libwrap is going away, so can this.

ok tedu

23 files changed, 2 insertions, 3879 deletions

diff --git a/libexec/Makefile b/libexec/Makefile
index 65fcacf7b90..cd92fca2f17 100644
--- a/libexec/Makefile
+++ b/libexec/Makefile
@@ -1,5 +1,5 @@
 #	from: @(#)Makefile	5.7 (Berkeley) 4/1/91
-#	$OpenBSD: Makefile,v 1.56 2014/03/17 19:50:38 tedu Exp $
+#	$OpenBSD: Makefile,v 1.57 2014/03/24 13:55:59 deraadt Exp $
 
 .include <bsd.own.mk>
 
@@ -7,8 +7,7 @@ SUBDIR= comsat fingerd ftpd getty ld.so lockspool login_chpass \
 	login_lchpass login_passwd login_radius login_reject \
 	login_skey login_tis login_token login_yubikey mail.local \
 	makewhatis rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld \
-	rshd security spamd spamd-setup spamlogd talkd \
-	tcpd
+	rshd security spamd spamd-setup spamlogd talkd
 
 .if (${YP:L} == "yes")
 SUBDIR+=rpc.yppasswdd
diff --git a/libexec/tcpd/BLURB b/libexec/tcpd/BLURB
deleted file mode 100644
index 8d82fa7826f..00000000000
--- a/libexec/tcpd/BLURB
+++ /dev/null
@@ -1,37 +0,0 @@
-$OpenBSD: BLURB,v 1.2 1997/06/01 05:21:39 downsj Exp $
-@(#) BLURB 1.28 97/03/21 19:27:18
-
-With this package you can monitor and filter incoming requests for the
-SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
-network services.
-
-The package provides tiny daemon wrapper programs that can be installed
-without any changes to existing software or to existing configuration
-files.  The wrappers report the name of the client host and of the
-requested service; the wrappers do not exchange information with the
-client or server applications, and impose no overhead on the actual
-conversation between the client and server applications.
-
-This patch upgrades the tcp wrappers version 7.5 source code to
-version 7.6.  The source-routing protection in version 7.5 was not
-as strong as it could be. And all this effort was not needed with
-modern UNIX systems that can already stop source-routed traffic in
-the kernel. Examples are 4.4BSD derivatives, Solaris 2.x, and Linux.
-
-This release does not introduce new features. Do not bother applying
-this patch when you built your version 7.x tcp wrapper without
-enabling the KILL_IP_OPTIONS compiler switch; when you can disable
-IP source routing options in the kernel; when you run a UNIX version
-that pre-dates 4.4BSD, such as SunOS 4. Such systems are unable to
-receive source-routed connections and are therefore not vulnerable
-to IP spoofing attacks with source-routed TCP connections.
-
-A complete change log is given in the CHANGES document.  As always,
-problem reports and suggestions for improvement are welcome.
-
-	Wietse Venema (wietse@wzv.win.tue.nl),
-	Department of Mathematics and Computing Science,
-	Eindhoven University of Technology,
-	The Netherlands.
-
-	Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.
diff --git a/libexec/tcpd/CHANGES b/libexec/tcpd/CHANGES
deleted file mode 100644
index aa23b243f62..00000000000
--- a/libexec/tcpd/CHANGES
+++ /dev/null
@@ -1,453 +0,0 @@
-$OpenBSD: CHANGES,v 1.2 1997/06/01 05:21:39 downsj Exp $
-
-Request: after building the programs, please run the `tcpdchk' wrapper
-configuration checker. See the `tcpdchk.8' manual page (`nroff -man'
-format) for instructions. `tcpdchk' automatically identifies the most
-common configuration problems, and will save you and me a lot of time.
-
-Changes per release 7.6 (Mar 1997)
-==================================
-
-- Improved the anti source-routing protection. The code in version
-7.5 was not as strong as it could be, because I tried to be compatible
-with Linux. That was a mistake. Sorry for the inconvenience.
-
-- The program no longer terminates case of a source-routed connection,
-making the IP-spoofing code more usable for long-running daemons.
-
-- When syslogging DNS hostname problems, always stop after a limited
-number of characters.
-
-Changes per release 7.5 (Feb 1997)
-==================================
-
-- Optionally refuse source-routed TCP connections requests altogether.
-Credits to Niels Provos of Universitaet Hamburg.  File: fix_options.c.
-
-- Support for IRIX 6 (Lael Tucker).
-
-- Support for Amdahl UTS 2.1.5 (Richard E. Richmond).
-
-- Support for SINIX 5.42 (Klaus Nielsen).
-
-- SCO 5 now has vsyslog() (Bill Golden).
-
-- Hints and tips for dealing with IRIX inetd (Niko Makila, Aaron
-M Lee).
-
-- Support for BSD/OS (Paul Borman).
-
-- Support for Tandem (Emad Qawas).
-
-- Support for ISC (Frederick B. Cohen).
-
-- Workaround for UNICOS - it would choke on a setjmp() expression
-(Bruce Kelly). File: hosts_access.c, tcpdchk.c.
-
-- Increased the level of buffer overflow paranoia when printing
-unwanted IP options.  File: fix_options.c.
-
-Changes per release 7.4 (Mar 1996)
-==================================
-
-- IRIX 5.3 (and possibly, earlier releases, too) library routines call
-the non-reentrant strtok() routine. The result is that hosts may slip
-through allow/deny filters. Workaround is to not rely on the vendor's
-strtok() routine (#ifdef LIBC_CALLS_STRTOK). Credits to Th. Eifert
-(Aachen University) for spotting this one. This fix supersedes the
-earlier workaround for a similar problem in FreeBSD 2.0.
-
-Changes per release 7.3 (Feb 1996)
-==================================
-
-- More tests added to tcpdchk and tcpdmatch: make sure that the
-REAL_DAEMON_DIR actually is a directory and not a regular file;
-detect if tcpd recursively calls itself.
-
-- Edwin Kremer found an amusing fencepost error in the xgets()
-routine: lines longer than BUFLEN characters would be garbled.
-
-- The access control routines now refuse to execute "dangerous" actions
-such as `twist' when they are called from within a resident process.
-This prevents you from shooting yourself into the foot with critical
-systems programs such as, e.g., portmap or rpcbind.
-
-- Support for Unicos 8.x (Bruce Kelly). The program now closes the
-syslog client socket before running the real daemon: Cray UNICOS
-refuses to checkpoint processes with open network ports.
-
-- Support for MachTen UNIX (Albert M.C Tam).
-
-- Support for Interactive UNIX R3.2 V4.0 (Bobby D. Wright).
-
-- Support for SCO 3.2v5.0.0 OpenServer 5 (bob@odt.handy.com)
-
-- Support for Unixware 1.x and Unixware 2.x.  The old Unixware Makefile
-rule was broken. Sorry about that.
-
-- Some FreeBSD 2.0 libc routines call strtok() and severely mess up the
-allow/deny rule processing. This is very bad. Workaround:  call our own
-strtok() clone (#ifdef USE_STRSEP).
-
-- The programs now log a warning when they detect that a non-existent
-banner directory is specified.
-
-- The hosts_access.3 manual page used obsolete names for the RQ_*
-constants.
-
-Changes per release 7.2 (Jan 1995)
-==================================
-
-- Added a note to the README and manpages on using the IDENT service to
-detect sequence number spoofing and other host impersonation attacks.
-
-- Portability: ConvexOS puts RPC version numbers before the daemon path
-name (Jukka Ukkonen).
-
-- Portability: the AIX compiler disliked the strchr() declaration
-in socket.c.  I should have removed it when I included <string.h>.
-
-- Backwards compatibility: some people relied on the old leading dot or
-trailing dot magic in daemon process names.
-
-- Backwards compatibility: hostname lookup remains enabled when
--DPARANOID is turned off. In order to disable hostname lookups you
-must turn off -DALWAYS_HOSTNAME.
-
-- Eliminated false complaints from the tcpdmatch/tcpdchk configuration
-checking programs about process names not in inetd.conf or about KNOWN
-username patterns.
