On Wed, Jan 12, 2005 at 10:42:10PM -1000, Dwight Victor wrote:
> Hmmm. If the wrapper is first to receive data, and finds
> that the attempt should be denied, wouldn't it drop the
> connection? Why would it pass the buffered information to
> the SSH daemon? How can you implement a buffer overflow on
> a dropped connection? I think the wrapper should work in a
> similar manner to iptables and drop all subsequent data after
> determining that the attempt is denied.
If you run lsof or netstat on your system, you should see that sshd, and not tcpd, is listening on tcp/22. Tcpd is not invoked, and does not shield sshd from attacks.

-Vince
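As an added example (not part of the thread above), here is a small POSIX shell helper for the check Vince describes: feed it the output of `netstat -tlnp` (Linux) and it reports which program owns the listening socket on a given TCP port, so you can confirm that sshd itself, and not tcpd, holds tcp/22. The function names, and the sample netstat output embedded for offline use, are constructed for this example; on a live host pipe real `netstat -tlnp` output into `listener_on_port` instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Given `netstat -tlnp`
# output, report which program holds the LISTEN socket on a port.
# Live usage (Linux):   netstat -tlnp 2>/dev/null | listener_on_port 22

# listener_on_port PORT -- reads netstat -tlnp lines on stdin and prints
# the "PID/Program name" field of the LISTEN socket bound to PORT.
listener_on_port() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local Address is column 4, e.g. 0.0.0.0:22 or :::22;
            # the port is whatever follows the last colon.
            n = split($4, a, ":")
            if (a[n] == port) { print $7; exit }
        }'
}

# Constructed sample resembling `netstat -tlnp` on a host where sshd
# itself is bound to tcp/22 (IPv4 and IPv6). There is no tcpd listener.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1024/master
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# owner_of_port PORT -- runs the check against the constructed sample and
# prints just the program name (PID stripped), or "none" if nothing listens.
owner_of_port() {
    prog=$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_on_port "$1" | sed 's|^[0-9]*/||')
    [ -n "$prog" ] && printf '%s\n' "$prog" || printf 'none\n'
}

# Stand-alone demonstration against the sample:
# printf 'tcp/22 is held by: %s\n' "$(owner_of_port 22)"
```

If the program reported for tcp/22 is sshd, the daemon accepts connections directly and any tcpd rules in inetd.conf never see that traffic; only access controls sshd itself applies (or a packet filter in front of it) are in the path.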