
Re: Debian openssh option review: considering splitting out GSS-API key exchange



On Tue, Apr 2, 2024, at 07:04, Marco d'Itri wrote:
> On Apr 02, Colin Watson <cjwatson@debian.org> wrote:
>
>> At the time, denyhosts was popular, but it was removed from Debian
>> several years ago.  I remember that, when I dealt with that on my own
>> systems, fail2ban seemed like the obvious replacement, and my impression
>> is that it's pretty widely used nowadays; it's very pluggable but it
>> normally works by adding firewall rules.  Are there any similar popular
>> systems left that rely on editing /etc/hosts.deny?
> Yes, people. I object to removing TCP wrappers support since the patch 
> is tiny and it supports use cases like DNS-based ACLs which cannot be 
> supported by L3 firewalls.

If libwrap is bringing in complex libs, maybe we could reduce the attack surface on libwrap itself?  It would be nice to have a variant that only links to the libc and that's it...

And that benefits everything that links to TCP wrappers...

I also like to have the (old-school) standard extra layer of protection that libwrap can provide. I'd like to find a way to keep it useful for sshd.

-- 
  Henrique de Moraes Holschuh <hmh@debian.org>
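The DNS-based ACL that Marco mentions and the "extra layer" Henrique refers to both come down to how libwrap evaluates /etc/hosts.allow and /etc/hosts.deny. The following is an added example, not code from the thread or from the tcp_wrappers project: a small Python model of that evaluation for sshd, with the documented order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted) and the forward-confirmation check that makes a hostname-suffix rule safe to rely on. The REVERSE and FORWARD tables are constructed stand-ins for DNS so the script runs offline; option fields, shell-style wildcards and NIS netgroups are deliberately not modelled.

```python
import ipaddress

# Constructed stand-ins for DNS lookups; no network access is made.
# 198.51.100.7 has a PTR record claiming a name whose forward lookup
# points elsewhere, which is exactly the case a DNS-based ACL must catch.
REVERSE = {
    "192.0.2.10": "jump.example.com",
    "192.0.2.20": "guest.example.com",
    "198.51.100.7": "spoofed.example.com",
}
FORWARD = {
    "jump.example.com": {"192.0.2.10"},
    "guest.example.com": {"192.0.2.20"},
    "spoofed.example.com": {"198.51.100.200"},
}

PARANOID = "PARANOID"


def resolve_client(ip):
    """Hostname for ip when the forward lookup confirms the PTR; the
    PARANOID marker when it does not; None when there is no PTR at all
    (libwrap's UNKNOWN case)."""
    name = REVERSE.get(ip)
    if name is None:
        return None
    return name if ip in FORWARD.get(name, set()) else PARANOID


def _match_one(pattern, ip, host):
    """Match a single client pattern in the forms hosts_access(5) describes."""
    verified = host not in (None, PARANOID)
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return verified
    if pattern == "UNKNOWN":
        return host is None
    if pattern == PARANOID:
        return host == PARANOID
    if pattern.startswith("."):          # domain suffix, e.g. ".example.com"
        return verified and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # leading-octet prefix, e.g. "192.0.2."
        return ip.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. "192.0.2.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or (verified and pattern.lower() == host.lower())


def match_list(client_list, ip, host):
    """client_list is 'pattern ... [EXCEPT pattern ...]', blank or comma separated."""
    include, _, exclude = client_list.partition(" EXCEPT ")
    hit = any(_match_one(p, ip, host) for p in include.replace(",", " ").split())
    return hit and not any(_match_one(p, ip, host) for p in exclude.replace(",", " ").split())


def _rule_matches(line, daemon, ip, host):
    """One 'daemon_list : client_list [: options]' line; comments and
    option fields are ignored in this model."""
    line = line.split("#", 1)[0].strip()
    fields = line.split(":")
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    if "ALL" not in daemons and daemon not in daemons:
        return False
    return match_list(fields[1].strip(), ip, host)


def decide(hosts_allow, hosts_deny, daemon, ip):
    """Return 'allow' or 'deny' for a connection to daemon from ip."""
    host = resolve_client(ip)
    for line in hosts_allow.splitlines():
        if _rule_matches(line, daemon, ip, host):
            return "allow"
    for line in hosts_deny.splitlines():
        if _rule_matches(line, daemon, ip, host):
            return "deny"
    return "allow"


# Constructed policy: only verified hosts under example.com may reach sshd,
# except the guest box; everything else is refused by the deny file.
HOSTS_ALLOW = "sshd: .example.com EXCEPT guest.example.com\n"
HOSTS_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5"):
        print(ip, resolve_client(ip), decide(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
```

The spoofed PTR is refused not because any address is listed, but because the forward lookup fails to confirm the name, so the suffix rule never matches; an address-only filter has no equivalent of that check, which is the use case the thread is discussing.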
