heads up: tcpwrappers support going away

Damien Miller djm at mindrot.org
Thu Apr 24 10:07:13 EST 2014

On Thu, 24 Apr 2014, Damien Miller wrote:

> On Wed, 23 Apr 2014, Damien Miller wrote:
> > A simple way out of this would be adding "Match exec" support to sshd_config
> > like ssh_config got in the last couple of releases. Anyone want to do this?
> like this:
> Index: servconf.c

and applied using:

Match exec "/path/to/wrapssh '%h' '%a' '%l' '%A'"
	MaxAuthTries 0

with a helper as simple as: (btw, I'd accept a fleshed-out version of this
for contrib/ if anyone wants to do the work)

#include <syslog.h>
#include <tcpd.h>

main(int argc, char **argv)
	struct request_info req;

	openlog("sshd-tcpwrap", LOG_NDELAY|LOG_PERROR|LOG_PID, LOG_AUTH);
	/* Client host, client address, server host, server address */
	if (argc != 5) {
		syslog(LOG_ERR, "expected 4 arguments, got %d", argc - 1);
		return 2;
	    RQ_DAEMON, "sshd",
	    RQ_CLIENT_NAME, argv[1],
	    RQ_CLIENT_ADDR, argv[2],
	    RQ_SERVER_NAME, argv[3],
	    RQ_SERVER_ADDR, argv[4],
	if (!hosts_access(&req)) {
		syslog(LOG_ERR, "tcpwrappers refused connection");
		return 1;
	return 0;

More information about the openssh-unix-dev mailing list