[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian openssh option review: considering splitting out GSS-API key exchange

On Tue, Apr 02, 2024 at 12:04:26PM +0200, Marco d'Itri wrote:
> On Apr 02, Colin Watson <cjwatson@debian.org> wrote:
> > At the time, denyhosts was popular, but it was removed from Debian
> > several years ago.  I remember that, when I dealt with that on my own
> > systems, fail2ban seemed like the obvious replacement, and my impression
> > is that it's pretty widely used nowadays; it's very pluggable but it
> > normally works by adding firewall rules.  Are there any similar popular
> > systems left that rely on editing /etc/hosts.deny?
> 
> Yes, people. I object to removing TCP wrappers support since the patch 
> is tiny and it supports use cases like DNS-based ACLs which cannot be 
> supported by L3 firewalls.

It's not about the size of the patch.

You could use a drop-in unit to wrap sshd in tcpd, as suggested by the
Fedora wiki page?  This would avoid exposing sshd's process space to
libwrap and all the stuff it links to by default.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
Reply to: