Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd

From: Michael Butler <imb_at_protected-networks.net>
Date: Sat, 22 Feb 2020 11:21:47 -0500
On 2/21/20 11:49 AM, Ed Maste wrote:
> It seems starting sshd from inetd via tcpd is a reasonable approach
> for folks who want to use it; also, have folks using libwrap looked at
> sshd's Match blocks to see if they provide the desired functionality?

While match blocks can disallow a login from anything other than an
approved source address, they apparently permit the configured number of
failed attempts before throwing the prospective intruder out. With the
wrappers, it's an immediate disconnect.

They also have no mechanism to recognize a DNS mismatch (forward versus
reverse map).

	imb
Received on Sat Feb 22 2020 - 15:21:57 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC