On 4/19/2010 9:49 AM, Corinna Vinschen wrote:
> any chance we can get a new tcp_wrappers package? The fact that the
> host.allow file disables sshd access by default due to the rule order
> in that file is a bit unnerving when trying to debug connection
> problems.

Err...well, as discussed here:

<time passes>

Hey, waitaminute. I posted a response to this
http://cygwin.com/ml/cygwin/2010-04/msg00052.html
but it's not in the archive.

<time passes>

Oops. It never got sent "out", it only got Bcc:'ed back to me. So, as I *intended* to discuss, in reference to the above thread:

> The /etc/hosts.allow shipped by -21 does not differ (in this
> respect) from the one shipped by -20 for the last year, nor from the one
> shipped by -5 since 27 Apr 2008.
>
> The solution to a failure due to PARANOID is not to remove it or
> otherwise bypass it -- but to fix your local DNS. If you can't do that,
> THEN you can disable the PARANOID check, but just for your broken lan.
> It's not a reason to suggest disabling the PARANOID check for everyone
> by default.
>
> Take a look at /var/log/messages, and see what tcpd is reporting there.

So, in light of that, Corinna, I'm surprised that you're having trouble -- especially since the distributed hosts.allow hasn't changed in almost two years. Has something broken your local DNS, or is there some other cause?

Further, IF the problem is strictly reverse-DNS-related, are you suggesting that we should, by default, allow all connections to sshd without checking for DNS spoofing, because that is "easier" for many people -- regardless of the security implications? (Granted, DNS name resolution "paranoia" doesn't actually add all that much security, but...every little bit helps encourage the bad guys to go pick a different target [*])

[*] the old joke about "I don't need to outrun the bear; I just need to outrun the other runners..."

--
Chuck

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
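The rule walk and the narrowly scoped LAN exception that the quoted reply describes, as an added example that is not part of the thread or of tcp_wrappers itself: a small Python model of hosts.allow evaluation (first matching `daemons : clients : action` line wins, PARANOID meaning "reverse name is not confirmed by a forward lookup"). The DNS tables, addresses and rule sets are constructed so it runs offline.

```python
"""Model of a tcp_wrappers hosts.allow walk, using constructed DNS data."""
import ipaddress

# Constructed stand-ins for the resolver (addresses from documentation ranges).
PTR = {"192.0.2.10": "good.example.test",
       "192.0.2.20": "bad.example.test",        # forward record disagrees
       "198.51.100.5": "stale.example.test"}    # no forward record at all
A = {"good.example.test": ["192.0.2.10"],
     "bad.example.test": ["192.0.2.99"]}

# Constructed rule sets. PARANOID first, so a mismatching client is denied
# before the blanket sshd rule is reached.
HOSTS_ALLOW_DEFAULT = ["ALL : PARANOID : deny",
                       "sshd : ALL : allow"]
# Same file with an exception only for the one LAN whose reverse DNS is broken;
# every other client still goes through the PARANOID check.
HOSTS_ALLOW_LAN_FIX = ["sshd : 198.51.100.0/255.255.255.0 : allow",
                       "ALL : PARANOID : deny",
                       "sshd : ALL : allow"]

def is_paranoid(ip: str) -> bool:
    """PARANOID: a reverse name exists but the forward lookup of that name
    does not contain the connecting address (missing forward record counts)."""
    name = PTR.get(ip)
    if name is None:          # no PTR at all: tcpd calls that 'unknown', not PARANOID
        return False
    return ip not in A.get(name, [])

def client_matches(pattern: str, ip: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return is_paranoid(ip)
    if "/" in pattern:        # net/mask form, e.g. 198.51.100.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def decide(rules: list, daemon: str, ip: str, default: str = "allow") -> str:
    """Walk the rules top to bottom; the first matching line decides.
    With tcpd, no match in hosts.allow or hosts.deny means access is granted,
    which is what `default` models here."""
    for line in rules:
        line = line.split("#")[0].strip()
        if not line:
            continue
        daemons, clients, action = (f.strip() for f in line.split(":"))
        if daemon not in daemons.split() and "ALL" not in daemons.split():
            continue
        if any(client_matches(p, ip) for p in clients.split()):
            return action
    return default
```

Run `decide(HOSTS_ALLOW_DEFAULT, "sshd", "192.0.2.20")` to see the mismatching client denied, and the same address against `HOSTS_ALLOW_LAN_FIX` to confirm the exception does not leak beyond the one subnet.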