View Single Post
  #4   (View Single Post)  
Old 9th November 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,044
Default

My opion, FWIW:
  1. You may have indeed found a bug, as the documented process is:
    Quote:
    Originally Posted by hosts_access(5)
    The access control software consults two files. The search stops at the
    first match:

    o Access will be granted when a (daemon,client) pair matches an entry
    in the /etc/hosts.allow file.

    o Otherwise, access will be denied when a (daemon,client) pair matches
    an entry in the /etc/hosts.deny file.

    o Otherwise, access will be granted.

    A non-existing access control file is treated as if it were an empty
    file. Thus, access control can be turned off by providing no access
    control files.
    You may wish to report it to the project. Use the bugs@ mailing list; the PR database is no longer operational. See http://www.openbsd.org/mail.html and http://www.openbsd.org/report.html for guidance.
  2. You should be able to circumvent this by using EXCEPT in your hosts.deny file. See the EXAMPLES section of the man page.
  3. SSH has a myriad of choices for managing both authentication and authorization, which can completely replace hosts_access(5) and tcpd(8).
SSH is designed for use on untrusted networks, including the Internet. You may notice that hosts_access(5) and related man pages are not mentioned in any of the SSH man pages. Generally, tcpd is not used with SSH.

It is a common best practice for admins to disallow password authentication and use better alternatives such as public key authentication or s/key one-time-pads for SSH services.

Reply With Quote