Date: Wed, 25 Oct 2006 14:35:29 -0500
From: Eric Schuele <e.schuele@computer.org>
To: Paul Schmehl <pauls@utdallas.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: tcpwrappers & SSH
Message-ID: <453FBC81.7000903@computer.org>
In-Reply-To: <12CC13AA49D069C7FAD7B7B2@utd59514.utdallas.edu>
References: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru> <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu> <453FB3D3.4030308@computer.org> <12CC13AA49D069C7FAD7B7B2@utd59514.utdallas.edu>
On 10/25/2006 14:13, Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 13:58:27 -0500 Eric Schuele
> <e.schuele@computer.org> wrote:
>>
>> Viewed from a slightly different angle...
>>
>> If you are responsible for maintaining machine xyz, and you have used
>> tcpwrappers... chances are you'll eventually need access to that machine
>> from a location you did not previously expect. Maybe you're sitting in the
>> airport and get a call that the machine is malfunctioning. Maybe you are
>> on call at a social gathering. In any case, you'll need access and if it
>> is using tcpwrappers, you may not gain access.
>>
> This is *definitely* something that you need to think through. I have
> two machines at work that are always on, so I can always ssh to them
> first, then to the server and edit the /etc/hosts.allow file to give
> myself temporary access, if needed. In general, I prefer to go through
> those hosts, rather than open another avenue that I may later forget to
> remove. Since everything I do on those servers (almost) is through ssh,
> it's not a problem for me to need an extra "hop" before I get to the box.

I'm confused. I was agreeing with you. I was simply adding another reason as to why the author of the "Wrapping sshd(8) is not normally a good idea" comment might have made the comment.

Are you saying that my comment above is incorrect? Or that there is a suitable workaround for the problem in my example scenario? I also agree that using a jump box to gain access to the machine in question would work.

I think I've somehow missed your point. Please explain.

>
> Paul Schmehl (pauls@utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/

-- 
Regards,
Eric
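The thread turns on two practical points about wrapping sshd with tcpwrappers: a temporary hosts.allow entry has to land where hosts_access(5) will actually hit it (the first matching rule wins, so an entry appended below an `sshd : ALL : deny` line does nothing), and temporary entries are easy to forget. The script below is an added example, not code from either poster or from the FreeBSD project. It takes the hosts.allow path as a parameter so it can be exercised on a copy, inserts the temporary rule at the top of the file, and marks it with a comment line carrying an expiry epoch so a later run (or a cron job) can remove it. The `# TEMP-ALLOW <epoch>` marker is a convention invented for this example; tcpwrappers itself has no expiry mechanism, and `#` only starts a comment at the beginning of a line, which is why the marker sits on its own line rather than after the rule.

```shell
#!/bin/sh
# Temporary tcpwrappers allow rules with an expiry marker.
# Example code; the marker format below is this script's own convention,
# not a hosts_access(5) feature. FILE is normally /etc/hosts.allow.

TAG="# TEMP-ALLOW"

# add_temp_allow FILE DAEMON CLIENT EXPIRY_EPOCH
# Prepends two lines: a marker comment with the expiry, then the rule.
# Prepending matters because hosts_access stops at the first matching rule.
add_temp_allow() {
    file=$1; daemon=$2; client=$3; expires=$4
    tmp="${file}.tmp.$$"
    {
        printf '%s %s\n' "$TAG" "$expires"
        printf '%s : %s : allow\n' "$daemon" "$client"
        cat "$file"
    } > "$tmp" || return 1
    # Copy back over the original so its owner/mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# expire_temp_allow FILE NOW_EPOCH
# Removes every marker line whose expiry <= NOW together with the rule
# line that follows it; everything else is left untouched.
expire_temp_allow() {
    file=$1; now=$2
    tmp="${file}.tmp.$$"
    awk -v now="$now" -v tag="$TAG" '
        skip              { skip = 0; next }
        index($0, tag) == 1 {
            n = split($0, f, " ")
            if (f[n] + 0 <= now + 0) { skip = 1; next }
        }
        { print }
    ' "$file" > "$tmp" || return 1
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# count_temp_allow FILE  -> number of live temporary rules
count_temp_allow() {
    grep -c "^$TAG" "$1" 2>/dev/null || true
}

# Usage, as root, against the real file (commented out for the reader):
#   add_temp_allow /etc/hosts.allow sshd 198.51.100.7 $(( $(date +%s) + 3600 ))
#   expire_temp_allow /etc/hosts.allow "$(date +%s)"   # e.g. from cron
```

The expiry run is idempotent and safe to schedule; the permanent rules (anything without the marker) are never touched, so a forgotten temporary entry of the kind Paul mentions disappears on its own instead of becoming a standing hole.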