Mail Archives: cygwin/2010/04/19/18:35:06

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,RCVD_IN_DNSWL_LOW
X-Spam-Check-By: sourceware.org
Message-ID: <4BCCDA70.8080500@cwilson.fastmail.fm>
Date: Mon, 19 Apr 2010 18:34:24 -0400
From: Charles Wilson <cygwin AT cwilson DOT fastmail DOT fm>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Cygwin Mailing List <cygwin AT cygwin DOT com>
Subject: Re: New tcp_wrappers package?
References: <20100419134923 DOT GP8556 AT calimero DOT vinschen DOT de>
In-Reply-To: <20100419134923.GP8556@calimero.vinschen.de>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 4/19/2010 9:49 AM, Corinna Vinschen wrote:
> any chance we can get a new tcp_wrappers package?  The fact that the
> host.allow file disables sshd access by default due to the rule order
> in that file is a bit unnerving when trying to debug connection
> problems.

Err...well, as discussed here:

<time passes>

Hey, waitaminute.  I posted a response to this
http://cygwin.com/ml/cygwin/2010-04/msg00052.html
but it's not in the archive.

<time passes>

Oops.  It never got sent "out", it only got Bcc:'ed back to me.
So, as I *intended* to discuss, in reference to the above thread:

> The /etc/hosts.allow shipped by -21 does not differ (in this
> respect) from the one shipped by -20 for the last year, nor from the one
> shipped by -5 since 27 Apr 2008.
> 
> The solution to a failure due to PARANOID is not to remove it or
> otherwise bypass it -- but to fix your local DNS.  If you can't do that,
> THEN you can disable the PARANOID check, but just for your broken lan.
> It's not a reason to suggest disabling the PARANOID check for everyone
> by default.
> 
> Take a look at /var/log/messages, and see what tcpd is reporting there.

So, in light of that, Corinna, I'm surprised that you're having trouble
-- especially since the distributed hosts.allow hasn't changed in almost
two years.  Has something broken your local DNS, or is there some other
cause?

Further, IF the problem is strictly reverse-DNS-related, are you
suggesting that we should, by default, allow all connections to sshd
without checking for DNS spoofing, because that is "easier" for many
people -- regardless of the security implications?

(Granted, DNS name resolution "paranoia" doesn't actually add all that
much security, but...every little bit helps encourage the bad guys to go
pick a different target [*])

[*] the old joke about "I don't need to outrun the bear; I just need to
outrun the other runners..."

--
Chuck




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
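The thread above turns on two tcp_wrappers behaviours: what the PARANOID wildcard actually tests (the client's reverse name must resolve back to the client's address), and why rule order in hosts.allow matters (tcpd stops at the first matching rule). The following is an added example, not code from the Cygwin project or from either poster: a small offline model of both behaviours with a constructed resolver, so it can be run without any DNS. The rule sets, host names and addresses are all constructed for illustration; the actual contents of the hosts.allow shipped with Cygwin are not reproduced here.

```python
"""Offline model of the tcp_wrappers PARANOID check and first-match rule
ordering in hosts.allow.  Added example; the DNS records and rule sets are
constructed and the real tcpd consults the system resolver instead."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed DNS data: PTR (reverse) and A (forward) records.
PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "good.example.net",   # forward record agrees -> not PARANOID
    "192.0.2.11": "spoof.example.net",  # forward record points elsewhere -> PARANOID
    "10.0.0.5":   "lan-box.internal",   # stale reverse entry on a broken LAN -> PARANOID
    "192.0.2.12": None,                 # no PTR at all: tcpd calls this "unknown"
}
A: Dict[str, List[str]] = {
    "good.example.net":  ["192.0.2.10"],
    "spoof.example.net": ["203.0.113.99"],
    "lan-box.internal":  ["10.0.0.7"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    return PTR.get(ip)


def forward_lookup(name: str) -> List[str]:
    return A.get(name, [])


def is_paranoid(ip: str) -> bool:
    """PARANOID matches a client whose reverse name does not resolve back to
    the client's address.  A host with no PTR record is 'unknown', not
    PARANOID, so only a genuine forward/reverse mismatch triggers it."""
    name = reverse_lookup(ip)
    if name is None:
        return False
    return ip not in forward_lookup(name)


def client_matches(pattern: str, ip: str) -> bool:
    """Subset of the client patterns hosts_access(5) accepts."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return is_paranoid(ip)
    if "/" in pattern:              # net/mask or net/prefixlen form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):       # dotted-prefix form, e.g. "10.0.0."
        return ip.startswith(pattern)
    return reverse_lookup(ip) == pattern   # a literal host name


Rule = Tuple[str, str, str]  # (daemon list, client pattern, "allow" | "deny")


def decide(rules: List[Rule], daemon: str, ip: str) -> str:
    """First matching rule wins, as when tcpd scans hosts.allow top to bottom.
    Assumption for this model: hosts.deny is empty, so no match means allow."""
    for daemons, client, action in rules:
        daemon_ok = daemons == "ALL" or daemon in daemons.split(",")
        if daemon_ok and client_matches(client, ip):
            return action
    return "allow"


# Constructed rule sets in the "daemon : client : action" style.
PARANOID_FIRST: List[Rule] = [          # deny mismatches before granting sshd
    ("ALL", "PARANOID", "deny"),
    ("sshd", "ALL", "allow"),
]
ALLOW_FIRST: List[Rule] = [             # same rules, swapped: PARANOID never reached for sshd
    ("sshd", "ALL", "allow"),
    ("ALL", "PARANOID", "deny"),
]
LAN_EXCEPTION: List[Rule] = [           # exception scoped to one broken LAN only
    ("sshd", "10.0.0.0/24", "allow"),
    ("ALL", "PARANOID", "deny"),
    ("sshd", "ALL", "allow"),
]


if __name__ == "__main__":
    for label, rules in (("paranoid-first", PARANOID_FIRST),
                         ("allow-first", ALLOW_FIRST),
                         ("lan-exception", LAN_EXCEPTION)):
        for ip in PTR:
            print(f"{label:15} sshd from {ip:12} -> {decide(rules, 'sshd', ip)}")
```

Running it shows the trade-off the message argues about: with the PARANOID rule ahead of the sshd rule, the spoofed host and the host on the broken LAN are both refused; swapping the two rules lets the spoofed host in as well, which is the outcome the message objects to; the third rule set keeps the PARANOID check for everyone while exempting just the one misconfigured network.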
