tcpwrappers & SSH

Eric Schuele e.schuele at
Wed Oct 25 19:35:41 UTC 2006

On 10/25/2006 14:13, Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 13:58:27 -0500 Eric Schuele 
> <e.schuele at> wrote:
>> Viewed from a slightly different angle...
>> If you are responsible for maintaining machine xyz, and you have used
>> tcpwrappers... chances are you'll eventually need access to that machine
>> from a location you did not previously expect.  Maybe your sitting in the
>> airport and get a call that the machine is malfunctioning.  Maybe you are
>> on call at a social gathering.  In any case, you'll need access and if it
>> is using tcpwrappers, you may not gain access.
> This is *definitely* something that you need to think through.  I have 
> two machines at work that are always on, so I can always ssh to them 
> first, then to the server and edit the /etc/hosts.allow file to give 
> myself temporary access, if needed.  In general, I prefer to go through 
> those hosts, rather than open another avenue that I may later forget to 
> remove. Since everything I do on those servers (almost) is through ssh, 
> it's not a problem for me to need an extra "hop" before I get to the box.

I'm confused.  I was agreeing with you.  I was simply adding another 
reason as to why the author of the "Wrapping sshd(8) is not normally a 
good idea" comment might have made the comment.

Are you saying that my comment above is incorrect? Or that there is a 
suitable workaround for the problem in my example scenario?

I also agree that using a jump box to gain access to the machine in 
question would work.

I think I've somehow missed your point.  Please explain.

> Paul Schmehl (pauls at
> Senior Information Security Analyst
> The University of Texas at Dallas


More information about the freebsd-questions mailing list