Re-install libwrap in OpenSSH

Peter Stuge peter at stuge.se
Wed May 20 22:46:57 AEST 2015


Stephan von Krawczynski wrote:
> it is pretty obvious

I guess you're not only not subscribed to the development list, but
you seem to also not have looked at the list archives.

You can only seem like a troll if you act as if you know best but
in fact you are wrong. It's up to you whether you want to risk that
of course, but it's dangerous for your case.


> libwrap removal was a pretty bad idea.

There was discussion. I recommend that you look for it in the
archives, so that you can join the discussion without repeating
what has already been said.


> _not_ replaceable by your match-statement.

This rhetoric makes it sound like it is very important for you to
distance yourself from the OpenSSH developers. That may not be such
a great strategy when you want someone to do something for you.

The rationale is that firewall rules can replace libwrap and that
removing libwrap removes a significant attack surface exposed to the
network.


> make security adjustments in _one_ file for nearly all services
> whereas you propose to edit proprietary config files of all
> services with proprietary config statements for each service.

If you actually care about security then don't you need to hand-craft
those config files regardless of libwrap?

And 20 services on one system? That seems a high number to me.


> If you deny libwrap

That is already the case.

> somebody will fork the project for sure.

Go for it. I think uptake will be limited. I think your best bet will
be for you to contribute modifications to your preferred distribution.


> you made the wrong decision. Please cc me in case as I am not
> reading the list.

If you had been reading the list you would already have known
everything I wrote in this email.


//Peter


More information about the openssh-unix-dev mailing list