-
-Changes per release 7.1 (Jan 1995)
-==================================
-
-- Portability: HP-UX permits you to break inetd.conf entries with
-backslash-newline.
-
-- Portability: EP/IX has no putenv() and some inetd.conf entries are
-spread out over two lines.
-
-- Portability: SCO with NIS support has no *netgrent() routines.
-
-Changes per release 7.0 (Jan 1995) 
-==================================
-
-- Added a last-minute workaround for a Solaris 2.4 gethostbyname()
-foulup with multi-homed hosts in DNS through NIS mode.
-
-- Added a last-minute defense against TLI weirdness: address lookups
-apparently succeed but the result netbuf is empty (ticlts transport).
-
-- Dropped several new solutions that were in need of a problem. Beta
-testers may recognize what new features were kicked out during the last
-weeks before release 7.0 came out. Such is life.
-
-- Got rid of out the environment replacement routines, at least for
-most architectures. One should not have to replace working system
-software when all that is needed is a 4.4BSD setenv() emulator.
-
-- By popular request I have added an option to send banner messages to
-clients. There is a Banners.Makefile that gives some aid for sites that
-are going to use this feature. John C. Wingenbach did some pioneering
-work here. I used to think that banners are frivolous. Now that I had
-a personal need for them I know that banners can be useful.
-
-- At last: an extensible functional interface to the pattern matching
-engine. request_init() and request_set() accept a variable-length
-name-value argument list.  The result can be passed to hosts_access().
-
-- When PARANOID mode is disabled (compile time), the wrapper does no
-hostname lookup or hostname double checks unless required by %letter
-expansions, or by access control rules that match host names.  This is
-useful for sites that don't care about internet hostnames anyway.
-Inspired by the authors of the firewalls and internet security book.
-
-- When PARANOID mode is disabled (compile time), hosts with a name/name
-or name/address conflict can be matched with the PARANOID host wildcard
-pattern, so that you can take some intelligent action instead of just
-dropping clients. Like showing a banner that explains the problem.
-
-- New percent escapes: %A expands to the server address; %H expands to
-the corresponding hostname (or address if no name is available); %n and
-%N expand to the client and server hostname (or "unknown"); %s expands
-to everything we know about the server endpoint (the opposite of the %c
-sequence for client information).
-
-- Symmetry: server and client host information is now treated on equal
-footing, so that we can reuse a lot of code.
-
-- Lazy evaluation of host names, host addresses, usernames, and so on,
-to avoid doing unnecessary work.
-
-- Dropping #ifdefs for some archaic systems made the code simpler.
-
-- Dropping the FAIL pattern made the pattern matcher much simpler.  Run
-the "tcpdchk" program to scan your access control files for any uses of
-this obscure language feature.
-
-- Moving host-specific pattern matching from string_match() to the
-host_match() routine made the code more accurate.  Run the "tcpdchk"
-program to scan your access control files for any dependencies on
-undocumented or obscure language features that are gone.
-
-- daemon@host patterns trigger on clients that connect to a specific
-internet address.  This can be useful for service providers that offer
-multiple ftp or www archives on different internet addresses, all
-belonging to one and the same host (www.foo.com, ftp.bar.com, you get
-the idea).  Inspired by a discussion with Rop Gonggrijp, Cor Bosman,
-and Casper Dik, and earlier discussions with Adrian van Bloois.
-
-- The new "tcpdchk" program critcizes all your access control rules and
-inetd.conf entries. Great for spotting obscure bugs in my own hosts.xxx
-files. This program also detects hosts with name/address conflicts and
-with other DNS-related problems. See the "tcpdchk.8" manual page.
-
-- The "tcpdmatch" program replaces the poor old "try" command. The new
-program looks in your inetd.conf file and therefore produces much more
-accurate predictions. In addition, it detects hosts with name/address
-conflicts and with other DNS-related problems. See the "tcpdmatch.8"
-manual page.  The inetd.conf lookup was suggested by Everett F Batey.
-
-- In the access control tables, the `=' between option name and value
-is no longer required.
-
-- Added 60-second timeout to the safe_finger command, to cover another
-potential problem. Suggested by Peter Wemm.
