VETO! Re: heads up: tcpwrappers support going away
lionelcons1972 at gmail.com
Sun Apr 27 02:18:37 EST 2014
On 26 April 2014 18:14, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Sat, Apr 26, 2014 at 11:57 AM, Nicolai
> <nicolai-openssh at chocolatine.org> wrote:
>> On Fri, Apr 25, 2014 at 08:35:08PM -0500, Karl O. Pinc wrote:
>>> I bet sshd could be run from a tcpwrapper enabled inetd
>>> using 'sshd -D'.
>> Good point. I use -ieDf for ssh over CurveCP and it works like a charm
>> even on old hardware. So really, the desired functionality will still
>> be in OpenSSH, and there will still be at least two distinct ways of
>> getting it (instead of three). It's sensible to remove duplicate
>> functionality in OpenSSH, particularly where it's better placed
>> So people can look at -i and -D flags. They work!
> Isn't it significantly more efficient to allow sshd to do its own
> forks, rather than doing 'ssd -D' and having one new daemon running
> for every connection? I'm not personally convinced it's "better placed
> elsewhere". If tcp_wrappers is yanked out, perhaps a friendly note in
> the documentation explaining just this suggestion would help replace
Sure. The documentation will be a fully-blown CERN Security
announcement that openssh dropped a vital security feature.
We've just drafted one and will submit it once the matching openssh
release will hit the release download area.
More information about the openssh-unix-dev