Maybe it's time to get rid of tcpwrappers/tcpd?

Florian Weimer fw at deneb.enyo.de
Thu Mar 20 19:36:34 UTC 2014


* Lennart Poettering:

>> From my POV, it is kind of neat that you can grant access to *.enyo.de
>> and deny everything else.
>
> Binding access control to DNS sounds insecure like hell.

Additional restrictions are fine, for this purpose:

>> This is quite helpful against scanners and worms,

(And with DNSSEC, it wouldn't be so insecure anymore, you don't even
need a secured reverse tree before it can be effective.)

> OpenSSH can do this on its own without involving tcpwrap:
>
> https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html
>
> It sounds like a much better choice to stick to that instead of
> involving tcpwrap, and we should push our users to understand that...

The nice thing about tcpwrappers is that it runs extremely early,
typically before any application code is exposed.  Something in the
guts of OpenSSH really isn't comparable.  It's not immediately obvious
how you'd block logins altogether.
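To make the point about the two mechanisms concrete, here is an added illustration (not code from the thread, from libwrap, or from OpenSSH) that models the tcp_wrappers access decision being discussed: hosts.allow is consulted first, then hosts.deny, with access granted if neither matches. It uses the policy from the thread ("grant *.enyo.de to sshd, deny everything else") and constructed DNS records; the forward-confirmation check on the reverse name is a simplification of what libwrap actually does, and the function names are this example's own.

```python
"""Simplified model of tcp_wrappers (libwrap) host access control.

Added example for illustration; this is not libwrap's own code.  It models
the documented evaluation order: hosts.allow is consulted first and a match
grants access, then hosts.deny and a match denies, and no match in either
file means access is granted.  Client patterns modelled: ALL, a leading-dot
domain suffix such as ".enyo.de", a trailing-dot network prefix such as
"192.0.2.", and an exact host name or address.  The DNS data below is
constructed, and the reverse-lookup check is simplified: a name is only
used if its forward lookup confirms the connecting address.
"""

# Constructed DNS data (assumption, not real records):
# address -> PTR name, and name -> set of forward addresses.
REVERSE = {
    "192.0.2.10": "host1.enyo.de",     # genuine host
    "198.51.100.7": "host1.enyo.de",   # PTR under someone else's control, claiming the same name
}
FORWARD = {"host1.enyo.de": {"192.0.2.10"}}


def client_name(addr):
    """Return the forward-confirmed reverse name for addr, or None.

    A PTR record that the forward zone does not confirm is not trusted,
    so the client is treated as having no usable name.
    """
    name = REVERSE.get(addr)
    if name is None or addr not in FORWARD.get(name, set()):
        return None
    return name


def pattern_matches(pattern, name, addr):
    """Match one client pattern against a (possibly unconfirmed) name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):           # domain suffix: needs a confirmed name
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):             # network prefix, e.g. "192.0.2."
        return addr.startswith(pattern)
    return pattern == name or pattern == addr


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed rule: %r" % raw)
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def rules_match(rules, daemon, addr):
    """True if any rule names this daemon (or ALL) and matches the client."""
    name = client_name(addr)
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(pattern_matches(c, name, addr) for c in clients):
                return True
    return False


def access_allowed(daemon, addr, allow_text, deny_text):
    """Apply the allow-then-deny-then-default-allow order of tcp_wrappers."""
    if rules_match(parse_rules(allow_text), daemon, addr):
        return True
    if rules_match(parse_rules(deny_text), daemon, addr):
        return False
    return True


# The policy from the thread: grant *.enyo.de to sshd, deny everything else.
HOSTS_ALLOW = "sshd : .enyo.de\n"
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        verdict = "allow" if access_allowed("sshd", addr, HOSTS_ALLOW, HOSTS_DENY) else "deny"
        print(addr, "->", verdict)
```

The model shows why the DNS binding is only as strong as the name check: the second address carries a PTR record naming host1.enyo.de, but because the forward zone does not confirm it, the ".enyo.de" pattern never matches and the catch-all deny applies. It also shows the ordering that makes the thread's policy work: the deny file's ALL : ALL only takes effect for clients the allow file did not already admit. A decision of this shape is taken before the wrapped daemon sees the connection, which is the property the message above contrasts with checks done inside sshd.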

