Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-07 Thread Marco d'Itri
On Apr 07, Bernd Zeimetz wrote: > There are more than enough ways to keep the entries based on dns > records in your l3 firewalls up to date, I can't see how this should > warrant to keep yet another patch Jan^WMarco. Not for the form *.domain.tld. -- ciao, Marco

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-07 Thread Bernd Zeimetz
On Tue, 2024-04-02 at 12:04 +0200, Marco d'Itri wrote: > On Apr 02, Colin Watson wrote: > > > At the time, denyhosts was popular, but it was removed from Debian > > several years ago.  I remember that, when I dealt with that on my > > own > > systems, fail2ban seemed like the obvious

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-04 Thread Colin Watson
On Thu, Apr 04, 2024 at 06:42:08PM -0300, Henrique de Moraes Holschuh wrote: > If libwrap is bringing in complex libs, maybe we could reduce the > attack surface on libwrap itself? It would be nice to have a variant > that only links to the libc and that's it... Yeah, that's

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-04 Thread Henrique de Moraes Holschuh
On Tue, Apr 2, 2024, at 07:04, Marco d'Itri wrote: > On Apr 02, Colin Watson wrote: > >> At the time, denyhosts was popular, but it was removed from Debian >> several years ago. I remember that, when I dealt with that on my own >> systems, fail2ban seemed like the obvious replacement, and my

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-03 Thread Colin Watson
On Wed, Apr 03, 2024 at 04:01:34PM -0400, Michael Stone wrote: > To speed things up for those who really want it, perhaps make > openssh-client/server dependency-only packages on > openssh-client/server-nogss? People can choose the less-compatible version > for this release if they want to, and

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-03 Thread Michael Stone
On Tue, Apr 02, 2024 at 01:30:10AM +0100, Colin Watson wrote: * add dependency-only packages called something like openssh-client-gsskex and openssh-server-gsskex, depending on their non-gsskex alternatives * add NEWS.Debian entry saying that people need to install these packages

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-03 Thread Colin Watson
On Wed, Apr 03, 2024 at 04:38:19PM +0200, Marc Haber wrote: > On Wed, 03 Apr 2024 14:10:37 +0100, "Jonathan Dowland" > wrote: > >For you and fellow greybeards, perhaps: I'd be surprised if many people > >younger than us have even heard of tcp wrappers. I don't think the > >muscle memory of a

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-02 Thread RL
Colin Watson writes: > GSS-API key exchange > > However, OpenSSH upstream has long rejected it > All the same, I'm aware that some people now depend on having this > facility in Debian's main openssh package > How does this rough plan sound? > > * for Debian trixie

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-02 Thread Colin Watson
On Tue, Apr 02, 2024 at 12:04:26PM +0200, Marco d'Itri wrote: > Yes, people. I object to removing TCP wrappers support since the patch > is tiny and it supports use cases like DNS-based ACLs which cannot be > supported by L3 firewalls. I suspect OpenSSH upstream would also want me to point out

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-02 Thread Marco d'Itri
On Apr 02, Colin Watson wrote: > You could use a drop-in unit to wrap sshd in tcpd, as suggested by the > Fedora wiki page? This would avoid exposing sshd's process space to > libwrap and all the stuff it links to by default. This would require switching to socket activation of sshd, which is
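
The tcpd wrapping Colin Watson suggests above, together with the switch to socket activation that Marco d'Itri notes it requires, and the `.domain.tld` style ACL that the L3-firewall discussion earlier in the thread cannot express, as an added worked example; this is not code from the thread or from the Debian openssh package. It assumes Debian's `ssh.socket` / `ssh@.service` unit names and the `$SSHD_OPTS` variable from `/etc/default/ssh`, that the `tcpd` package provides `/usr/sbin/tcpd` and `tcpdmatch`, and the domain name and address range in the ACL are constructed placeholders.

```shell
#!/bin/sh
# Added example: run a socket-activated sshd behind tcpd so that
# /etc/hosts.allow can carry DNS-suffix ACLs without sshd itself
# linking libwrap. Unit names and paths are Debian's (assumed).
set -eu

# Write the systemd drop-in and the tcp_wrappers ACL files under $1
# (default "/"). A staging root lets the result be reviewed first.
install_sshd_tcpd_wrapper() {
    root="${1:-/}"
    dropin_dir="$root/etc/systemd/system/ssh@.service.d"
    mkdir -p "$dropin_dir" "$root/etc"

    # tcpd learns the real daemon from its own argv[0] (the inetd
    # convention), so systemd's "@" prefix is used to set argv[0] to
    # /usr/sbin/sshd; "-" stops a tcpd refusal counting as a unit failure.
    cat > "$dropin_dir/tcpd.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-@/usr/sbin/tcpd /usr/sbin/sshd -i $SSHD_OPTS
EOF

    # Default deny, then allow by DNS suffix and by address prefix.
    # A leading dot matches every hostname ending in that suffix
    # (constructed names). tcpd only honours a reverse-DNS name whose
    # forward lookup returns the connecting address; a mismatch is
    # treated as PARANOID and the connection is refused.
    cat > "$root/etc/hosts.allow" <<'EOF'
sshd: .corp.example.com 192.0.2.0/24
EOF
    cat > "$root/etc/hosts.deny" <<'EOF'
sshd: ALL
EOF
}

# Move the live system from the listening daemon to per-connection
# socket activation; kept separate because it only makes sense on "/".
activate_sshd_socket() {
    systemctl daemon-reload
    systemctl disable --now ssh.service
    systemctl enable --now ssh.socket
}

# Show the decision tcpd would make for a client before going live,
# e.g.: check_client host.corp.example.com
check_client() {
    tcpdmatch sshd "$1"
}
```

With `Accept=yes` on `ssh.socket`, every connection gets its own `tcpd` process, which consults the ACL and only then execs `sshd -i`; sshd never loads libwrap, and a refused client is logged by tcpd rather than by sshd. The cost Marco points at is real: the pre-forked listener is gone, so connection handling moves to systemd, and anything that relied on `ssh.service` (restart hooks, `MaxStartups` behaviour) has to be re-checked. The suffix match depends on the client's reverse DNS agreeing with forward DNS, so an attacker would need control of both the in-addr zone for their address and the forward zone under `corp.example.com`.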

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-02 Thread Colin Watson
On Tue, Apr 02, 2024 at 12:04:26PM +0200, Marco d'Itri wrote: > On Apr 02, Colin Watson wrote: > > At the time, denyhosts was popular, but it was removed from Debian > > several years ago. I remember that, when I dealt with that on my own > > systems, fail2ban seemed like the obvious

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-02 Thread Christian Göttsche
On Tue, 2 Apr 2024 at 02:30, Colin Watson wrote: > > [I've CCed openssh-unix-dev for awareness, but set Mail-Followup-To to > just debian-devel and debian-ssh to avoid potentially spamming them with > a long discussion. If you choose to override this then that's your > call, but please be

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-02 Thread Marco d'Itri
On Apr 02, Colin Watson wrote: > At the time, denyhosts was popular, but it was removed from Debian > several years ago. I remember that, when I dealt with that on my own > systems, fail2ban seemed like the obvious replacement, and my impression > is that it's pretty widely used nowadays; it's

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-02 Thread Colin Watson
On Tue, Apr 02, 2024 at 03:27:30AM +0200, Christoph Anton Mitterer wrote: > Do you think it will be possible to have still only one `ssh`, `scp`, > etc. command and that will just use extra GSSAPI stuff if installed and > needed by a certain connection? It would be technically possible to retain

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-01 Thread Howard Chu
Damien Miller wrote: > Another thing we're considering in OpenSSH is changing how we integrate > with PAM. PAM's API demands loading modules into the authenticating > process' address space, but obviously we've just been reminded that this > is risky. This was a long-standing problem with

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-01 Thread Sirius
In days of yore (Tue, 02 Apr 2024), Colin Watson thus quoth: > TCP wrappers > Not used hosts.{allow,deny} for the last 17 years (since I started my current employment) so I am biased. Honest opinion is that firewall and fail2ban have pretty much obsoleted TCP wrappers. > SELinux >

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-01 Thread Russ Allbery
Christoph Anton Mitterer writes: > Actually I think that most sites where I "need"/use GSSAPI... only > require the ticket for AFS, and do actually allow pubkey auth (but > right now, one doesn't have AFS access then). In past discussions of this patch, this has not been the case. One of the

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-01 Thread Christoph Anton Mitterer
Hey. On Tue, 2024-04-02 at 01:30 +0100, Colin Watson wrote: > All the same, I'm aware that some people now depend on having this > facility in Debian's main openssh package: I get enough occasional > bug > reports to convince me that it's still in use. Being one of those people, and having even

Re: Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-01 Thread Damien Miller
On Tue, 2 Apr 2024, Colin Watson wrote: [I'm not subscribed to the debian-* lists, please Cc me in replies if you want me to see them] > [I've CCed openssh-unix-dev for awareness, but set Mail-Followup-To to > just debian-devel and debian-ssh to avoid potentially spamming them > with a long

Debian openssh option review: considering splitting out GSS-API key exchange

2024-04-01 Thread Colin Watson
[I've CCed openssh-unix-dev for awareness, but set Mail-Followup-To to just debian-devel and debian-ssh to avoid potentially spamming them with a long discussion. If you choose to override this then that's your call, but please be mindful of upstream's time.] Following the xz-utils backdoor, I'm