-
-- Andrew Maffei provided code that works with WIN-TCP on NCR System V.4
-UNIX. It reportedly works with versions 02.02.01 and 02.03.00. The code
-pops off all streams modules above the device driver, pushes the timod
-module to get at the peer address, and then restores the streams stack
-to the initial state.
-
-Changes per release 6.3 (Mar 1994)
-==================================
-
-- Keepalives option, to get rid of stuck daemons when people turn off
-their PC while still connected. Files: options.c, hosts_options.5.
-
-- Nice option, to calm down network daemons that take away too much CPU
-time. Files: options.c, hosts_options.5.
-
-- Ultrix perversion: the environ global pointer may be null. The
-environment replacement routines now check for this. File: environ.c.
-
-- Fixed a few places that still assumed the socket is on standard
-input. Fixed some error messages that did not provide access control
-file name and line number.  File: options.c.
-
-- Just when I was going to release 6.2 I received code for Dynix/PTX.
-That code is specific to PTX 2.x, so I'll keep around my generic
-PTX code just in case. The difference is in the handling of UDP
-services.  Files:  tli_sequent.[hc].
-
-Changes per release 6.2 (Feb 1994)
-==================================
-
-- Resurrected my year-old code to reduce DNS load by appending a dot to
-the gethostbyname() argument. This feature is still experimental and it
-may go away if it causes more problems than it solves. File: socket.c.
-
-- Auxiliary code for the Pyramid, BSD universe. Karl Vogel figured out
-what was missing: yp_get_default_domain() and vfprintf(). Files:
-workarounds.c, vfprintf.c.
-
-- Improved support for Dynix/PTX. The wrapper should now be able to
-deal with all TLI over IP services. File: ptx.c.
-
-- The try command now uses the hostname that gethostbyaddr() would
-return, instead of the hostname returned by gethostbyname(). This can
-be significant on systems with NIS that have short host names in the
-hosts map. For example, gethostbyname("wzv.win.tue.nl") returns
-"wzv.win.tue.nl"; gethostbyaddr(131.155.210.17) returns "wzv", and
-that is what we should test with. File: try.c.
-
-Changes per release 6.1 (Dec 1993)
-==================================
-
-- Re-implemented all environment access routines. Most systems have
-putenv() but no setenv(), some systems have setenv() but no putenv(),
-and there are even systems that have neither setenv() nor putenv(). The
-benefit of all this is that more systems can now be treated in the same
-way. File:  environ.c.
-
-- Workaround for a weird problem with DG/UX when the wrapper is run as
-nobody (i.e. fingerd). For some reason the ioctl(fd, I_FIND, "sockmod")
-call fails even with socket-based applications. The "fix" is to always
-assume sockets when the ioctl(fd, I_FIND, "timod") call fails. File:
-fromhost.c. Thanks to Paul de Vries (vries@dutentb.et.tudelft.nl) for
-helping me to figure out this one.
-
-- Implemented a workaround for Dynix/PTX and other systems with TLI
-that lack some essential support routines. Thanks to Bugs Brouillard
-(brouill@hsuseq.humboldt.edu) for the hospitality to try things out.
-The trick is to temporarily switch to the socket API to identify the
-client, and to switch back to TLI when done.  It still does not work
-right for basic network services such as telnet. File: fromhost.c.
-
-- Easy-to-build procedures for SCO UNIX, ConvexOS with UltraNet, EP/IX,
-Dynix 3.2, Dynix/PTX. File: Makefile.
-
-- Variable rfc931 timeout. Files: rfc931.c, options.c, log_tcp.h, try.c.
-
-- Further simplification of the rfc931 code. File: rfc931.c.
-
-- The fromhost() interface stinks: I cannot change that, but at least
-the from_sock() and from_tli() functions now accept a file descriptor
-argument.
-
-- Fixed a buglet: fromhost() would pass a garbage file descriptor to
-the isastream() call.
-
-- On some systems the finger client program lives in /usr/bsd. File:
-safe_finger.c.
-
-Changes per release 6.0 (Sept 1993)
-===================================
-
-- Easy build procedures for common platforms (sun, ultrix, aix, hpux
-and others).
