Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Sat Feb 15 10:03:32 UTC 2020
On 14 Feb 2020, at 18:18, Ed Maste wrote:
Hi Ed,
> Although the specific deprecation steps aren't yet fleshed out I'm
> sending this as an early notice that I plan to disable libwrap support
> from the base system sshd and that FreeBSD 13 will not support it.
I’ll be sad to run inetd again on systems so that I can run a wrapped
sshd.
Like others I feel that adding firewalls to a machine simply to filter
sshd is not an option and whatever else openssh itself has offered in
the past never sufficed.
I am also worried that the change will make a lot of machines
unprotected upon updating to 13 if there is no big red warning flag
before the install.
I do understand the burden of maintaining a local patch (we lost the HA
patches from base this way already).
Given the port already does maintain the patch I am wondering what
“security guarantees” we provide for the port compared to the base
system (ignoring possible security updates) or why the patch cannot be
included in base? Compared to the HA patch, this one seems to be
sillily small..
/bz
More information about the freebsd-current
mailing list