On Sep 15, 2015, at 12:50 PM, Alex Wilson <[email protected]> wrote:
> Plus you'll get support for the smartlogin plugin back, as well as any new
> OpenSSH features you want to use. :)

Speaking of which, a heads-up to people who might be using tcpwrappers (as I have been literally forever) - OpenSSH got rid of support for them about a year ago in 6.7.

https://lwn.net/Articles/615173/
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html

While inconvenient, I agree with the rationale of having less code (particularly a codebase which dates to the distant past, notwithstanding the author's undeniable talents) in the pre-execution codepath. They recommend using the "Match" keyword in sshd_config to implement application-layer pickiness about who it talks to. [*]

Since we're on the subject of refinements to ssh, it would sure be nice (once the patches are brought forward to 7.x) if the hpn-ssh ( http://www.psc.edu/index.php/hpn-ssh ) patches were applied to the default sshd/ssh here. Among other things the hpn patches bring better performance over long fat pipes, multi-core crypto and the ability to turn off crypto post-authentication when copying around non-sensitive stuff (use with care). The FreeBSD folks (who seem to be still using OpenSSH 6.6 for whatever that's worth) decided that applying the hpn-ssh patches by default was a good idea starting in FreeBSD 9.0.

-r

[*] My quick and dirty "Match" implementation when I discovered this was:

Match Address 192.0.2.0/24
    MaxAuthTries 6
Match Address 198.51.100.38
    MaxAuthTries 6
Match Address 0.0.0.0/0
    MaxAuthTries 0
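
Added example, not part of the original message: a Python sketch that models how the [*] Match blocks above resolve MaxAuthTries for a given client address, assuming sshd's documented rule that the first satisfied Match block setting a keyword wins. The parser covers only `Match Address` with plain addresses or CIDR ranges; the function names and the test addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the three Match blocks from the post, as sshd_config text.
SAMPLE_CONFIG = """\
Match Address 192.0.2.0/24
    MaxAuthTries 6
Match Address 198.51.100.38
    MaxAuthTries 6
Match Address 0.0.0.0/0
    MaxAuthTries 0
"""

GLOBAL_DEFAULTS = {"maxauthtries": "6"}  # sshd's documented default for MaxAuthTries


def parse_match_blocks(text):
    """Return [(networks, {keyword: value})], one entry per 'Match Address' block.

    Simplified subset (assumption): only the Address criterion, given as
    comma-separated addresses or CIDR ranges; no negation, no wildcards.
    """
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0].lower() == "match":
            if len(words) != 3 or words[1].lower() != "address":
                raise ValueError(f"unsupported Match line: {line!r}")
            nets = [ipaddress.ip_network(p, strict=False) for p in words[2].split(",")]
            blocks.append((nets, {}))
        elif blocks:
            # Keywords after a Match line belong to that block; keep the first value.
            blocks[-1][1].setdefault(words[0].lower(), " ".join(words[1:]))
    return blocks


def effective_setting(blocks, client_addr, keyword):
    """First satisfied Match block that sets the keyword wins, else the global value."""
    addr = ipaddress.ip_address(client_addr)
    key = keyword.lower()
    for nets, settings in blocks:
        # An address of the other family is never inside a network, so no match.
        if key in settings and any(addr in net for net in nets):
            return settings[key]
    return GLOBAL_DEFAULTS.get(key)
```

In this model an IPv6 client such as 2001:db8::1 matches none of the IPv4 patterns, including 0.0.0.0/0, and so falls through to the global default.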
