List: debian-devel
Subject: Re: Debian openssh option review: considering splitting out GSS-API key exchange
From: "Henrique de Moraes Holschuh" <hmh () debian ! org>
Date: 2024-04-04 21:42:08
Message-ID: 6e7e7787-f3f2-4d22-b4a3-c5bb86df5bb6 () app ! fastmail ! com
On Tue, Apr 2, 2024, at 07:04, Marco d'Itri wrote:
> On Apr 02, Colin Watson <cjwatson@debian.org> wrote:
>
> > At the time, denyhosts was popular, but it was removed from Debian
> > several years ago. I remember that, when I dealt with that on my own
> > systems, fail2ban seemed like the obvious replacement, and my impression
> > is that it's pretty widely used nowadays; it's very pluggable but it
> > normally works by adding firewall rules. Are there any similar popular
> > systems left that rely on editing /etc/hosts.deny?
> Yes, people. I object to removing TCP wrappers support since the patch
> is tiny and it supports use cases like DNS-based ACLs which cannot be
> supported by L3 firewalls.
If libwrap is bringing in complex libs, maybe we could reduce the attack surface on libwrap itself? It would be nice to have a variant that only links to the libc and that's it...
And that benefits everything that links to TCP wrappers...
I also like to have the (old-school) standard extra layer of protection that libwrap can provide. I'd like to find a way to keep it useful for sshd.
--
Henrique de Moraes Holschuh <hmh@debian.org>
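The thread refers to DNS-based ACLs in /etc/hosts.allow and /etc/hosts.deny. The following is an added illustration, not code from libwrap or from anyone in the thread: a deliberately simplified Python model of the hosts_access(5) decision order (allow file first, then deny file, default allow) covering the domain-suffix, address-prefix, CIDR and EXCEPT patterns. It assumes the hostname passed in is the result of a reverse lookup already done by the caller, and the sample rules are constructed.

```python
"""Simplified model of tcp_wrappers hosts_access(5) matching (constructed
example, not libwrap code). Only a subset of the pattern language is modelled."""
import ipaddress


def _client_matches(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against the reverse-resolved hostname and address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # ".corp.example": hostname suffix, a DNS-based ACL
        return host != "" and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):  # "192.168.1.": dotted address prefix
        return addr.startswith(pattern)
    if "/" in pattern:  # "10.0.0.0/16" or "10.0.0.0/255.255.0.0"
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern.lower() == host.lower() or pattern == addr


def _list_matches(client_list: str, host: str, addr: str) -> bool:
    """Comma/space-separated client list with an optional 'EXCEPT' sub-list."""
    if " EXCEPT " in client_list:
        included, excluded = client_list.split(" EXCEPT ", 1)
        return _list_matches(included, host, addr) and not _list_matches(excluded, host, addr)
    return any(_client_matches(p, host, addr) for p in client_list.replace(",", " ").split())


def _file_matches(text: str, daemon: str, host: str, addr: str) -> bool:
    """True if any 'daemon_list : client_list' line in the file matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        names = daemons.replace(",", " ").split()
        if ("ALL" in names or daemon in names) and _list_matches(clients, host, addr):
            return True
    return False


def hosts_access(allow: str, deny: str, daemon: str, host: str, addr: str) -> bool:
    """hosts.allow is consulted first, then hosts.deny; no match means access."""
    if _file_matches(allow, daemon, host, addr):
        return True
    if _file_matches(deny, daemon, host, addr):
        return False
    return True


# Constructed sample policy: sshd only from the corp domain or one LAN, minus one host.
HOSTS_ALLOW = "sshd: .corp.example, 192.168.1. EXCEPT 192.168.1.200\n"
HOSTS_DENY = "sshd: ALL\n"
```

A client with no resolvable reverse name cannot satisfy the ".corp.example" rule, which is why such a rule has no L3-firewall equivalent.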