On Sep 16, 2015, at 11:40 PM, Alex Wilson <[email protected]> wrote:
> Robert Seastrom <[email protected]> wrote:
>
>> My $0.02 - I consider this a wobbler. If it weren't for the relatively
>> short notice that we're getting rid of it, I wouldn't particularly support
>> putting it back in, but the OpenSSH guys have good reasons for getting rid
>> of it.
>>
>> Given that the consequences could be fairly severe if people are counting
>> on hosts.allow/deny to save them from "the Internet", if you put it back
>> as a migration strategy it might be worthwhile for sshd to complain on
>> interactive logins, system logs, and anywhere else that it might be
>> noticed if it finds non-default hosts.allow and hosts.deny files. You’ve
>> been able to implement the functionality via "Match" for literally
>> years…
>
> Unfortunately the libwrap API doesn’t seem to provide a decent way to detect
> this.

Fair enough, but it's simple enough to iterate over the appropriate files (if they exist) looking for lines that begin with [Ss][Ss][Hh][Dd]: and squawk if any are found. I encourage this sort of behavior as an advance warning for a while if un-revert-patching it is in the offing.

> For now I’ve just put in a revert patch that adds the support for
> tcpwrappers back in as it was in older versions (no deprecation warning).
> It’s a pretty short patch anyway, so carrying it around for an extended
> period doesn’t seem like a huge technical risk. It should be in the release
> that gets cut tomorrow.

That sounds reasonable. Thanks!

-r

-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
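The file scan suggested in the reply above, as an added example that is not part of the original thread and is not OpenSSH or SmartOS code. It goes beyond the literal `[Ss][Ss][Hh][Dd]:` prefix match to cover hosts_access(5) daemon lists, the `ALL` wildcard, a single `EXCEPT`, and backslash continuations; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: report tcp_wrappers rules that apply to sshd.
# Prints "file:line: rule" per hit; returns 0 if any rule was found, else 1.
find_sshd_rules() {
    status=1
    for f in "$@"; do
        [ -r "$f" ] || continue        # skip files that do not exist
        awk '
        {
            line = $0
            if (!cont) { start = FNR; rule = "" }
            # A trailing backslash continues the rule on the next line.
            cont = (line ~ /\\$/)
            if (cont) { sub(/\\$/, "", line); rule = rule line; next }
            rule = rule line
            sub(/^[ \t]+/, "", rule)
            if (rule == "" || rule ~ /^#/) next
            n = index(rule, ":")
            if (n == 0) next
            # Daemon list: names split on blanks or commas, case-insensitive.
            cnt = split(tolower(substr(rule, 1, n - 1)), d, /[ \t,]+/)
            hit = 0; excluded = 0; past_except = 0
            for (i = 1; i <= cnt; i++) {
                name = d[i]; sub(/@.*/, "", name)    # daemon@host form
                if (name == "except") { past_except = 1; continue }
                if (name == "sshd" || name == "all") {
                    if (past_except) excluded = 1; else hit = 1
                }
            }
            if (hit && !excluded) {
                printf "%s:%d: %s\n", FILENAME, start, rule
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
        ' "$f" && status=0
    done
    return "$status"
}

# Demo on constructed sample rules written to a temporary file.
demo_sshd_rules() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'SSHD, in.ftpd : 192.0.2.0/255.255.255.0 \' \
        '   EXCEPT 192.0.2.7' 'ALL EXCEPT sshd: .example.net' 'in.telnetd: ALL' \
        'ALL: ALL' > "$tmp"
    find_sshd_rules "$tmp" /nonexistent/hosts.deny | sed "s|^$tmp|hosts.allow|"
    rm -f "$tmp"
}
demo_sshd_rules
```

On a real host the call would be `find_sshd_rules /etc/hosts.allow /etc/hosts.deny`, with any output routed to wherever the warning is likely to be noticed.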
