From owner-freebsd-questions@FreeBSD.ORG Wed Oct 25 19:23:40 2006
Return-Path: 
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6DBD816A416 for ; Wed, 25 Oct 2006 19:23:40 +0000 (UTC) (envelope-from doug@fledge.watson.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id 31B5743D55 for ; Wed, 25 Oct 2006 19:23:38 +0000 (GMT) (envelope-from doug@fledge.watson.org)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.13.8/8.13.8) with ESMTP id k9PJNNP0072584; Wed, 25 Oct 2006 15:23:23 -0400 (EDT) (envelope-from doug@fledge.watson.org)
Received: from localhost (doug@localhost) by fledge.watson.org (8.13.8/8.13.8/Submit) with ESMTP id k9PJNM5H072576; Wed, 25 Oct 2006 20:23:22 +0100 (BST) (envelope-from doug@fledge.watson.org)
Date: Wed, 25 Oct 2006 20:23:22 +0100 (BST)
From: doug
To: Eric Schuele
In-Reply-To: <453FB3D3.4030308@computer.org>
Message-ID: <20061025200830.K91833@fledge.watson.org>
References: <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu> <453FB3D3.4030308@computer.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: rihad@mail.ru, freebsd-questions@freebsd.org
Subject: Re: tcpwrappers & SSH
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: doug@safeport.com
List-Id: User questions
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Wed, 25 Oct 2006 19:23:40 -0000

On Wed, 25 Oct 2006, Eric Schuele wrote:

> On 10/25/06 09:56, Paul Schmehl wrote:
>> --On Wednesday, October 25, 2006 12:08:26 +0400 ????? ???????
>> wrote:
>>
>>> A comment in /etc/hosts.allow states that:
>>> Wrapping sshd(8) is not normally a good idea
>>>
>>> Why?
>>> Is it because such restrictions should naturally be made using a
>>> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
>>> been built with libwrap support in the first place. Or?
>>>
>> Because maintaining the access list can be quite ponderous if you have a
>> lot of users.
>>
>> I maintain a hobby website that only has two shell accounts. I use
>> hosts.allow for ssh because it gets rid of the brute-force crap. But even
>> for two users, the list of hosts/networks that are allowed is 10 or 15.
>> Imagine what it would be if you have a hundred users...or a thousand.
>
> Viewed from a slightly different angle...
>
> If you are responsible for maintaining machine xyz, and you have used
> tcpwrappers... chances are you'll eventually need access to that machine from
> a location you did not previously expect. Maybe you're sitting in the airport
> and get a call that the machine is malfunctioning. Maybe you are on call at
> a social gathering. In any case, you'll need access and if it is using
> tcpwrappers, you may not gain access.
>
> IMHO, other than the problem with needing "emergency" access, I think
> tcpwrappers is a good thing. I use them on my laptop for example. As Paul
> mentions, it gets rid of the constant hammering you would normally be subject
> to, and I can still access it from the office or home.
>

This could be easily done in sshd_config if the order of processing the
AllowUsers and DenyUsers directives was optional. It is not: DenyUsers takes
precedence over AllowUsers. This effectively eliminates denying access using a
pattern. It looks pretty easy to just switch this in the code, but the "right"
way to do it would be to add an apache-like directive order, e.g. "order
deny,allow". Perhaps there is something in the protocols that would disallow
this function.
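An added example, not part of the thread above: a small offline evaluator of hosts_access(5) rule order, so the "allow a few nets, deny everyone else" style of hosts.allow that Paul describes can be checked for exactly the lockout Eric warns about (an admin arriving from an address nobody listed) before it is deployed. The ruleset and the client addresses are constructed; the evaluator covers IPv4 patterns (ALL, CIDR, trailing-dot prefix, exact address), EXCEPT lists and the allow/deny options only.

```python
import ipaddress

# Constructed ruleset in /etc/hosts.allow syntax (daemon list : client list : option).
# Same shape as the setups in the thread: a handful of trusted nets, then deny the rest.
HOSTS_ALLOW = """\
# office and home networks may reach sshd
sshd : 192.0.2.0/24, 198.51.100. : allow
# everything else that asks for sshd is refused
sshd : ALL : deny
# all other wrapped daemons stay open
ALL : ALL : allow
"""

def _client_matches(pattern, ip):
    """Match one client pattern the way hosts_access(5) does for IPv4 addresses."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # dotted prefix, e.g. 198.51.100.
        return str(ip).startswith(pattern)
    if "/" in pattern:                            # CIDR form, e.g. 192.0.2.0/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    return str(ip) == pattern                     # exact address

def _list_matches(spec, value_matches):
    """Evaluate 'a, b EXCEPT c': anything in the left list unless it is also in the right one."""
    head, _, excluded = spec.partition(" EXCEPT ")
    hit = any(value_matches(p) for p in head.split(","))
    return hit and not (excluded and _list_matches(excluded, value_matches))

def hosts_access(rules, daemon, client):
    """Return 'allow' or 'deny' for daemon/client; the first matching rule wins."""
    ip = ipaddress.ip_address(client)
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0], fields[1]
        option = fields[2] if len(fields) > 2 else "allow"
        if (_list_matches(daemons, lambda p: p.strip() in ("ALL", daemon))
                and _list_matches(clients, lambda p: _client_matches(p, ip))):
            return option
    return "allow"   # hosts_access(5): no matching rule at all means access is granted

if __name__ == "__main__":
    # The third address stands in for the unexpected airport hotspot: it is refused.
    for who in ("192.0.2.17", "198.51.100.9", "203.0.113.44"):
        print(who, "->", hosts_access(HOSTS_ALLOW, "sshd", who))
```

Run the evaluator over the ruleset you intend to install and every address you might need to connect from; any "deny" for sshd is an address you will have to add before you are away from the console.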