Bug 1518785 - [F28 change] sslh should not require tcp_wrappers
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: sslh
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: James Hogarth
QA Contact: Fedora Extras Quality Assurance
Blocks: 1495181 1596070
Reported: 2017-11-29 14:59 UTC by Jakub Jelen
Modified: 2018-06-28 08:10 UTC (History)

Last Closed: 2017-12-01 10:56:21 UTC
Type: Bug

Description Jakub Jelen 2017-11-29 14:59:15 UTC
As announced earlier this year, we plan to deprecate TCP wrappers out of Fedora services in a single release (Fedora 28) to avoid user confusion that some of the tools will be using it and some not.

For more information about the change or possible migration paths outside of the package itself, see the linked accepted Fedora 28 change.

This report is for a source package that has "BuildRequires tcp_wrappers" in its spec file and whose resulting packages depend on "libwrap.so.0". The changes to remove the dependency should be minimal, usually a configure switch, but let me know if you need some assistance with the changes.

Additional info:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Comment 1 James Hogarth 2017-11-29 15:08:43 UTC
Thanks for the report, I'll adjust it tonight and carry out a fresh build in rawhide.

On a side note, your change page has an example which does not follow best practice.

If you copy over the whole service file from /usr/lib/systemd/system to /etc/systemd/system then any bug fixes or new features added to the service file (security etc) will not be picked up.

The proper way is to do a systemd override ... in the case of your example just /etc/systemd/system/sshd@.service.d/tcp_override.conf

To override an ExecStart you need to do two lines:

ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY

The reason for this is that a single ExecStart will just be executed as if there were multiple lines, but doing the blank one first "resets" the behaviour.
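
The drop-in behaviour discussed in Comment 1, as an added example that is not part of the original bug report or of systemd itself: a simplified Python model of how ExecStart= entries from a unit file and a drop-in are merged, showing the result with and without the blank reset line. The unit text is constructed sample input, and effective_settings and lint are hypothetical helper names.

```python
# Simplified model of how systemd merges ExecStart= from a unit and its drop-ins.
# All unit text below is constructed sample input, not Fedora's shipped file.
MAIN_UNIT = """\
[Service]
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
StandardInput=socket
"""

DROPIN_NO_RESET = """\
[Service]
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
"""

DROPIN_WITH_RESET = """\
[Service]
ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
"""

def effective_settings(*fragments):
    """Apply fragments in load order: main unit first, then drop-ins."""
    exec_start, svc_type = [], "simple"
    for text in fragments:
        section = None                      # section headers do not carry over
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "Type":
                    svc_type = value
                elif key == "ExecStart" and value == "":
                    exec_start.clear()      # empty assignment resets the list
                elif key == "ExecStart":
                    exec_start.append(value)  # otherwise the command is appended
    return svc_type, exec_start

def lint(*fragments):
    """Flag a merged unit that ends up with more than one start command."""
    svc_type, cmds = effective_settings(*fragments)
    if len(cmds) > 1 and svc_type != "oneshot":
        return [f"{len(cmds)} ExecStart= commands with Type={svc_type}; "
                "systemd allows more than one only for Type=oneshot"]
    return []

if __name__ == "__main__":
    for name, dropin in (("no reset", DROPIN_NO_RESET), ("reset", DROPIN_WITH_RESET)):
        print(name, effective_settings(MAIN_UNIT, dropin)[1], lint(MAIN_UNIT, dropin))
```

On a real host, systemctl cat on the unit shows the shipped file together with every drop-in that was applied.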

