Maybe it's time to get rid of tcpwrappers/tcpd?

[Lennart Poettering]

On Thu, 20.03.14 20:36, Florian Weimer (fw at deneb.enyo.de) wrote:

> > OpenSSH can do this on its own without involving tcpwrap:
> >
> > https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html
> >
> > It sounds like a much better choice to stick to that instead of
> > involving tcpwrap, and we should push our users to understand that...
> 
> The nice thing about tcpwrappers is that it runs extremely early,
> typically before any application code is exposed.  Something in the
> guts of OpenSSH really isn't comparable.  It's not immediately obvious
> how you'd block logins altogether.

Well, the thing though is that the OpenSSH code is not as bad as
tcpwrap. I'd much rather have OpenSSH handle this than tcpwrap...

And if it's not "immediately obvious", then we can certainly fix that
with adding more docs, or explaining this in the release notes?

Lennart

-- 
Lennart Poettering, Red Hat