[LUAU] Excellent SSH advice

Dwight Victor dwight.victor at gmail.com
Thu Jan 13 00:42:10 PST 2005


Yes, an interesting discussion.  Almost seems like we need to do an
empirical study.

Vince said:
> To get tcp-wrapper support for an application, you either add the
> checks directly to the application or run a process that has been
> compiled with libwrap to perform the host checks before handing
> off to the application.

Which seems to be exactly what I was saying.  If you have SSH compiled
(or built or whatever) with tcp_wrapper or libwrap support, then the
wrapper _should_ intercept the traffic to the listening port,
allow/deny, then pass control (if allowed) to the SSH daemon to
establish the connection.

Vince also says:
> I doubt you will find tcpd running on a default install of any
> current OS. And if you kill all your superservers (inetd|xinetd)
> you should still find sshd running.

Right, I was using the tcpd manpage to illustrate what happens when
the wrapper takes effect.  Regardless, SSH w/libwrap support still
uses the /etc/hosts.allow and /etc/hosts.deny files...which were
described in the tcpd manpage.

Vince goes on to say:
> I could be wrong about a denied host being able to buffer
> overflow sshd, but if sshd is the one providing the tcp-wrapper
> support, I think the possibility is very real. Therefore, I tend
> to only use tcp-wrappers when firewalling is not an option.

Hmmm.  If the wrapper is first to receive data, and finds that the
attempt should be denied, wouldn't it drop the connection?  Why would
it pass the buffered information to the SSH daemon?  How can you
implement a buffer overflow on a dropped connection?  I think the
wrapper should work in a similar manner to iptables and drop all
subsequent data after determining that the attempt is denied.

Unfortunately I don't have a spare box that I could test this on.
Maybe someone out there can run ethereal and capture some packets in a
test environment.

This is really making me curious.

Dwight...
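As an added illustration (not part of this thread or of libwrap itself), the order in which a libwrap-enabled sshd consults /etc/hosts.allow and /etc/hosts.deny, re-implemented in Python against constructed sample files; it covers only a subset of the hosts_access(5) pattern syntax (ALL, a single address, address/netmask, and a trailing-dot prefix).

```python
import ipaddress

# Constructed sample files (not from the thread): the common
# "deny everything, allow sshd only from the LAN" layout.
HOSTS_ALLOW = """\
# sshd: office LAN plus one admin host (an optional third ':' field,
# the shell command, is ignored by this simplified matcher)
sshd: 192.168.10.0/255.255.255.0, 10.0.0.5
"""
HOSTS_DENY = """\
ALL: ALL
"""

def _client_matches(pattern, addr):
    """Subset of hosts_access(5) client patterns."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # address/netmask form
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    if pattern.endswith("."):               # prefix such as '10.0.0.'
        return addr.startswith(pattern)
    return addr == pattern                  # exact host address

def _file_matches(text, daemon, addr):
    """True if any 'daemon_list : client_list' line matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
            continue
        if any(_client_matches(c, addr) for c in clients.split(",")):
            return True
    return False

def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: hosts.allow first, then hosts.deny, else permit."""
    if _file_matches(allow, daemon, addr):
        return "allow"
    if _file_matches(deny, daemon, addr):
        return "deny"
    return "allow"  # no rule matched: libwrap grants access by default

if __name__ == "__main__":
    for peer in ("192.168.10.42", "10.0.0.5", "203.0.113.7"):
        print(peer, hosts_access("sshd", peer))
```

The last branch is the caveat worth remembering: without an explicit `ALL: ALL` in hosts.deny, a host that matches nothing is let through.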
