From owner-freebsd-questions@FreeBSD.ORG Wed Oct 25 19:35:40 2006
From: Eric Schuele <e.schuele@computer.org>
To: Paul Schmehl
Cc: freebsd-questions@freebsd.org
Subject: Re: tcpwrappers & SSH
Date: Wed, 25 Oct 2006 14:35:29 -0500
Message-ID: <453FBC81.7000903@computer.org>
In-Reply-To: <12CC13AA49D069C7FAD7B7B2@utd59514.utdallas.edu>
References: <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu> <453FB3D3.4030308@computer.org> <12CC13AA49D069C7FAD7B7B2@utd59514.utdallas.edu>
User-Agent: Thunderbird 1.5.0.7 (X11/20061020)
List-Id: User questions

On 10/25/2006 14:13, Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 13:58:27 -0500 Eric Schuele wrote:
>>
>> Viewed from a slightly different angle...
>>
>> If you are responsible for maintaining machine xyz, and you have used
>> tcpwrappers... chances are you'll eventually need access to that machine
>> from a location you did not previously expect. Maybe you're sitting in the
>> airport and get a call that the machine is malfunctioning. Maybe you are
>> on call at a social gathering. In any case, you'll need access and if it
>> is using tcpwrappers, you may not gain access.
>>
> This is *definitely* something that you need to think through. I have
> two machines at work that are always on, so I can always ssh to them
> first, then to the server and edit the /etc/hosts.allow file to give
> myself temporary access, if needed. In general, I prefer to go through
> those hosts, rather than open another avenue that I may later forget to
> remove. Since everything I do on those servers (almost) is through ssh,
> it's not a problem for me to need an extra "hop" before I get to the box.

I'm confused. I was agreeing with you. I was simply adding another reason
as to why the author of the "Wrapping sshd(8) is not normally a good idea"
comment might have made the comment.

Are you saying that my comment above is incorrect? Or that there is a
suitable workaround for the problem in my example scenario? I also agree
that using a jump box to gain access to the machine in question would work.

I think I've somehow missed your point. Please explain.

>
> Paul Schmehl (pauls@utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/

--
Regards,
Eric
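The workaround Paul describes above (ssh to an always-on jump host, then edit /etc/hosts.allow on the server to grant yourself temporary access) and the risk he names (a hole you later forget to close) can both be handled with a small script. The following is an added example and is not code from the list thread or from FreeBSD; it assumes the hosts.allow path comes from $HOSTS_ALLOW (default /etc/hosts.allow), uses the documentation addresses 192.0.2.10 and 192.0.2.11 as the two jump hosts, expects the catch-all rule to be written exactly "sshd : ALL : deny", and its is_allowed() check emulates first-match evaluation for plain IPv4 addresses only (no hostnames, netmasks or wildcards).

```shell
#!/bin/sh
# Added example (not from the list thread). Temporary sshd "allow" entries in a
# tcpwrappers hosts.allow file: each grant is marked and timestamped so it can be
# revoked by hand or expired from cron instead of being forgotten.
#
# Assumptions (mine, not from the mail): $HOSTS_ALLOW defaults to /etc/hosts.allow;
# 192.0.2.10 and 192.0.2.11 are the jump hosts (documentation addresses); the final
# rule is exactly "sshd : ALL : deny"; is_allowed() handles plain IPv4 only.

HOSTS_ALLOW="${HOSTS_ALLOW:-/etc/hosts.allow}"
MARK="# TEMP-SSH-ALLOW"

# Baseline policy. hosts_access(5) stops at the first matching rule, so the
# allow for the jump hosts must come before the catch-all deny.
write_baseline() {
    cat > "$HOSTS_ALLOW" <<'EOF'
# Only the two always-on jump hosts may reach sshd; everything else is refused.
sshd : 192.0.2.10 192.0.2.11 : allow
sshd : ALL : deny
EOF
}

# Rewrite $HOSTS_ALLOW through an awk program and swap it in with rename(2).
# Truncating the live file in place would leave a window with no rules at all,
# and tcpwrappers grants access when nothing matches, so never do that.
rewrite() {
    tmp="$HOSTS_ALLOW.tmp.$$"
    cp -p "$HOSTS_ALLOW" "$tmp" || return 1          # keep owner/mode of the original
    if awk "$@" "$HOSTS_ALLOW" > "$tmp"; then
        mv "$tmp" "$HOSTS_ALLOW"
    else
        rm -f "$tmp"; return 1
    fi
}

# allow_temp CLIENT: insert a marker line (client + epoch timestamp) and an allow
# rule directly above the catch-all deny so the grant wins first-match.
allow_temp() {
    rewrite -v mark="$MARK $1 $(date +%s)" -v rule="sshd : $1 : allow" '
        /^sshd[ \t]*:[ \t]*ALL[ \t]*:[ \t]*deny/ && !done { print mark; print rule; done = 1 }
        { print }
        END { if (!done) { print mark; print rule } }'   # no deny line: append
}

# revoke_temp CLIENT: remove the marker line for CLIENT and the rule after it.
revoke_temp() {
    rewrite -v mark="$MARK $1 " '
        index($0, mark) == 1 { skip = 1; next }
        skip                 { skip = 0; next }
        { print }'
}

# expire_temps MAX_AGE_SECONDS: drop every temporary grant older than MAX_AGE.
# Meant for cron, so a grant cannot outlive the emergency that justified it.
expire_temps() {
    rewrite -v mark="$MARK " -v now="$(date +%s)" -v maxage="$1" '
        index($0, mark) == 1 { split($0, f, " "); if (now - f[4] >= maxage) { skip = 1; next } }
        skip                 { skip = 0; next }
        { print }'
}

# is_allowed CLIENT: emulate first-match evaluation of the sshd rules for a plain
# IPv4 address. Returns 0 (allowed) or 1 (denied).
is_allowed() {
    verdict=$(awk -v client="$1" '
        NF == 0 || substr($1, 1, 1) == "#" { next }          # blank or comment
        {
            if (split($0, f, ":") < 3) next                   # daemon : clients : action
            for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
            if (f[1] != "sshd" && f[1] != "ALL") next
            n = split(f[2], hosts, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (hosts[i] == client || hosts[i] == "ALL") { print f[3]; exit }
        }' "$HOSTS_ALLOW")
    # No matching rule anywhere means tcpwrappers lets the connection through;
    # the baseline's "sshd : ALL : deny" is what makes the policy fail closed.
    [ "${verdict:-allow}" = allow ]
}

# Command-line front end; with no arguments the script only defines functions.
case "${1:-}" in
    baseline) write_baseline ;;
    allow)    allow_temp "$2" ;;
    revoke)   revoke_temp "$2" ;;
    expire)   expire_temps "$2" ;;
    check)    if is_allowed "$2"; then echo allow; else echo deny; fi ;;
esac
```

Typical use from the jump host: "ssh server 'sh tmpallow.sh allow 198.51.100.7'" before heading to the airport, and a cron entry running "sh tmpallow.sh expire 7200" every few minutes so the grant disappears on its own. Two caveats a practitioner should check before relying on any of this: sshd must actually be linked against libwrap for hosts.allow to matter at all (upstream OpenSSH dropped tcpwrappers support in 6.7, so run "ldd $(which sshd) | grep libwrap" on the box), and the script only manages hosts.allow; rules in /etc/hosts.deny, if that file is used, are evaluated after it.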