On Mon, 6 Jan 2025, Brian Buhrow wrote:
Under NetBSD-10.99.12 (sources as of November 21, 2024), sshd(8) appears not to be consulting the /etc/hosts.allow and /etc/hosts.deny files when deciding whether to offer a banner to incoming connections. A check with ldd against /usr/sbin/sshd and /usr/lib/libssh.so.48.0 shows that libwrap.so isn't needed by either of these files. Is this an intentional change and, if it is, where can I find it documented?
This looks like a merge mishap. OpenSSH 9.8 split sshd into 2 processes: a listener and a per-session binary, and a lot of code was changed then. I think only the 1st bit of the local tcp_wrapper changes were applied. The 2nd bit should be like this (as it is in 10.1_STABLE):

https://github.com/NetBSD/src/blob/netbsd-10/crypto/external/bsd/openssh/dist/sshd.c#L2123

Looks easy enough to apply. Haven't read through the code to see if both sshd.c and sshd-session.c will need it, or only one of them.

-RVP