-
-- TLI support, System V.4 style (Solaris, DG/UX).
-
-- Username lookup integrated with the access control language.
-Selective username lookups are now the default (was: no username
-lookups).
-
-- A safer finger command for booby traps. This one solves a host of
-possible problems with automatic reverse fingers. Thanks, Borja Marcos
-(borjam@we.lc.ehu.es) for some inspiring discussions.
-
-- KNOWN pattern that matches hosts whose name and address are known.
-
-- Cleanup of diagnostics. Errors in access-control files are now shown
-with file name and line number.
-
-- With AIX 3.2, hostnames longer than 32 would be truncated.  This
-caused hostname verification failures, so that service would be refused
-when paranoid mode was enabled.  Found by:  Adrian van Bloois
-(A.vanBloois@info.nic.surfnet.nl).
-
-- With some IRIX versions, remote username lookups failed because the
-fgets() library function does not handle partial read()s from sockets.
-Found by:  Daniel O'Callaghan (danny@austin.unimelb.edu.au).
-
-- Added a DISCLAIMER document to help you satisfy legal departments.
-
-The extension language module has undergone major revisions and
-extensions.  Thanks, John P. Rouillard (rouilj@ra.cs.umb.edu) for
-discussions, experiments, and for being a good guinea pig. The
-extensions are documented in hosts_options.5, and are enabled by
-editing the Makefile STYLE macro definition.
-
-- (Extension language) The ":" separator may now occur within options
-as long as it is protected with a backslash. A warning is issued when
-a rule ends on ":".
-
-- (Extension language) Better verification mode. When the `try' command
-is run, each option function now explains what it would do.
-
-- (Extension language) New "allow" and "deny" keywords so you can now
-have all rules within a single file. See "nroff -man hosts_options.5"
-for examples.
-
-- (Extension language) "linger" keyword to set the socket linger time
-(SO_LINGER). From:  Marc Boucher <marc@cam.org>.
-
-- (Extension language) "severity" keyword to turn the logging noise up
-or down. Many sites wanted a means to shut up the program; other sites
-wanted to emphasize specific events.  Adapted from code contributed
-by Dave Mitchell <D.Mitchell@dcs.shef.ac.uk>.
-
-Changes per release 5.1 (Mar 1993)
-==================================
-
-- The additional protection against source-routing attacks from hosts
-that pretend to have someone elses network address has become optional
-because it causes kernel panics with SunOS <= 4.1.3.
-
-Changes per release 5.0 (Mar 1993)
-==================================
-
-- Additional protection against source-routing attacks from hosts that
-pretend to have someone elses network address. For example, the address
-of a trusted host within your own network.
-
-- The access control language has been extended with a simple but
-powerful operator that greatly simplifies the design of rule sets (ALL:
-.foo.edu EXCEPT dialup.foo.edu). Blank lines are permitted, and long
-lines can be continued with backslash-newline.
-
-- All configurable stuff, including path names, has been moved into the
-Makefile so that you no longer have to hack source code to just
-configure the programs.
-
-- Ported to Solaris 2. TLI-based applications not yet supported.
-Several workarounds for System V bugs.
-
-- A small loophole in the netgroup lookup code was closed, and the
-remote username lookup code was made more portable.
-
-- Still more documentation. The README file now provides tutorial
-sections with introductions to client, server, inetd and syslogd.
-
-Changes per release 4.3 (Aug 1992) 
-==================================
-
-- Some sites reported that connections would be rejected because
-localhost != localhost.domain. The host name checking code now
-special-cases localhost (problem reported by several sites).
-
-- The programs now report an error if an existing access control file
-cannot be opened (e.g. due to lack of privileges).  Until now, the
-programs would just pretend that the access control file does not exist
-(reported by Darren Reed, avalon@coombs.anu.edu.au).
-
-- The timeout period for remote userid lookups was upped to 30 seconds,
-in order to cope with slow hosts or networks.  If this is too long for
-you, adjust the TIMEOUT definition in file rfc931.c (problem reported
-by several sites).
-
-- On hosts with more than one IP network interface, remote userid
-lookups could use the IP address of the "wrong" local interface.  The
-problem and its solution were discussed on the rfc931-users mailing
-list.  Scott Schwartz (schwartz@cs.psu.edu) folded the fix into the
-rfc931.c module.
-
-- The result of % expansion (in shell commands) is now checked for
-stuff that may confuse the shell; it is replaced by underscores
-(problem reported by Icarus Sparry, I.Sparry@gdr.bath.ac.uk).
-
-- A portability problem was fixed that caused compile-time problems
-on a CRAY (problem reported by Michael Barnett, mikeb@rmit.edu.au).
-
-Changes per release 4.0 (Jun 1992)
-==================================
-
-1 - network daemons no longer have to live within a common directory
-2 - the access control code now uses both the host address and name
-3 - an access control pattern that supports netmasks
-4 - additional protection against forged host names
-5 - a pattern that matches hosts whose name or address lookup fails
-6 - an operator that prevents hosts or services from being matched
-7 - optional remote username lookup with the RFC 931 protocol
-8 - an optional umask to prevent the creation of world-writable files
-9 - hooks for access control language extensions
-10 - last but not least, thoroughly revised documentation.
-
-Changes per release 3.0 (Oct 1991)
-==================================
-
-Enhancements over the previous release are: support for datagram (UDP
-and RPC) services, and execution of shell commands when a (remote host,
-requested service) pair matches a pattern in the access control tables.
-
-Changes per release 2.0 (May 1991)
-==================================
-
-Enhancements over the previous release are: protection against rlogin
-and rsh attacks through compromised domain name servers, optional
-netgroup support for systems with NIS (formerly YP), and an extension
-of the wild card patterns supported by the access control files.
-
-Release 1.0 (Jan 1991)
diff --git a/libexec/tcpd/DISCLAIMER b/libexec/tcpd/DISCLAIMER
deleted file mode 100644
index 6b438fa4c13..00000000000
--- a/libexec/tcpd/DISCLAIMER
+++ /dev/null
@@ -1,18 +0,0 @@
-$OpenBSD: DISCLAIMER,v 1.2 2001/06/01 23:28:36 deraadt Exp $
-
-/************************************************************************
-* Copyright 1995 by Wietse Venema.  All rights reserved.  Some individual
-* files may be covered by other copyrights.
-*
-* This material was originally written and compiled by Wietse Venema at
-* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
-* 1992, 1993, 1994 and 1995.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that this entire copyright notice
-* is duplicated in all such copies.
-*
-* This software is provided "as is" and without any expressed or implied
-* warranties, including, without limitation, the implied warranties of
-* merchantibility and fitness for any particular purpose.
-************************************************************************/
diff --git a/libexec/tcpd/Makefile b/libexec/tcpd/Makefile
deleted file mode 100644
index 74d92bad090..00000000000
--- a/libexec/tcpd/Makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-#	$OpenBSD: Makefile,v 1.2 2002/09/05 00:08:16 deraadt Exp $
-
-SUBDIR=	tcpd tcpdchk tcpdmatch
-
-.include <bsd.subdir.mk>
diff --git a/libexec/tcpd/Makefile.inc b/libexec/tcpd/Makefile.inc
deleted file mode 100644
index 8a62a4b245e..00000000000
--- a/libexec/tcpd/Makefile.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-#	$OpenBSD: Makefile.inc,v 1.3 2000/10/14 00:56:14 itojun Exp $
-
-# Configuration options for libwrap.  Keep in sync with libwrap/Makefile.
-CFLAGS+=-DPROCESS_OPTIONS -DFACILITY=LOG_AUTH -DSEVERITY=LOG_INFO \
-	-DRFC931_TIMEOUT=10 -DHOSTS_ACCESS -DALWAYS_HOSTNAME \
-	-DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" \
-	-DNETGROUP -DSYS_ERRLIST_DEFINED -DREAL_DAEMON_DIR=\"/usr/libexec\" \
-	-D_TCPD_PRIVATE
-CFLAGS+=-DINET6
-
-.include "../Makefile.inc"
diff --git a/libexec/tcpd/README b/libexec/tcpd/README
deleted file mode 100644
index 6e89e097d25..00000000000
--- a/libexec/tcpd/README
+++ /dev/null
@@ -1,1039 +0,0 @@
-$OpenBSD: README,v 1.4 2003/03/18 13:05:24 david Exp $
-@(#) README 1.30 97/03/21 19:27:21
-
-This is the 7.6 version of the TCP/IP daemon wrapper package.
