public inbox for cygwin@cygwin.com
* HEADSUP: OpenSSH 6.7 drops tcpwrapper support
@ 2014-08-18 11:53 Corinna Vinschen
  2014-08-19 18:23 ` D. Boland
  2014-08-19 19:05 ` Andrey Repin
  0 siblings, 2 replies; 4+ messages in thread
From: Corinna Vinschen @ 2014-08-18 11:53 UTC (permalink / raw)
  To: cygwin


Hi folks,

Just a HEADSUP to all of you actively using the tcp_wrappers/libwrap
functionality in sshd:

Starting with the next OpenSSH version 6.7, which will be released soon,
upstream removed support for tcp_wrappers/libwrap from the sources.

While that's bad from a compatibility point of view, the upstream
developers are adamant about this change for security reasons.

So, if you configured /etc/hosts.allow and/or /etc/hosts.deny files in
your Cygwin installation to block certain connections to your sshd
service, you will have to find other means to do that ASAP:

- Utilize the sshd_config Match rule.

- Utilize your firewall.


Hope that helps,
Corinna


-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
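
An added example, not part of the original message and not OpenSSH or Cygwin code: translating the common default-deny tcp_wrappers layout for sshd into an sshd_config Match block, as the first suggestion above describes. It assumes the daemon name `sshd`, IPv4 client patterns only, and a hosts.deny that denies ALL; the function names and sample file contents are constructed.

```python
import ipaddress

# Constructed sample files: deny everything, allow sshd from two networks.
SAMPLE_DENY = "# constructed sample\nALL: ALL\n"
SAMPLE_ALLOW = "sshd: 192.168.1. 10.0.0.0/255.0.0.0\nin.ftpd: 172.16.\n"

def sshd_clients(text, daemon="sshd"):
    """Client patterns from hosts.allow/hosts.deny text that apply to sshd."""
    clients = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        if not {daemon, "ALL"} & set(daemons.replace(",", " ").split()):
            continue
        client_part, *options = rest.split(":")
        if options:  # shell commands / allow / deny options have no direct equivalent
            raise ValueError(f"option field needs manual review: {line!r}")
        clients += client_part.replace(",", " ").split()
    return clients

def to_cidr(pattern):
    """Convert a tcp_wrappers IPv4 pattern to CIDR; raises ValueError otherwise."""
    if pattern.endswith("."):  # prefix form such as "192.168.1."
        octets = pattern.rstrip(".").split(".")
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return str(ipaddress.ip_network(f"{base}/{8 * len(octets)}"))
    # plain address, addr/len or addr/netmask; hostnames, ALL, LOCAL, EXCEPT raise
    return str(ipaddress.ip_network(pattern))

def match_block(allow_text, deny_text):
    """Build a Match block that rejects every user outside the allowed networks."""
    if set(sshd_clients(deny_text)) != {"ALL"}:
        raise ValueError("only the default-deny layout (ALL in hosts.deny) is handled")
    nets = [to_cidr(p) for p in sshd_clients(allow_text)]
    # "*" selects every address; each negated network removes that network from
    # the match, so the block applies only to clients outside the old allow list.
    addresses = ",".join(["*"] + ["!" + n for n in nets])
    return f"Match Address {addresses}\n    DenyUsers *\n"

if __name__ == "__main__":
    # Append the output to the end of sshd_config (Match blocks go last).
    print(match_block(SAMPLE_ALLOW, SAMPLE_DENY), end="")
```

Check the resulting file with `sshd -t` before restarting the service. Unlike libwrap, which refused the connection before the SSH protocol started, this rule rejects the client at authentication time, so a firewall rule is still the closer replacement if the port itself must be unreachable.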


* Re: HEADSUP: OpenSSH 6.7 drops tcpwrapper support
  2014-08-18 11:53 HEADSUP: OpenSSH 6.7 drops tcpwrapper support Corinna Vinschen
@ 2014-08-19 18:23 ` D. Boland
  2014-08-19 19:10   ` Corinna Vinschen
  2014-08-19 19:05 ` Andrey Repin
  1 sibling, 1 reply; 4+ messages in thread
From: D. Boland @ 2014-08-19 18:23 UTC (permalink / raw)
  To: cygwin

Hi Corinna,

Corinna Vinschen wrote:
> 
> Hi folks,
> 
> Just a HEADSUP to all of you actively using the tcp_wrappers/libwrap
> functionality in sshd:
> 
> Starting with the next OpenSSH version 6.7, which will be released soon,
> upstream removed support for tcp_wrappers/libwrap from the sources.
> 
> While that's bad from a compatibility point of view, the upstream
> developers are adamant about this change for security reasons.

Can you point me to any documentation about this?

Daniel


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: HEADSUP: OpenSSH 6.7 drops tcpwrapper support
  2014-08-18 11:53 HEADSUP: OpenSSH 6.7 drops tcpwrapper support Corinna Vinschen
  2014-08-19 18:23 ` D. Boland
@ 2014-08-19 19:05 ` Andrey Repin
  1 sibling, 0 replies; 4+ messages in thread
From: Andrey Repin @ 2014-08-19 19:05 UTC (permalink / raw)
  To: Corinna Vinschen

Greetings, Corinna Vinschen!

> Starting with the next OpenSSH version 6.7, which will be released soon,
> upstream removed support for tcp_wrappers/libwrap from the sources.

> While that's bad from a compatibility point of view, the upstream
> developers are adamant about this change for security reasons.

> So, if you configured /etc/hosts.allow and/or /etc/hosts.deny files in
> your Cygwin installation to block certain connections to your sshd
> service, you will have to find other means to do that ASAP:

> - Utilize the sshd_config Match rule.

> - Utilize your firewall.

Am I correct that this will only affect SSHD access control mechanics?
Not the socket redirection?


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 19.08.2014, <23:03>

Sorry for my terrible english...




* Re: HEADSUP: OpenSSH 6.7 drops tcpwrapper support
  2014-08-19 18:23 ` D. Boland
@ 2014-08-19 19:10   ` Corinna Vinschen
  0 siblings, 0 replies; 4+ messages in thread
From: Corinna Vinschen @ 2014-08-19 19:10 UTC (permalink / raw)
  To: cygwin


On Aug 19 20:28, D. Boland wrote:
> Hi Corinna,
> 
> Corinna Vinschen wrote:
> > 
> > Hi folks,
> > 
> > Just a HEADSUP to all of you actively using the tcp_wrappers/libwrap
> > functionality in sshd:
> > 
> > Starting with the next OpenSSH version 6.7, which will be released soon,
> > upstream removed support for tcp_wrappers/libwrap from the sources.
> > 
> > While that's bad from a compatibility point of view, the upstream
> > developers are adamant about this change for security reasons.
> 
> Can you point me to any documentation about this?

No, sorry.  It has been discussed briefly on the openssh-unix-dev
developer list and it was referred to as old, unmaintained, dangerous
code which calls setjmp pretty much first thing in the library code.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
