Re-install libwrap in OpenSSH

Stephan von Krawczynski skraw at ithnet.com
Wed May 20 19:48:51 AEST 2015


Hello all,

after a useless discussion on the opensuse ML I had to find out that they
buried the removal news of libwrap last year in some half-sentence. So this is
unfortunately pretty late for the topic. Nevertheless it is pretty obvious
that you did not get any feedback from people using ssh over decades in
server-administration. Let me make a clear point: libwrap removal was a pretty
bad idea. It is a well-used security feature that is _not_ replaceable by your
match-statement. First, libwrap has features that match does not have.
Second, libwrap is easy to use and offers a possibility to make security
adjustments in _one_ file for nearly all services, whereas you propose to edit
proprietary config files of all services with proprietary config statements
for each service. If you have 20 of those you end up editing 20 config files
in 20 different places in the fs with at least 20 different statements. This
is _shit_. I am not against your match statement, leave it as is. But do not
drop libwrap. If you deny libwrap somebody will fork the project for sure.
libwrap has not changed for years because it simply works. And firewall rules
are no replacement for it, because libwrap is not only an ip filter. It seems
you did not know that when you made the wrong decision. Please cc me in case
as I am not reading the list.

-- 
Regards,
Stephan


More information about the openssh-unix-dev mailing list