-
-Thank you for using this program. If you like it, send me a postcard.
-My postal address is at the bottom of this file.
-
-Read the BLURB file for a brief summary of what is new. The CHANGES
-file gives a complete account of differences with respect to previous
-releases.
-
-Announcements of new releases of this software are posted to Usenet
-(comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
-and to a dedicated mailing list.  You can subscribe to the dedicated
-mailing list by sending an email message to majordomo@wzv.win.tue.nl
-with in the body (not subject):	 subscribe tcp-wrappers-announce.
-
-Table of contents
------------------
-
-    1 - Introduction
-    2 - Disclaimer
-    3 - Tutorials
-		3.1 - How it works
-		3.2 - Where the logging information goes
-    4 - Features
-		4.1 - Access control
-		4.2 - Host name spoofing
-		4.3 - Host address spoofing
-		4.4 - Client username lookups
-		4.5 - Language extensions
-		4.6 - Multiple ftp/gopher/www archives on one host
-		4.7 - Banner messages
-		4.8 - Sequence number guessing
-    5 - Other works
-		5.1 - Related documents
-		5.2 - Related software
-    6 - Limitations
-		6.1 - Known wrapper limitations
-		6.2 - Known system software bugs
-    7 - Configuration and installation
-		7.1 - Easy configuration and installation
-		7.2 - Advanced configuration and installation
-		7.3 - Daemons with arbitrary path names
-		7.4 - Building and testing the access control rules
-		7.5 - Other applications
-    8 - Acknowledgements
-
-1 - Introduction
-----------------
-
-With this package you can monitor and filter incoming requests for the
-SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
-network services.
-
-It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise
-yourself lucky if you don't know what that means.
-
-The package provides tiny daemon wrapper programs that can be installed
-without any changes to existing software or to existing configuration
-files.	The wrappers report the name of the client host and of the
-requested service; the wrappers do not exchange information with the
-client or server applications, and impose no overhead on the actual
-conversation between the client and server applications.
-
-Optional features are: access control to restrict what systems can
-connect to what network daemons; client user name lookups with the RFC
-931 etc. protocol; additional protection against hosts that pretend to
-have someone elses host name; additional protection against hosts that
-pretend to have someone elses host address.
-
-The programs are very portable. Build procedures are provided for many
-common (and not so common) environments, and guidelines are provided in
-case your environment is not among them.
-
-Requirements are that network daemons are spawned by a super server
-such as the inetd; a 4.3BSD-style socket programming interface and/or
-System V.4-style TLI programming interface; and the availability of a
-syslog(3) library and of a syslogd(8) daemon.  The wrappers should run
-without modification on any system that satisfies these requirements.
-Workarounds have been implemented for several common bugs in systems
-software.
-
-What to do if this is your first encounter with the wrapper programs:
-1) read the tutorial sections for an introduction to the relevant
-concepts and terminology; 2) glance over the security feature sections
-in this document; 3) follow the installation instructions (easy or
-advanced). I recommend that you first use the default security feature
-settings.  Run the wrappers for a few days to become familiar with
-their logs, before doing anything drastic such as cutting off access or
-installing booby traps.
-
-2 - Disclaimer
---------------
-
-The wrapper programs rely on source address information obtained from
-network packets. This information is provided by the client host. It is
-not 100 percent reliable, although the wrappers do their best to expose
-forgeries.
-
-In the absence of cryptographic protection of message contents, and of
-cryptographic authentication of message originators, all data from the
-network should be treated with sound scepticism.
-
-THIS RESTRICTION IS BY NO MEANS SPECIFIC TO THE TCP/IP PROTOCOLS.
