[OE-core] [PATCH] openssh: Restore TCP wrappers support --> remove tcp-wrappers in next release?

Mark Hatle mark.hatle at windriver.com
Sat Jul 21 15:43:58 UTC 2018


On 7/20/18 2:59 PM, Randy MacLeod wrote:
>> +From 03cdbc92adf763f9ff5bb89f7820f9e1734f745b Mon Sep 17 00:00:00 2001
>> +From: Changqing Li <changqing.li at windriver.com>
>> +Date: Fri, 13 Jul 2018 12:16:18 +0800
>> +Subject: [PATCH] Restore TCP wrappers support
>> +
>> +Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
>> +and thread:
>> +
>> +  https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
>> +
>> +It is true that this reduces preauth attack surface in sshd.  On the
>> +other hand, this support seems to be quite widely used, and abruptly
>> +dropping it (from the perspective of users who don't read
>> +openssh-unix-dev) could easily cause more serious problems in practice.
>> +
>> +Upstream-Status: Inappropriate
>> +
>> +This patch was imported by wenzong firstly, the following sign is not
>> +the origin author, just adjust it to fit for new version of openssh.
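Review bot: "Upstream-Status: Inappropriate" in the embedded patch header carries no bracketed reason; the OE-core patch convention expects one (for example "Upstream-Status: Inappropriate [oe specific]" or "[enable feature]"), and since the linked openssh-unix-dev thread records that upstream removed this on purpose, saying so in the tag tells the next person who refreshes the patch that it will never be accepted upstream and why. The closing paragraph ("This patch was imported by wenzong firstly, the following sign is not the origin author") leaves the original authorship unclear; name the original author explicitly and state that the Signed-off-by below is the forward-porter's, not the author's.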
> 
> I suppose we can do this for one more release but
> we shouldn't carry tcp-wrappers support [1] forever without
> considering alternatives.
> 
> 
> FYI,
> Fedora has started a process to deprecate tcp-wrappers:
>     https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

While I agree with some of the above points about tcp-wrappers, especially that
regular Linux firewall support should be used by all devices, tcp-wrappers gives
a standard mechanism for allow/deny-type behavior as a fallback.

It's all about providing multiple levels of access limits, so if one version is
broken (bug or otherwise), another can help limit system exposure.

However, I do disagree that things would be better served using eBPF-based
configurations (at this time).

> The first step is to require that individual services use the
> tcp-wrapper tcpd monitor. There is (of course!) a systemd solution:
>    Add simple eBPF-based per-unit IP access lists and accounting
>    https://github.com/systemd/systemd/pull/6764
> That went into v235, in October 2017.

Looking at security issues over the past few years, there are a ton of problems
with eBPF.  It's horribly complex, and that complexity leads to implementation
issues.  BPF actually 'compiles and executes' the code in the kernel.  This has
led to many folks being concerned it could be a vector for an attack.  (Add to
that Spectre/Meltdown concerns with BPF 'programs', and it's a nightmare of a
solution for the average developer.)

> I'm not sure what plans Debian or other distros have.

If anything, this is a place where we definitely need to watch what others are
doing.  I think Debian may provide a good view as to what we should be doing.
They seem to take a reasonably measured approach in their implementations of
this type of security.  (Fedora, by contrast, seems to be more concerned with
systemd integration and seeing what is new and then experimenting with it.)

> Buildroot doesn't seem to support tcp-wrappers at all.
> 
> If there are no objections to removing tcp-wrappers from oe-core
> in 2.7/2.8, I will open a YP Bugzilla enhancement next week.

I think as a community we need to watch and figure out if and when it makes
sense to remove it.  I agree, now is not the time -- but maybe in a year?

--Mark

> ../Randy
> 
> 
> [1]  There are a number of packages that optionally depend
>       on tcp-wrappers:
> 
> oe-core:
> $ rgrep -il "PACKAGECONFIG\[tcp-wrappers\]" *
> meta/recipes-connectivity/nfs-utils/nfs-utils_2.3.1.bb
> meta/recipes-connectivity/socat/socat_1.7.3.2.bb
> meta/recipes-extended/quota/quota_4.04.bb
> meta/recipes-extended/xinetd/xinetd_2.3.15.bb
> meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb
> 
> meta-oe:
> $ rgrep -il "PACKAGECONFIG\[tcp-wrappers\]" *
> meta-networking/recipes-daemons/atftp/atftp_git.bb
> meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
> 
> 
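The allow/deny fallback Mark describes above and the systemd per-unit IP access lists Randy points to can be put side by side in code. The following is an added example written for this page, not code from tcp_wrappers, OpenSSH, systemd or OE-core. The hosts.allow/hosts.deny contents, the unit allow/deny lists and the client addresses are constructed; the evaluator covers only the IP-literal subset of hosts_access(5) client patterns (ALL, dotted prefixes, net/mask or CIDR, exact addresses) and the precedence documented for IPAddressAllow=/IPAddressDeny= (a match in the allow list wins, unmatched addresses pass), not hostname lookups, EXCEPT clauses or the other systemd keywords.

```python
"""Layered host access control: tcp-wrappers semantics in front of a
systemd-style per-unit IP filter.  Constructed example for this thread,
not code from tcp_wrappers, OpenSSH or systemd."""
import ipaddress
from typing import List, Tuple

# Constructed sample configuration (hypothetical hosts, not from any real system).
HOSTS_ALLOW = """
# hosts.allow: sshd only from the management network, rpcbind from one host
sshd: 10.0.0.0/255.255.255.0
rpcbind: 192.168.1.20
"""
HOSTS_DENY = """
# hosts.deny: fallback, refuse everything not granted above
ALL: ALL
"""
# What a unit drop-in with IPAddressDeny=any / IPAddressAllow=... would carry.
SSHD_UNIT_ALLOW = ["10.0.0.0/24", "localhost"]
SSHD_UNIT_DENY = ["any"]

Rule = Tuple[List[str], List[str]]


def parse_hosts_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; comments and blanks are skipped.
    EXCEPT clauses and shell-command options are deliberately unsupported."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or "EXCEPT" in line:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _client_matches(pattern: str, ip: str) -> bool:
    """IP-literal subset of hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # dotted prefix, e.g. "10.0.0."
        return ip.startswith(pattern)
    if "/" in pattern:                         # net/mask or CIDR
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern                       # exact address


def _rule_matches(rule: Rule, daemon: str, ip: str) -> bool:
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(
        _client_matches(p, ip) for p in clients)


def hosts_access(daemon: str, ip: str, allow_text: str, deny_text: str) -> bool:
    """hosts_access(5) order: hosts.allow first, then hosts.deny, else grant.
    Note the default: an empty hosts.deny means everything not listed is let in."""
    if any(_rule_matches(r, daemon, ip) for r in parse_hosts_file(allow_text)):
        return True
    if any(_rule_matches(r, daemon, ip) for r in parse_hosts_file(deny_text)):
        return False
    return True


def systemd_ip_filter(ip: str, allow: List[str], deny: List[str]) -> bool:
    """IPAddressAllow=/IPAddressDeny= as documented in systemd.resource-control(5):
    a match in the allow list wins over the deny list; unmatched addresses pass.
    Only 'any', 'localhost' and address/prefix literals are handled here."""
    addr = ipaddress.ip_address(ip)

    def hit(entries: List[str]) -> bool:
        for entry in entries:
            if entry == "any":
                return True
            if entry == "localhost":
                if addr.is_loopback:
                    return True
                continue
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        return False

    if hit(allow):
        return True
    if hit(deny):
        return False
    return True


def admit(daemon: str, ip: str, allow_text: str = HOSTS_ALLOW,
          deny_text: str = HOSTS_DENY, unit_allow: List[str] = SSHD_UNIT_ALLOW,
          unit_deny: List[str] = SSHD_UNIT_DENY) -> Tuple[bool, bool, bool]:
    """Return (wrappers_ok, unit_filter_ok, admitted): the connection is admitted
    only when every layer agrees, so one misconfigured layer does not open the door."""
    wrappers_ok = hosts_access(daemon, ip, allow_text, deny_text)
    unit_ok = systemd_ip_filter(ip, unit_allow, unit_deny)
    return wrappers_ok, unit_ok, wrappers_ok and unit_ok


if __name__ == "__main__":
    print("mgmt host    :", admit("sshd", "10.0.0.7"))
    print("internet     :", admit("sshd", "203.0.113.5"))
    # Broken layer: hosts.deny emptied, so tcp-wrappers falls back to "grant".
    print("no hosts.deny:", admit("sshd", "203.0.113.5", deny_text=""))
```

The last call is the point Mark makes about multiple levels of access limits: with hosts.deny emptied, tcp-wrappers reverts to its default of granting access, and only the unit-level filter still refuses the connection from 203.0.113.5.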
