Re: Debian openssh option review: considering splitting out GSS-API key exchange
On Tue, 2 Apr 2024 01:30:10 +0100, Colin Watson <cjwatson@debian.org>
wrote:
>We carry a patch to restore support for TCP wrappers, which was dropped
>in OpenSSH 6.7 (October 2014); see
>https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
>and thread. That wasn't long before the Debian 8 (jessie) freeze, and
>so I patched it back in "temporarily", but then I dropped the ball on
>organizing a proper transition.
Please don't drop the mechanism that saved my¹ unstable installations
from being vulnerable to the current xz-based attack. Just having to
dump an ALL: ALL into /etc/hosts.deny is vastly easier than having to
maintain a packet filter.
Greetings
Marc
¹ and probably thousands others
--
----------------------------------------------------------------------------
Marc Haber | " Questions are the | Mailadresse im Header
Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402
Reply to: