This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: New tcp_wrappers package?


On 4/19/2010 9:49 AM, Corinna Vinschen wrote:
> any chance we can get a new tcp_wrappers package?  The fact that the
> host.allow file disables sshd access by default due to the rule order
> in that file is a bit unnerving when trying to debug connection
> problems.

Err...well, as discussed here:

<time passes>

Hey, waitaminute.  I posted a response to this
http://cygwin.com/ml/cygwin/2010-04/msg00052.html
but it's not in the archive.

<time passes>

Oops.  It never got sent "out", it only got Bcc:'ed back to me.
So, as I *intended* to discuss, in reference to the above thread:

> The /etc/hosts.allow shipped by -21 does not differ (in this
> respect) from the one shipped by -20 for the last year, nor from the one
> shipped by -5 since 27 Apr 2008.
> 
> The solution to a failure due to PARANOID is not to remove it or
> otherwise bypass it -- but to fix your local DNS.  If you can't do that,
> THEN you can disable the PARANOID check, but just for your broken lan.
> It's not a reason to suggest disabling the PARANOID check for everyone
> by default.
> 
> Take a look at /var/log/messages, and see what tcpd is reporting there.

So, in light of that, Corinna, I'm surprised that you're having trouble
-- especially since the distributed hosts.allow hasn't changed in almost
two years.  Has something broken your local DNS, or is there some other
cause?

Further, IF the problem is strictly reverse-DNS-related, are you
suggesting that we should, by default, allow all connections to sshd
without checking for DNS spoofing, because that is "easier" for many
people -- regardless of the security implications?

(Granted, DNS name resolution "paranoia" doesn't actually add all that
much security, but...every little bit helps encourage the bad guys to go
pick a different target [*])

[*] the old joke about "I don't need to outrun the bear; I just need to
outrun the other runners..."

--
Chuck
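What the PARANOID check discussed above actually tests, as an added Python example (not code from tcp_wrappers or the Cygwin package): a forward-confirmed reverse lookup with pluggable resolver callbacks, so the logic can be tried against constructed zone data instead of live DNS. The sample addresses and names are constructed.

```python
"""Forward-confirmed reverse DNS as tcp_wrappers applies it (hosts_access(5)).

Added example, not code from tcp_wrappers or the Cygwin package. The
PARANOID wildcard matches a client whose reverse-resolved name does not
resolve back to the connecting address; a client with no reverse name at
all matches UNKNOWN instead. The resolver callbacks are pluggable so the
logic can be exercised against constructed zone data without network access.
"""
import socket
from typing import Callable, Iterable, Optional

ReverseLookup = Callable[[str], Optional[str]]   # address -> name, or None
ForwardLookup = Callable[[str], Iterable[str]]   # name -> addresses


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name: str) -> list:
    """A/AAAA lookup through the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def classify_client(ip: str, reverse: ReverseLookup = system_reverse,
                    forward: ForwardLookup = system_forward) -> str:
    """Return the hosts_access(5) wildcard the client would match."""
    name = reverse(ip)
    if name is None:
        return "UNKNOWN"    # no PTR record: not PARANOID, but no verified name either
    if ip in set(forward(name)):
        return "KNOWN"      # name and address agree; a hostname rule can safely match
    return "PARANOID"       # forward lookup failed or omitted the address, which
                            # tcpd reports as a host name/address mismatch


# Constructed zone data standing in for a LAN whose reverse zone is out of date.
SAMPLE_PTR = {"192.0.2.10": "good.example.test",
              "192.0.2.20": "stale.example.test"}
SAMPLE_A = {"good.example.test": ["192.0.2.10"],
            "stale.example.test": ["192.0.2.99"]}   # PTR names a host that moved


def classify_sample(ip: str) -> str:
    """Classify a client against the constructed zone rather than live DNS."""
    return classify_client(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))
```

Scoping an exception to the broken LAN's address range, as the quoted reply suggests, is then a matter of the client list in the rule that mentions PARANOID, not of dropping the check for every peer.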




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
