Рихад Гаджиев wrote:

A comment in /etc/hosts.allow states that:
Wrapping sshd(8) is not normally a good idea

Why? Is it because such restrictions should naturally be made using a 
firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have been 
built with libwrap support in the first place. Or?

I can't answer the question as such, but on a low-ssh-usage box I do use /etc/hosts.allow for sshd and it works just fine(**). The original author unfortunately left out the half of the statement that explained their reasoning. Perhaps it's just to do with trying to maintain large(*) lists of hosts, which, IIRC, hosts.allow is not overly efficient for.


(*) large probably means hundreds. IIRC the relevant library will just scan down the list of hosts/addresses and compare each, rather than trying anything clever with a db file or whatever.

(**) And I block access in the firewall. Security in depth - if I bugger up one level, the other level still holds.
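To make the "(*)" remark concrete, here is a small model of the linear first-match scan that hosts_access(5) performs. It is an added example written for this page, not code from the post or from FreeBSD's libwrap, and it covers only the subset a typical sshd rule set uses: ALL, bare IPv4 addresses, net/mask patterns and EXCEPT, with the hosts_options(5) allow/deny keywords deciding the verdict. The sample rule set and its networks are constructed placeholders; reverse-DNS matching, PARANOID, %-expansions and spawn/twist are not modelled.

```python
"""Toy model of the hosts.allow(5) first-match scan.

Added example, not code from the post or from FreeBSD's libwrap. Only the
ALL / a.b.c.d / net/mask / EXCEPT subset is handled; verdicts come from the
hosts_options(5) 'allow' and 'deny' keywords on each rule.
"""
import ipaddress

# Constructed sample /etc/hosts.allow; the networks are placeholders.
SAMPLE_HOSTS_ALLOW = """\
# Admin LAN may reach sshd; the rest of 10/8 may too, except the guest net.
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : 10.0.0.0/255.0.0.0 EXCEPT 10.0.5.0/255.255.255.0 : allow
sshd : ALL : deny
# Everything else that is wrapped is denied.
ALL : ALL : deny
"""


def _client_matches(pattern, addr):
    """Match one client pattern (ALL, a.b.c.d, or net/mask) against an address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # ipaddress accepts a dotted netmask after the slash.
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == ipaddress.ip_address(pattern)


def _daemon_matches(pattern, daemon):
    """Match one daemon pattern (ALL or a process name)."""
    return pattern == "ALL" or pattern == daemon


def _list_matches(field, value, match_one):
    """A hosts_access list: 'a b EXCEPT c d' means (a or b) and not (c or d)."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(" ".join(tokens[:i]), value, match_one)
                and not _list_matches(" ".join(tokens[i + 1:]), value, match_one))
    return any(match_one(tok, value) for tok in tokens)


def parse_rules(text):
    """Return [(daemon_list, client_list, option)] from hosts.allow text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3:
            raise ValueError(f"rule needs daemon : client : option, got {line!r}")
        rules.append((parts[0], parts[1], parts[2].lower()))
    return rules


def hosts_access(rules, daemon, client_ip):
    """Linear scan; the first rule matching both daemon and client decides.

    Returns (verdict, rules_examined). The second value is the cost of the
    scan, which grows with the length of the list: the point of the (*) note.
    """
    addr = ipaddress.ip_address(client_ip)
    for examined, (daemons, clients, option) in enumerate(rules, 1):
        if (_list_matches(daemons, daemon, _daemon_matches)
                and _list_matches(clients, addr, _client_matches)):
            return option, examined
    # No rule matched in either file: libwrap's default is to allow.
    return "allow", len(rules)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    for ip in ("192.0.2.10", "10.1.2.3", "10.0.5.7", "203.0.113.4"):
        print(ip, hosts_access(rules, "sshd", ip))
```

On a real box, tcpdmatch(8) (for example `tcpdmatch sshd 10.0.5.7`) reports libwrap's own verdict for the installed hosts.allow and hosts.deny, which is the check to run before trusting a model like this one.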

freebsd-questions@freebsd.org mailing list