Fedora tcp_wrappers (missing) support for custom acl scripts, aclexec
Pasi Kärkkäinen
pasik at iki.fi
Fri Jan 9 23:00:54 UTC 2015
On Sat, Jan 10, 2015 at 12:57:22AM +0200, Pasi Kärkkäinen wrote:
> On Fri, Jan 09, 2015 at 11:47:52PM +0100, Michael Stahl wrote:
> > On 09.01.2015 23:16, Pasi Kärkkäinen wrote:
> > > Hello,
> > >
> > > I recently noticed Debian/Ubuntu has had support for "aclexec" in tcp_wrappers via a custom patch since 2006,
> > > so you can do this in /etc/hosts.allow or hosts.deny:
> > >
> > > sshd: ALL: aclexec /usr/local/bin/sshfilter.sh %a
> > >
> > > if sshfilter.sh returns true the access is allowed, if sshfilter.sh returns false the access is denied.
> > > Very handy for integrating DNS RBLs and other IP databases etc.
> > >
> > > What do people feel about that? I'd like to see support for aclexec included in Fedora's tcp_wrappers package.
> >
> > seems a bit pointless to add this now considering this bit from the
> > OpenSSH 6.7 release notes:
> >
> > http://lwn.net/Articles/615173/
> >
> > * sshd(8): Support for tcpwrappers/libwrap has been removed.
> >
>
> Right.. I wasn't aware of that. Why on earth did they remove tcpwrappers support :(
> Do you know what was the reasoning behind that?
>
> Then again tcpwrappers "aclexec" can be used for other services as well, not just openssh..
>
It seems that at least Debian has added tcpwrappers support back to their version of OpenSSH 6.7:
https://launchpad.net/debian/+source/openssh/1:6.7p1-1
"* Restore TCP wrappers support, removed upstream in 6.7. It is true that
dropping this reduces preauth attack surface in sshd. On the other
hand, this support seems to be quite widely used, and abruptly dropping
it (from the perspective of users who don't read openssh-unix-dev) could
easily cause more serious problems in practice. It's not entirely clear
what the right long-term answer for Debian is, but it at least probably
doesn't involve dropping this feature shortly before a freeze."
-- Pasi
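As an added example that is not part of this thread or of any tcp_wrappers package, here is what the aclexec script from the original message could look like: it takes the client address handed over via %a, checks it against a local denylist and an optional DNS blocklist, and exits 0 to allow or 1 to deny. The script path, the denylist contents and the RBL_ZONE variable are assumptions.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/sshfilter.sh for the hosts.allow line
#   sshd: ALL: aclexec /usr/local/bin/sshfilter.sh %a
# tcp_wrappers passes the client address as $1; exit 0 allows, any other status denies.
# Constructed sample denylist (a real deployment would read a file such as /etc/sshfilter.deny).
DENYLIST="203.0.113.0/24
198.51.100.7"
# Optional DNS blocklist zone, e.g. RBL_ZONE=zone.example.net; empty disables the lookup.
RBL_ZONE="${RBL_ZONE:-}"
# Reverse the octets of $1, the label form DNS blocklists expect (198.51.100.7 -> 7.100.51.198).
reverse_ip() {
    printf '%s' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}
# Return 0 if IPv4 address $1 lies in $2, given as a single address or a CIDR prefix (awk only).
in_cidr() {
    awk -v ip="$1" -v cidr="$2" 'BEGIN {
        n = split(cidr, p, "/"); bits = (n == 2) ? p[2] : 32
        split(ip, a, "."); split(p[1], b, ".")
        x = ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        y = ((b[1] * 256 + b[2]) * 256 + b[3]) * 256 + b[4]
        for (i = 0; i < 32 - bits; i++) { x = int(x / 2); y = int(y / 2) }   # drop host bits
        if (x == y) exit 0; exit 1 }'
}
# Return 0 if the blocklist zone answers an A record for the reversed address (listed), 1 otherwise.
rbl_listed() {
    [ -n "$RBL_ZONE" ] || return 1
    command -v dig >/dev/null 2>&1 || return 1
    [ -n "$(dig +short +time=2 +tries=1 "$(reverse_ip "$1").$RBL_ZONE" A 2>/dev/null)" ]
}
# Print "allow" or "deny" for $1 and return 0 or 1 to match; anything unexpected is denied.
check_ip() {
    ip="$1"
    # Only IPv4 dotted quads are handled here; IPv6, names or an empty value are denied, never allowed.
    case "$ip" in ""|*[!0-9.]*) echo deny; return 1 ;; esac
    [ "$(printf '%s' "$ip" | awk -F. '{ print NF }')" = 4 ] || { echo deny; return 1; }
    for entry in $DENYLIST; do
        in_cidr "$ip" "$entry" && { echo deny; return 1; }
    done
    rbl_listed "$ip" && { echo deny; return 1; }
    echo allow; return 0
}
# Run the decision only when invoked with an address, so the functions can also be sourced and tested.
if [ "$#" -ge 1 ]; then
    check_ip "$1" >/dev/null
    exit $?
fi
```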