VETO! Re: heads up: tcpwrappers support going away

Ben Lindstrom mouring at eviladmin.org
Thu Apr 24 05:31:43 EST 2014


On Apr 23, 2014, at 12:51 PM, Irek Szczesniak <iszczesniak at gmail.com> wrote:

> Can I VETO that change, please?
> 
> tcpwrappers provides a *central* configuration to protect all services
> based on per IP address authentication. This is not perfect but
> greatly reduces the area exposed to possible attacks, long before any
> ssh auth code runs. Removing this functionality creates a lot more
> headaches for security people and mars OpenSSH's otherwise good,
> multilayer security architecture.
> 
> Also, do you think that this change serves the needs of your
> customers? The first thing I can imagine is that *every* Linux distro
> on this planet just patches tcpwrappers support back into the code.

Let them.  Each distro has their pet patches that OpenSSH has rejected.  Personally, I'm glad to see us finally doing away with tcpwrapper.  It is a dark part of our history that should be scorched from the planet so we can get people to start doing stuff the right way.

- Ben


More information about the openssh-unix-dev mailing list