Bringing back tcp wrappers

Damien Miller djm at mindrot.org
Thu Jun 24 13:07:29 AEST 2021


On Wed, 23 Jun 2021, Saint Michael wrote:

> The point is: this decision should not have been taken. In any case, it
> should have been converted to an option, maybe an option in
> /etc/ssh/sshd_config.
> Can we fix it?

No - we have no intention of bringing libwrap back. It's a horrible
interface that makes a lot of assumptions about the caller (e.g. it
uses longjmp(3) internally). It shambled out of the 1990s - a time when
hosts and applications lacked similar controls of their own.

It has been comprehensively superseded by better controls both inside
sshd (e.g. the match directive in sshd_config) and included in modern
operating systems (e.g. built-in packet filtering, libpam).

If you really really want libwrap, then you can still get it by
running sshd under a supporting inetd or wrapper program. Alternately,
I think there's a PAM module that implements it.

-d
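The Match directive named in the reply can express the usual libwrap allow-list for sshd. The following is an added example, not part of the original message and not OpenSSH code: a hypothetical helper (the function names and the sample entries are constructed) that translates the IPv4 client entries of a hosts.allow file into a `Match Address` block, assuming hosts.deny was a blanket deny.

```python
import ipaddress

# Constructed sample input; documentation address ranges only.
SAMPLE_HOSTS_ALLOW = """\
# constructed sample
sshd: 192.0.2. 198.51.100.7
sshd, in.telnetd: 203.0.113.0/255.255.255.128, .example.org
in.ftpd: 10.
"""

def allowed_networks(hosts_allow, daemon="sshd"):
    """Return (networks, skipped) for the IPv4 client entries granted to `daemon`."""
    nets, skipped = [], []
    for line in hosts_allow.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "[" in line or " EXCEPT " in f" {line} ":
            skipped.append(line)      # IPv6 and EXCEPT are out of scope: review by hand
            continue
        fields = line.split(":")
        daemons = fields[0].replace(",", " ").split()
        if len(fields) < 2 or not {daemon, "ALL"} & set(daemons):
            continue
        for pat in fields[1].replace(",", " ").split():
            cidr = pat
            if pat.endswith("."):     # "192.0.2." is a dotted address prefix
                octets = pat.rstrip(".").split(".")
                cidr = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
            try:
                nets.append(ipaddress.IPv4Network(cidr))
            except ValueError:
                skipped.append(pat)   # hostnames, wildcards (ALL, LOCAL), bad masks
    return nets, skipped

def match_block(nets):
    """Render a Match block that refuses every user connecting from outside `nets`."""
    if not nets:
        raise ValueError("no networks translated; refusing to emit a deny-all block")
    negated = ",".join(f"!{n}" for n in nets)
    return f"Match Address *,{negated}\n    DenyUsers *\n"

if __name__ == "__main__":
    networks, skipped = allowed_networks(SAMPLE_HOSTS_ALLOW)
    print(match_block(networks), end="")
    print("# not translated:", skipped)
```

A Match block runs to the next Match line or the end of the file, so the output belongs at the end of sshd_config and should be checked with `sshd -t`. Unlike the libwrap check, this refuses the client at user authentication rather than at connection time; refusing the TCP connection itself is the packet filter's job.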


More information about the openssh-unix-dev mailing list