Date: Wed, 25 Oct 2006 14:13:05 +0100
From: Alex Zbyslaw <xfb52@dial.pipex.com>
To: Рихад Гаджиев <rihad@mail.ru>
Cc: freebsd-questions@freebsd.org
Subject: Re: tcpwrappers & SSH
Message-ID: <453F62E1.5090506@dial.pipex.com>
In-Reply-To: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru>
References: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru>
Рихад Гаджиев wrote:
>A comment in /etc/hosts.allow states that:
>Wrapping sshd(8) is not normally a good idea
>
>Why? Is it because such restrictions should naturally be made using a firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have been built with libwrap support in the first place. Or?
>

I can't answer the question as such, but on a low-ssh-usage box I do use /etc/hosts.allow for sshd and it works just fine(**). The original author unfortunately left out the half of the statement that explained their reasoning. Perhaps it's just to do with trying to maintain large(*) lists of hosts, which, IIRC, hosts.allow is not overly efficient for.

--Alex

(*) large probably means hundreds. IIRC the relevant library will just scan down the list of hosts/addresses and compare each, rather than trying anything clever with a db file or whatever.

(**) And I block access in the firewall. Security in depth - if I bugger up one level, the other level still holds.
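The linear scan Alex describes in footnote (*), as an added example that is not part of this thread and not FreeBSD's libwrap code: a small Python evaluator for a subset of hosts_access(5) syntax (daemon lists; client patterns ALL, exact address, net/netmask, CIDR, bracketed IPv6 and trailing-dot octet prefixes; allow/deny options). It counts how many pattern comparisons each connection check costs, which is the cost that grows with a long list. The rule set, daemon names and client addresses are constructed; the first-match-wins and no-match-means-allow behaviour models what the hosts_access(5) manual documents, and the hostnames, EXCEPT and other option keywords are deliberately left out.

```python
"""Toy evaluator for a subset of tcpwrappers hosts.allow syntax (added example).

Handles: daemon lists, client patterns ALL / exact address / net/netmask /
CIDR / [ipv6]/prefixlen / trailing-dot octet prefix, and allow/deny options.
Hostname patterns, EXCEPT, LOCAL and the remaining option keywords are not
implemented. Rules are scanned top to bottom and the first matching rule
decides, so the cost of each check grows with the length of the list.
"""
import ipaddress

# Constructed sample rule set in the FreeBSD single-file hosts.allow layout.
SAMPLE_RULES = """\
# Admin hosts first, then a catch-all deny for sshd; other daemons stay open.
sshd : 192.0.2.10, 192.0.2.11 : allow
sshd : 198.51.100.0/255.255.255.0 : allow
sshd : 203.0.113. : deny
sshd : [2001:db8::]/32 : allow
sshd : ALL : deny
ALL : ALL : allow
"""


def split_fields(line):
    """Split 'daemons : clients : option' on colons outside [ipv6] brackets."""
    fields, buf, depth = [], [], 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf).strip())
    return fields


def parse_rules(text):
    """Return a list of (daemon_set, client_patterns, action) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = split_fields(line)
        daemons = {d.strip() for d in fields[0].split(",")}
        clients = [c.strip() for c in fields[1].split(",")]
        # Assumption: a bare "daemon : client" line in hosts.allow means allow,
        # mirroring the classic two-file semantics.
        action = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against an ipaddress object."""
    if pattern == "ALL":
        return True
    if pattern.startswith("["):                 # [2001:db8::]/32 or [2001:db8::1]
        net, _, plen = pattern[1:].partition("]")
        return addr in ipaddress.ip_network(net + plen, strict=False)
    if pattern.endswith("."):                   # leading-octet prefix, e.g. 203.0.113.
        return str(addr).startswith(pattern)
    if "/" in pattern:                          # net/netmask or CIDR
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)  # exact address


def hosts_access(rules, daemon, client_ip):
    """Return (decision, comparisons): first matching rule wins; no match = allow."""
    addr = ipaddress.ip_address(client_ip)
    comparisons = 0
    for daemons, clients, action in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for pattern in clients:
            comparisons += 1                    # one test per entry, in order
            if client_matches(pattern, addr):
                return action, comparisons
    return "allow", comparisons                 # hosts_access(5): no rule => granted


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5",
               "2001:db8:1::5", "192.0.2.200"):
        print(ip, hosts_access(rules, "sshd", ip))
```

The comparison counter makes the footnote's point concrete: a client that only matches the final `sshd : ALL : deny` line has been tested against every preceding entry, so a list of hundreds of admin addresses costs hundreds of pattern tests per connection attempt, which is why a firewall rule in front of it is the sensible first layer.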
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?453F62E1.5090506>