Inadequate replacement for tcpwrapper


OpenSSH has gotten rid of tcpwrapper. The claim seems to be that Match
Address is an adequate replacement for hosts.allow.
In at least one area it is not. Hosts.allow reads the permissions from
top to bottom, and the first line that matches is the operative line.
Thus one could have
sshd: :allow
sshd: :deny
and the first line would apply.  
However this does not seem to operate with the Match directive.  

Thus I try
Match Address
AllowUsers *
MaxAuthTries 3
Match Address
DenyUsers *
MaxAuthTries 0

While it would seem to allow logons-- it gives a Password prompt twice
(instead of automatically logging in since passwordless login is enabled
for that address to the system, as is shown if the last three lines are
eliminated) but does not recognize the password. I.e., sshd applies not
just the first Match Address but also, in some backassed way, the
This makes setting up an automatic banning of machines attempting rogue
attacks difficult, since sometimes I will forget the password for a
machine that is supposed to be able to log in (say In
hosts.allow  this is easy to do-- just have an :allow line occur before
any :deny line. But this appears to be impossible for the Match

Or do I not understand something, which is certainly also possible.  
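
A small Python model of the two evaluation rules, added here as an example and not part of the original post: hosts.allow stops at the first matching line, while sshd_config(5) applies every satisfied Match block and keeps only the first instance of each keyword. The addresses are constructed (the post's own are missing), and the catch-all deny pattern and the negated-pattern variant are assumptions.

```python
import ipaddress

# Constructed rules: the page's real addresses are elided, so documentation
# ranges stand in. Assumption: the second (deny) rule is a catch-all that
# also covers the trusted host, as with an :allow line ahead of a :deny line.
HOSTS_ALLOW = [("192.0.2.10", "allow"), ("0.0.0.0/0", "deny")]
AS_POSTED = [
    ("192.0.2.10", [("AllowUsers", "*"), ("MaxAuthTries", "3")]),
    ("0.0.0.0/0", [("DenyUsers", "*"), ("MaxAuthTries", "0")]),
]
# Same intent, with the deny block's pattern list excluding the trusted host.
NEGATED = [
    ("192.0.2.10", [("AllowUsers", "*"), ("MaxAuthTries", "3")]),
    ("0.0.0.0/0,!192.0.2.10", [("DenyUsers", "*"), ("MaxAuthTries", "0")]),
]

def matches(addr, pattern_list):
    """Comma-separated address patterns; a '!' entry that matches vetoes the list."""
    ip, hit = ipaddress.ip_address(addr), False
    for pat in pattern_list.split(","):
        if ip in ipaddress.ip_network(pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            hit = True
    return hit

def hosts_allow_verdict(addr, rules=HOSTS_ALLOW):
    """hosts.allow: the first matching line decides and later lines are ignored."""
    for pattern, action in rules:
        if matches(addr, pattern):
            return action
    return "allow"  # tcp_wrappers grants access when nothing matches

def sshd_effective(addr, blocks):
    """sshd_config: every satisfied Match block applies; per keyword, first instance wins."""
    effective = {}
    for pattern, keywords in blocks:
        if matches(addr, pattern):
            for key, value in keywords:
                effective.setdefault(key, value)
    return effective

def sshd_user_permitted(addr, blocks):
    """DenyUsers is evaluated before AllowUsers, so 'DenyUsers *' rejects everyone."""
    return sshd_effective(addr, blocks).get("DenyUsers") != "*"
```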
