

-- 
Iain Morgan
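
An added illustration of the "similar, but not equivalent" syntax point in the message above (not part of the original thread and not OpenSSH or PAM project code): a Python sketch that translates simple libwrap deny entries into pam_access `access.conf` rules and sets aside the entries that have no direct counterpart. The function name, the constructed sample entries and the assumption that only sshd's PAM stack reads the resulting access file are hypothetical.

```python
import re

# Constructed sample in hosts.deny syntax: daemon_list : client_list [: option]
SAMPLE_HOSTS_DENY = """\
sshd: 192.0.2.10
sshd: 198.51.100.
ALL: .example.net
sshd, vsftpd: 203.0.113.0/255.255.255.0
sshd: 192.0.2.99 : spawn /bin/echo %a
sshd: UNKNOWN
vsftpd: 192.0.2.50
"""

# Client patterns that pam_access origins also accept: host, .domain,
# address, "n.n.n." network prefix, net/mask, ALL, LOCAL.
PORTABLE = re.compile(r"\.?[A-Za-z0-9][A-Za-z0-9.-]*(/[0-9.]+)?")
# libwrap keywords this sketch does not translate.
LIBWRAP_ONLY = {"KNOWN", "UNKNOWN", "PARANOID", "EXCEPT"}


def to_access_conf(hosts_deny_text, daemon="sshd"):
    """Translate hosts.deny entries for `daemon` into pam_access deny rules.

    Returns (rules, manual): access.conf lines, and source lines that need a
    human because they use syntax this sketch does not translate.
    Assumes the rules go in an access file that only sshd's PAM stack reads.
    """
    rules, manual = [], []
    for raw in hosts_deny_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = re.split(r"[\s,]+", fields[0])
        if daemon not in daemons and "ALL" not in daemons:
            continue  # entry is for another service
        # A third field (spawn/twist option) or an IPv6 literal splits into
        # more than two fields; both are left for manual review.
        clients = re.split(r"[\s,]+", fields[1]) if len(fields) == 2 else []
        if (not clients or LIBWRAP_ONLY & set(daemons + clients)
                or not all(PORTABLE.fullmatch(c) for c in clients)):
            manual.append(line)
            continue
        rules.append("- : ALL : " + " ".join(clients))
    return rules, manual


if __name__ == "__main__":
    converted, review = to_access_conf(SAMPLE_HOSTS_DENY)
    print("\n".join(converted))
    print("# needs manual review:", review)
```

As the message notes, rules applied through PAM take effect later in the connection than a libwrap check did, so a translated rule rejects the client at the account stage rather than at connect time.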


More information about the openssh-unix-dev mailing list