Re: New tcp_wrappers package?

On 4/19/2010 9:49 AM, Corinna Vinschen wrote:
> any chance we can get a new tcp_wrappers package?  The fact that the
> host.allow file disables sshd access by default due to the rule order
> in that file is a bit unnerving when trying to debug connection
> problems.

Err...well, as discussed here:

<time passes>

Hey, waitaminute.  I posted a response to this
but it's not in the archive.

<time passes>

Oops.  It never got sent "out", it only got Bcc:'ed back to me.
So, as I *intended* to discuss, in reference to the above thread:

> The /etc/hosts.allow shipped by -21 does not differ (in this
> respect) from the one shipped by -20 for the last year, nor from the one
> shipped by -5 since 27 Apr 2008.
> The solution to a failure due to PARANOID is not to remove it or
> otherwise bypass it -- but to fix your local DNS.  If you can't do that,
> THEN you can disable the PARANOID check, but just for your broken lan.
> It's not a reason to suggest disabling the PARANOID check for everyone
> by default.
> Take a look at /var/log/messages, and see what tcpd is reporting there.

So, in light of that, Corinna, I'm surprised that you're having trouble
-- especially since the distributed hosts.allow hasn't changed in almost
two years.  Has something broken your local DNS, or is there some other

Further, IF the problem is strictly reverse-DNS-related, are you
suggesting that we should, by default, allow all connections to sshd
without checking for DNS spoofing, because that is "easier" for many
people -- regardless of the security implications?

(Granted, DNS name resolution "paranoia" doesn't actually add all that
much security, but...every little bit helps encourage the bad guys to go
pick a different target [*])

[*] the old joke about "I don't need to outrun the bear; I just need to
outrun the other runners..."
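The rule-order and PARANOID points above, as an added example that is not code from the Cygwin tcp_wrappers package, from tcpd/libwrap, or from either poster: a small Python model of how libwrap names a client (verified name, "unknown", or "paranoid") and then walks a hosts_options-style table first-match-wins. The two tables, the resolver, and every host name and address in it are constructed for illustration; the LAN_EXEMPT table shows the "disable the check just for your broken LAN" shape by putting a network rule ahead of the PARANOID rule instead of deleting it.

```python
"""Model of tcpd client naming and hosts.allow first-match evaluation.

Added example, not libwrap's code. Mirrors the behaviour documented in
hosts_access(5)/hosts_options(5): PARANOID matches a client whose reverse
name does not map back to its address; UNKNOWN matches a client with no
reverse name at all; rules are tried in order and the first match wins.
Resolver functions are injectable so the model runs offline with fakes.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple

ReverseFn = Callable[[str], str]          # ip -> name, raises OSError on failure
ForwardFn = Callable[[str], List[str]]    # name -> [ip, ...], raises OSError


def _sys_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def _sys_forward(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]


def client_name(ip: str, reverse: ReverseFn = _sys_reverse,
                forward: ForwardFn = _sys_forward) -> str:
    """Name tcpd attaches to a client: verified name, "unknown" or "paranoid"."""
    try:
        name = reverse(ip)
    except OSError:
        return "unknown"                  # no PTR record: UNKNOWN, not PARANOID
    try:
        if ip in forward(name):
            return name                   # forward lookup confirms the PTR name
    except OSError:
        pass
    return "paranoid"                     # name/address mismatch, or no A record


def _client_matches(pattern: str, ip: str, name: str) -> bool:
    """Subset of the client_list patterns from hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if pattern == "UNKNOWN":
        return name == "unknown"
    if pattern == "KNOWN":
        return name not in ("unknown", "paranoid")
    if "/" in pattern:                    # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.startswith("."):           # domain suffix
        return name.endswith(pattern)
    if pattern.endswith("."):             # address prefix
        return ip.startswith(pattern)
    return pattern in (ip, name)          # literal host name or address


Rule = Tuple[List[str], List[str], bool]  # (daemon_list, client_list, allow?)


def parse_rules(text: str, default_allow: bool = True) -> List[Rule]:
    """Parse 'daemon_list : client_list [: allow|deny]' lines.

    Lines without an option take the table default (hosts.allow grants,
    hosts.deny refuses); pass default_allow=False for a hosts.deny table.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        verdict = default_allow
        if len(fields) > 2 and fields[2].lower() in ("allow", "deny"):
            verdict = fields[2].lower() == "allow"
        rules.append((daemons, clients, verdict))
    return rules


def access_decision(rules: List[Rule], daemon: str, ip: str, name: str) -> bool:
    """First matching rule wins; a client matching nothing is allowed."""
    for daemons, clients, allow in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(_client_matches(c, ip, name) for c in clients):
                return allow
    return True


# Constructed tables (assumptions, not the file the Cygwin package ships).
SHIPPED_STYLE = """
ALL : PARANOID : deny
ALL : ALL : allow
"""
LAN_EXEMPT = """
sshd : 192.168.1.0/255.255.255.0 : allow   # skip the check for this LAN only
ALL : PARANOID : deny
ALL : ALL : allow
"""


# Constructed resolver: the LAN PTR points at a name with no A record,
# which is exactly the mismatch PARANOID exists to catch.
def fake_reverse(ip: str) -> str:
    table = {"192.168.1.7": "pc7.lan.invalid", "203.0.113.9": "host9.example.net"}
    if ip not in table:
        raise socket.herror("no PTR record")
    return table[ip]


def fake_forward(name: str) -> List[str]:
    table = {"host9.example.net": ["203.0.113.9"]}
    if name not in table:
        raise socket.gaierror("no A record")
    return table[name]


def sshd_allowed(table_text: str, ip: str) -> bool:
    name = client_name(ip, fake_reverse, fake_forward)
    return access_decision(parse_rules(table_text), "sshd", ip, name)


if __name__ == "__main__":
    for ip in ("192.168.1.7", "203.0.113.9", "198.51.100.1"):
        print(ip, client_name(ip, fake_reverse, fake_forward),
              "shipped:", sshd_allowed(SHIPPED_STYLE, ip),
              "lan-exempt:", sshd_allowed(LAN_EXEMPT, ip))
```

The model also makes the log-checking advice concrete: a client that lands on "paranoid" here is the one tcpd reports as a host name/address mismatch in /var/log/messages, and the fix is the PTR or A record on the LAN resolver, with the network rule as the fallback rather than deleting the PARANOID line.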
