tcpwrappers & SSH
Alex Zbyslaw
xfb52 at dial.pipex.com
Wed Oct 25 13:13:28 UTC 2006
Рихад Гаджиев wrote:
>A comment in /etc/hosts.allow states that:
>Wrapping sshd(8) is not normally a good idea
>
>Why? Is it because such restrictions should naturally be made using a firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have been built with libwrap support in the first place. Or?
>
>
I can't answer the question as such, but on a low-ssh-usage box I do use
/etc/hosts.allow for sshd and it works just fine(**). The original
author unfortunately left out the half of the statement that explained
their reasoning. Perhaps it's just to do with trying to maintain
large(*) lists of hosts, which IIRC, hosts.allow is not overly efficient
for.
--Alex
(*) large probably means hundreds. IIRC the relevant library will just
scan down the list of hosts/addresses and compare each, rather than
trying anything clever with a db file or whatever.
(**) And I block access in the firewall. Security in depth - if I
bugger up one level, the other level still holds.
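As an added illustration for the two footnotes above (not code from this thread, and not FreeBSD's libwrap), the following Python models how hosts_access walks /etc/hosts.allow for sshd: rules are scanned top to bottom, the first match wins, and a client that matches nothing falls through to the default. It assumes only the subset of hosts_access(5) syntax shown (daemon : client : allow|deny; client patterns ALL, a dotted IPv4 address, or net/mask), leaves out hostnames and wildcards, and treats "no rule matched" as allow, which is libwrap's behaviour when hosts.allow is the only file in use. The sample rule file and addresses are constructed (RFC 5737 documentation ranges).

```python
"""Model of how libwrap walks /etc/hosts.allow for a daemon such as sshd.

Added illustration for this thread; not code from the post, nor from
FreeBSD's libwrap/hosts_access(3). Assumptions: only the subset of
hosts_access(5) syntax used below is modelled (daemon_list : client_list :
allow|deny); client patterns are ALL, a dotted IPv4 address, or net/mask
(dotted netmask or CIDR prefix); hostnames and wildcards are left out;
a connection that matches no rule is allowed, as libwrap does when
hosts.allow is the only file in use.
"""
from dataclasses import dataclass
from typing import List, Tuple
import ipaddress


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    action: str  # "allow" or "deny"


def parse_hosts_allow(text: str) -> List[Rule]:
    """Parse the daemon : client : action form; blank and '#' lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError(f"unsupported rule (need daemon : client : allow|deny): {raw!r}")
        rules.append(Rule(fields[0].split(), fields[1].split(), fields[2].lower()))
    return rules


def client_matches(pattern: str, addr: str) -> bool:
    """ALL, an exact IPv4 address, or net/mask (dotted mask or prefix length)."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        # ip_network accepts both 192.0.2.0/255.255.255.0 and 192.0.2.0/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def evaluate(rules: List[Rule], daemon: str, addr: str) -> Tuple[str, int]:
    """Scan rules top to bottom; the first matching rule decides.

    Returns (action, rules_examined). The second value is the cost Alex
    describes: every lookup walks the list until something matches, so a
    deny at the bottom of a long allow list costs one comparison per rule.
    """
    examined = 0
    for rule in rules:
        examined += 1
        if daemon not in rule.daemons and "ALL" not in rule.daemons:
            continue
        if any(client_matches(p, addr) for p in rule.clients):
            return rule.action, examined
    return "allow", examined  # libwrap's default when nothing matched


# Constructed sample hosts.allow; addresses are RFC 5737 documentation ranges.
SAMPLE_HOSTS_ALLOW = """
# loopback may reach every wrapped daemon
ALL  : 127.0.0.1 : allow
# office LAN
sshd : 192.0.2.0/255.255.255.0 : allow
# one admin workstation
sshd : 198.51.100.7 : allow
# everyone else
sshd : ALL : deny
"""


def examined_for_stranger(n_allowed_hosts: int) -> int:
    """Rules a rejected sshd client walks past when n hosts are individually allowed."""
    lines = [f"sshd : 10.{i // 256}.{i % 256}.1 : allow" for i in range(n_allowed_hosts)]
    lines.append("sshd : ALL : deny")
    rules = parse_hosts_allow("\n".join(lines))
    return evaluate(rules, "sshd", "203.0.113.9")[1]


if __name__ == "__main__":
    rules = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    for who in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print("sshd from", who, "->", evaluate(rules, "sshd", who))
    print("rules walked by a stranger with 500 allowed hosts:",
          examined_for_stranger(500))
```

The last line of output shows the footnote's point: with 500 individually listed hosts, every connection from an address that is not listed walks all 501 rules before the final deny fires. On a real FreeBSD host the live rules can be exercised the same way with tcpdmatch(8), for example `tcpdmatch sshd 203.0.113.9`, which reports the rule that would decide the connection.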