Re-install libwrap in OpenSSH

Darren Tucker dtucker at
Thu May 21 09:28:05 AEST 2015

On Thu, May 21, 2015 at 1:05 AM, Michael Stone <mstone at> wrote:

> On Wed, May 20, 2015 at 03:58:22PM +0200, Stephan von Krawczynski wrote:
>> Show me this as an example of your firewall skills and replace this
>> hosts.allow entry:
>> sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected me | /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW
>> This is only example code, of course.
> It's an example of something really horrible. It might have seemed like a
> good idea in the 90s, but in a modern system that sort of alerting should
> be integrated into log monitoring (and should be much more comprehensive
> than a couple of services linked against wrappers).

Note that you can still do that by starting sshd under tcpd+inetd,
something like:

ssh stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sshd -i

or the equivalent in your inetd-alike.  For SSHv2 connections it should be
about the same speed (it'll be slower for Protocol 1 connections because
each connection will need to generate a new ephemeral host key, but that's
probably a plus from a security standpoint).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list
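
The log-monitoring approach mentioned in the quoted reply, as an added example that is not part of the original thread or of OpenSSH: it parses sshd authentication lines from syslog and builds the same kind of notification the hosts.allow `spawn` entry mails out, plus a summary of repeated failures per source address. The sample log lines are constructed, the `fail_threshold` parameter and function names are hypothetical, and it assumes the standard "Accepted/Failed ... for USER from ADDR port N" messages that sshd logs; unlike the wrapper rule, it reports authentication results rather than raw connections.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format sshd writes (not real data).
SAMPLE_LOG = """\
May 21 09:28:05 gw sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
May 21 09:28:09 gw sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
May 21 09:28:11 gw sshd[1209]: Failed password for root from 203.0.113.5 port 40031 ssh2
May 21 09:28:12 gw cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
May 21 09:28:14 gw sshd[1211]: Failed password for root from 203.0.113.5 port 40044 ssh2
May 21 09:30:40 gw sshd[1250]: Accepted password for bob from 198.51.100.7 port 60111 ssh2
"""

# Timestamp, host, result, auth method, user (with optional "invalid user"), source address.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)

def parse_events(text):
    """Return one dict per sshd authentication line; all other lines are skipped."""
    return [m.groupdict() for m in map(SSHD_AUTH.match, text.splitlines()) if m]

def build_alerts(events, fail_threshold=3):
    """One alert per accepted login, plus one per source reaching the failure threshold."""
    alerts = []
    for e in events:
        if e["result"] == "Accepted":
            alerts.append(
                f'{e["user"]}@{e["host"]} from [{e["addr"]}] at {e["ts"]} ({e["method"]})'
            )
    failures = Counter(e["addr"] for e in events if e["result"] == "Failed")
    for addr, count in sorted(failures.items()):
        if count >= fail_threshold:
            alerts.append(f"{count} failed logins from [{addr}]")
    return alerts

if __name__ == "__main__":
    # In production the text would come from the auth log and the alerts would be mailed.
    for line in build_alerts(parse_events(SAMPLE_LOG)):
        print(line)
```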