Call for testing: OpenSSH 6.7

Kevin Brott kevin.brott at gmail.com
Tue Aug 19 13:04:04 EST 2014


Going to throw in my $.02 here (late) but I really think this is a bad
move.  AIX doesn't natively do tcp wrappers (yes there is a *shudder* rpm
for it), but I literally just today stopped a minor syslog DoS caused by
some "monitoring" software slamming at my sshd process every second and
causing auth.log to grow like nobody's business, making it unparseable and
full of useless noise.

How did I stop it quickly? Created a /etc/hosts.deny file and threw this
into it ... knowing that sshd would process it and silently drop the
connections:
sshd : ip.add.re.ss : severity debug : deny

Yes, I could have run genfilt, if the server had ipsec4 filtering already
configured and running (it didn't).  But I could write out a one-line file,
bounce sshd, and voila!  Silent droppage of unwanted connections (except
into the separate debug log I was using for evidence).

I know it's a moot point at this juncture, but I disagree with the decision.



On Mon, Aug 18, 2014 at 5:11 PM, Iain Morgan <imorgan at nas.nasa.gov> wrote:

> On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release
> > containing a number of features, a lot of internal refactoring and some
> > potentially-incompatible changes.
> >
>
> The 20140819 snapshot successfully builds and passes the tests on RHEL
> 6.5/x86_64 w/OpenSSL 1.0.1i.
>
> Regarding the removal of TCP wrapper support, it would be good to remove
> references to it in the contrib/*/openssh.spec files:
>
> % egrep -i 'netkit|wrapper|tcpd' */openssh.spec
> caldera/openssh.spec:            --with-tcp-wrappers \
> redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
> redhat/openssh.spec:    --with-tcp-wrappers \
> suse/openssh.spec:#   TCP Wrappers (tcpd-devel),
> suse/openssh.spec:BuildPrereq:  tcpd-devel
> suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers support
> suse/openssh.spec:              --with-tcp-wrappers \
>
> There are also references to tcpd or libwrap in INSTALL and
> contrib/cygwin/README that should probably be removed or revised.
>
> --
> Iain Morgan



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */
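
Added example, not part of the original message: with TCP wrapper support removed in 6.7, a hosts.deny rule like the one above no longer applies to sshd after the upgrade. This sketch lists the rules whose daemon list names sshd or ALL so they can be reviewed and moved to a packet filter first; the function name and the default file paths are assumptions.

```sh
#!/bin/sh
# List TCP wrapper rules that apply to sshd, for review before upgrading
# to an sshd built without libwrap. EXCEPT clauses are not evaluated:
# every rule naming sshd or ALL in its daemon list is printed as-is.
sshd_wrapper_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            # Join backslash-continued lines into one logical rule.
            { line = line $0 }
            /\\$/ { sub(/\\$/, "", line); next }
            {
                rule = line; line = ""
                sub(/^[ \t]+/, "", rule)
                if (rule == "" || rule ~ /^#/) next
                # The daemon list is everything before the first colon.
                n = index(rule, ":")
                if (n == 0) next
                cnt = split(substr(rule, 1, n - 1), d, /[ \t,]+/)
                for (i = 1; i <= cnt; i++) {
                    name = d[i]
                    sub(/@.*/, "", name)    # daemon@host form
                    if (name == "sshd" || name == "ALL") {
                        print file ": " rule
                        break
                    }
                }
            }' "$f"
    done
    return 0
}

# Usual wrapper files; unreadable or missing files are skipped.
sshd_wrapper_rules /etc/hosts.allow /etc/hosts.deny
```
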

