tcpwrappers & SSH
xfb52 at dial.pipex.com
Wed Oct 25 13:13:28 UTC 2006
òÉÈÁÄ çÁÄÖÉÅ× wrote:
>A comment in /etc/hosts.allow states that:
>Wrapping sshd(8) is not normally a good idea
>Why? Is it because such restrictions should naturally be made using a firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have been built with libwrap support in the first place. Or?
I can't answer the question as such, but on a low-ssh-usage box I do use
/etc/hosts.allow for sshd and it works just fine(**). The original
author unfortunately left out the half of the statement that explained
their reasoning. Perhaps it's just to do with trying to maintain
large(*) lists of hosts, which IIRC, hosts.allow is not overly efficient
(*) large probably means hundreds. IIRC the relevant library will just
scan down the list of hosts/addresses and compare each, rather than
trying anything clever with a db file or whatever.
(**) And I block access in the firewall. Security in depth - if I
bugger up one level, the other level still holds.
More information about the freebsd-questions