On Sep 15, 2015, at 4:29 PM, Alex Wilson <[email protected]> wrote:

>> Robert Seastrom <[email protected]> wrote:
>> 
>> Speaking of which, a heads-up to people who might be using tcpwrappers (as
>> I have been literally forever) - OpenSSH got rid of support for them about
>> a year ago in 6.7.
> 
> Right. One of the things I haven't copied from the Oracle work was putting
> tcpwrappers back in. I am still considering whether it might be worth
> bringing this back for us for a little while to give people time to transition.
> The release is Thursday, so there's some time to discuss this still.

My $0.02 - I consider this a wobbler.  If it weren't for the relatively short 
notice that we're getting rid of it, I wouldn't particularly support putting it 
back in, but the OpenSSH guys have good reasons for getting rid of it.

Given that the consequences could be fairly severe if people are counting on 
hosts.allow/deny to save them from "the Internet", if you put it back as a 
migration strategy it might be worthwhile for sshd to complain on interactive 
logins, system logs, and anywhere else that it might be noticed if it finds 
non-default hosts.allow and hosts.deny files.  You've been able to implement 
the functionality via "Match" for literally years...

>> Since we're on the subject of refinements to ssh, it would sure be nice
>> (once the patches are brought forward to 7.x) if the hpn-ssh patches were
>> applied to the default sshd/ssh here.
> 
> The NetBSD guys have already ported the HPN patch set forwards onto 7.1,
> which I did have a trial run with and it seems like they apply and work.
> They have made merge mistakes in the past though when forward-porting the
> HPN set, and I haven't yet had time to sit down and audit the diff carefully
> enough to be satisfied with it.
> 
> I'd consider bringing this in later, perhaps plus/minus consideration for
> the fact that it introduces new configuration options. If we add it we will
> need to retain config compatibility for those options for a very long time
> (especially if they appear in the default config, eg HpnDisabled), which is
> worth careful thought.

That is splendid news.  I do understand the default config problem though.  
Once you're committed, you're committed.  Having sshd go into maintenance mode 
could be awfully inconvenient.

I trust we'll be seeing these changes in SmartMachine images in the not too 
distant future?

Thanks,

-r


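For anyone doing the hosts.allow/hosts.deny to Match migration discussed above, here is a small script that does the two things the mail asks for: complain while the wrapper files still carry sshd rules, and emit the equivalent sshd_config Match block. This is an added example, not code from the thread or from the SmartOS/illumos-joyent sshd, and it assumes things the mail does not state: the classic "sshd: client, client" wrapper syntax, IPv4 clients written as addresses, CIDR blocks or tcpwrappers' trailing-dot prefixes ("10."), "DenyUsers *" as the refusal mechanism inside the Match block, and the documented pattern semantics from sshd_config(5)/ssh_config(5) PATTERNS, where a negated entry that matches makes the whole list not match. The addresses in the demo are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SmartOS sshd port.
# Replaces tcpwrappers rules for sshd with an sshd_config Match block and
# warns while hosts.allow/hosts.deny still carry sshd rules.
# Assumptions (not stated in the thread): wrapper files use the classic
# "sshd: client, client, ..." syntax; clients are IPv4 addresses, CIDR
# blocks, or trailing-dot prefixes ("10."). Hostnames, netgroups and
# net/mask pairs are flagged for manual handling instead of converted.

# The "complain if non-default hosts.allow/hosts.deny" check from the
# mail: print the non-comment lines that apply to sshd (or ALL).
# Returns 0 if any were found, 1 otherwise.
sshd_wrapper_rules() {
    [ -r "$1" ] || return 1
    grep -Ei '^[[:space:]]*(sshd|ALL)[[:space:]]*:' "$1"
}

# Map one tcpwrappers client pattern to something "Match Address" accepts.
wrap_client_to_cidr() {
    case $1 in
        */*.*.*.*)  return 1 ;;                   # net/mask form: convert by hand
        */*)        printf '%s\n' "$1" ;;         # CIDR passes through
        *.*.*.*.)   return 1 ;;                   # malformed
        *.*.*.)     printf '%s0/24\n' "$1" ;;     # "192.0.2." -> 192.0.2.0/24
        *.*.)       printf '%s0.0/16\n' "$1" ;;   # "172.16."  -> 172.16.0.0/16
        *.)         printf '%s0.0.0/8\n' "$1" ;;  # "10."      -> 10.0.0.0/8
        [0-9]*.[0-9]*.[0-9]*.[0-9]*)
                    printf '%s\n' "$1" ;;         # single IPv4 address
        *)          return 1 ;;                   # hostname, netgroup, ALL, ...
    esac
}

# Emit the sshd_config fragment equivalent to
#     hosts.allow:  sshd: <list>
#     hosts.deny:   sshd: ALL
# "*" matches every address; a negated entry (!net) that matches makes the
# whole list not match, whatever its position, so the block applies to
# every client NOT in the allow-list and refuses all users there.
match_block_for_allowlist() {
    addrs='*'
    for client in "$@"; do
        if cidr=$(wrap_client_to_cidr "$client"); then
            addrs="$addrs,!$cidr"
        else
            echo "cannot convert '$client'; use Match Host or a firewall rule" >&2
        fi
    done
    printf 'Match Address %s\n' "$addrs"
    printf '    DenyUsers *\n'
}

# Optional live check: syntax-test the fragment and show what a client at
# ADDR gets. Needs sshd and readable host keys (run as root or point
# HostKey at a test key); silently skipped when sshd is not installed.
check_with_sshd() {
    cfg=$1 addr=$2
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$cfg" || return 1
    sshd -T -f "$cfg" -C "user=admin,host=client.example,addr=$addr" | grep -i '^denyusers'
}

# Constructed demo input (documentation addresses, not real hosts).
demo() {
    dir=$(mktemp -d)
    printf 'sshd: 192.0.2.0/24, 10., 203.0.113.7\n' > "$dir/hosts.allow"
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
    for f in hosts.allow hosts.deny; do
        if sshd_wrapper_rules "$dir/$f" >/dev/null; then
            echo "WARNING: $f still has sshd rules that the new sshd ignores" >&2
        fi
    done
    # Take the client list from the sshd line of hosts.allow.
    clients=$(sshd_wrapper_rules "$dir/hosts.allow" | sed 's/^[^:]*://; s/,/ /g')
    match_block_for_allowlist $clients | tee "$dir/sshd_config.match"
    check_with_sshd "$dir/sshd_config.match" 198.51.100.5
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "demo finished with an error (no sshd host keys?)" >&2
```

One caveat worth keeping in mind when you pick this over the old wrappers: the Match block only refuses authentication, so the TCP connection, banner exchange and key exchange still happen with clients you wanted to keep out, and the pre-auth sshd code stays exposed to them. If the point of hosts.deny was to keep "the Internet" away from sshd altogether, that job belongs to ipf or another packet filter, with Match as the second layer.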