9th November 2011
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,983
My opinion, FWIW:
- You may have indeed found a bug, as the documented process is:
Quote:
Originally Posted by hosts_access(5)
The access control software consults two files. The search stops at the
first match:
o Access will be granted when a (daemon,client) pair matches an entry
in the /etc/hosts.allow file.
o Otherwise, access will be denied when a (daemon,client) pair matches
an entry in the /etc/hosts.deny file.
o Otherwise, access will be granted.
A non-existing access control file is treated as if it were an empty
file. Thus, access control can be turned off by providing no access
control files.
You may wish to report it to the project. Use the bugs@ mailing list; the PR database is no longer operational. See http://www.openbsd.org/mail.html and http://www.openbsd.org/report.html for guidance.
- You should be able to circumvent this by using EXCEPT in your hosts.deny file. See the EXAMPLES section of the man page.
- SSH has a myriad of choices for managing both authentication and authorization, which can completely replace hosts_access(5) and tcpd(8).
SSH is designed for use on untrusted networks, including the Internet. You may notice that hosts_access(5) and related man pages are not mentioned in any of the SSH man pages. Generally, tcpd is not used with SSH.
It is a common best practice for admins to disallow password authentication and use better alternatives such as public key authentication or s/key one-time-pads for SSH services.
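To make the quoted search order concrete, here is an added toy evaluator of the hosts_access(5) decision procedure. It is example code written for this page, not code from the post above, from OpenBSD or from tcp_wrappers, and it only models the subset of the rule syntax needed to show the ALLOW-then-DENY-then-grant order, the "missing file equals empty file" rule, and the EXCEPT workaround mentioned above. The sample hosts.deny contents, daemon names and client addresses are constructed for the demonstration; options fields, netmask notation, LOCAL/KNOWN/UNKNOWN/PARANOID and backslash continuation lines are deliberately not implemented.

```python
"""Toy model of the hosts_access(5) decision procedure (added example, not
project code).  Implements the documented search order:

  1. (daemon, client) matches an entry in hosts.allow  -> access granted
  2. otherwise it matches an entry in hosts.deny        -> access denied
  3. otherwise                                          -> access granted

A missing access control file is treated as an empty file.  Rule syntax
covered: "daemon_list : client_list [EXCEPT client_list]" with the tokens
ALL, exact host/address, ".suffix.example" (domain suffix) and "192.168.1."
(address prefix).  Anything beyond that subset is an intentional omission.
"""
import os
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (daemon_list, client_list)


def _match_token(token: str, name: str) -> bool:
    """Match one pattern token against a daemon or client name (subset)."""
    if token == "ALL":
        return True
    if token.startswith("."):          # ".corp.example" matches a host name suffix
        return name.endswith(token)
    if token.endswith("."):            # "192.168.1." matches an address prefix
        return name.startswith(token)
    return token == name               # exact host name or address


def _match_list(spec: str, name: str) -> bool:
    """Evaluate "a b EXCEPT c d" lists.  EXCEPT groups to the right, as the
    man page describes: "a EXCEPT b EXCEPT c" is "a EXCEPT (b EXCEPT c)"."""
    parts = re.split(r"\bEXCEPT\b", spec, maxsplit=1)
    tokens = parts[0].replace(",", " ").split()
    hit = any(_match_token(t, name) for t in tokens)
    if hit and len(parts) == 2:
        return not _match_list(parts[1], name)
    return hit


def parse_rules(text: str) -> List[Rule]:
    """Parse file contents into (daemon_list, client_list) pairs.  Comments
    and blank lines are skipped; a third (option) field is ignored here."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def load_rules(path: str) -> List[Rule]:
    """A non-existing access control file is treated as an empty file."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="ascii") as fh:
        return parse_rules(fh.read())


def _matches(rules: List[Rule], daemon: str, client: str) -> bool:
    # The search stops at the first matching (daemon, client) pair.
    return any(_match_list(d, daemon) and _match_list(c, client) for d, c in rules)


def decide(daemon: str, client: str,
           allow_text: Optional[str], deny_text: Optional[str]) -> str:
    """Return 'granted' or 'denied'.  None stands for a missing file."""
    allow = parse_rules(allow_text) if allow_text is not None else []
    deny = parse_rules(deny_text) if deny_text is not None else []
    if _matches(allow, daemon, client):
        return "granted"
    if _matches(deny, daemon, client):
        return "denied"
    return "granted"


# Constructed sample of the EXCEPT workaround: no hosts.allow at all, and a
# hosts.deny that refuses sshd to everyone except one network and one domain.
DENY_EXAMPLE = """\
# /etc/hosts.deny (constructed sample, not a real configuration)
sshd : ALL EXCEPT 192.168.1. .corp.example
"""


def demo() -> dict:
    """Decisions for a few constructed (daemon, client) pairs."""
    pairs = [("sshd", "192.168.1.5"), ("sshd", "10.0.0.7"),
             ("sshd", "gw.corp.example"), ("ftpd", "10.0.0.7")]
    return {p: decide(p[0], p[1], None, DENY_EXAMPLE) for p in pairs}


if __name__ == "__main__":
    for (daemon, client), verdict in demo().items():
        print(f"{daemon:5} from {client:16} -> {verdict}")
```

With only a hosts.deny present, a client in 192.168.1. or under .corp.example is granted because the EXCEPT clause cancels the ALL match, every other sshd client is denied, and a daemon not named in any rule (ftpd in the sample) falls through to the default grant. Passing real file contents from load_rules() into decide() lets you reproduce the behaviour you observed before filing the report.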