-
-3 - Tutorials
--------------
-
-The tutorial sections give a gentle introduction to the operation of
-the wrapper programs, and introduce some of the terminology that is
-used in the remainder of the document: client, server, the inetd and
-syslogd daemons, and their configuration files.
-
-3.1 - How it works
-------------------
-
-Almost every application of the TCP/IP protocols is based on a client-
-server model. For example, when a user invokes the telnet command to
-connect to one of your systems, a telnet server process is executed on
-the target host. The telnet server process connects the user to a login
-process. A few examples of client and server programs are shown in the
-table below:
-
-	      client   server	 application
-	      --------------------------------
-	      telnet   telnetd	 remote login
-	      ftp      ftpd	 file transfer
-	      finger   fingerd	 show users
-
-The usual approach is to run one single daemon process that waits for
-all kinds of incoming network connections. Whenever a connection is
-established, this daemon (usually called inetd) runs the appropriate
-server program and goes back to sleep, waiting for other connections.
-
-The wrapper programs rely on a simple, but powerful mechanism.	Instead
-of directly running the desired server program, the inetd is tricked
-into running a small wrapper program. The wrapper logs the client host
-name or address and performs some additional checks.  When all is well,
-the wrapper executes the desired server program and goes away.
-
-The wrapper programs have no interaction with the client user (or with
-the client process).  Nor do the wrappers interact with the server
-application. This has two major advantages: 1) the wrappers are
-application-independent, so that the same program can protect many
-kinds of network services; 2) no interaction also means that the
-wrappers are invisible from outside (at least for authorized users).
-
-Another important property is that the wrapper programs are active only
-when the initial contact between client and server is established. Once
-a wrapper has done its work there is no overhead on the client-server
-conversation.
-
-The simple mechanism has one major drawback: the wrappers go away after
-the initial contact between client and server processes, so the
-wrappers are of little use with network daemons that service more than
-one client.  The wrappers would only see the first client attempt to
-contact such a server. The NFS mount daemon is a typical example of a
-daemon that services requests from multiple clients. See the section on
-related software for ways to deal with such server programs.
-
-There are two ways to use the wrapper programs:
-
-1) The easy way: move network daemons to some other directory and fill
-   the resulting holes with copies of the wrapper programs.  This
-   approach involves no changes to system configuration files, so there
-   is very little risk of breaking things.
-
-2) The advanced way: leave the network daemons alone and modify the
-   inetd configuration file.  For example, an entry such as:
-
-     tftp  dgram  udp  wait  root  /usr/etc/tcpd  in.tftpd -s /tftpboot
-
-   When a tftp request arrives, inetd will run the wrapper program
-   (tcpd) with a process name `in.tftpd'.  This is the name that the
-   wrapper will use when logging the request and when scanning the
-   optional access control tables.  `in.tftpd' is also the name of the
-   server program that the wrapper will attempt to run when all is
-   well.  Any arguments (`-s /tftpboot' in this particular example) are
-   transparently passed on to the server program.
-
-For an account of the history of the wrapper programs, with real-life
-examples, see the section below on related documents.
-
-3.2 - Where the logging information goes
-----------------------------------------
-
-The wrapper programs send their logging information to the syslog
-daemon (syslogd). The disposition of the wrapper logs is determined by
-the syslog configuration file (usually /etc/syslog.conf). Messages are
-written to files, to the console, or are forwarded to a @loghost. Some
-syslogd versions can even forward messages down a |pipeline.
-
-Older syslog implementations (still found on Ultrix systems) only
-support priority levels ranging from 9 (debug-level messages) to 0
-(alerts). All logging information of the specified priority level or
-more urgent is written to the same destination.	 In the syslog.conf
-file, priority levels are specified in numerical form.	For example,
-
-    8/usr/spool/mqueue/syslog
-
-causes all messages with priority 8 (informational messages), and
-anything that is more urgent, to be appended to the file
-/usr/spool/mqueue/syslog.
-
-Newer syslog implementations support message classes in addition to
-priority levels.  Examples of message classes are: mail, daemon, auth
-and news. In the syslog.conf file, priority levels are specified with
-symbolic names: debug, info, notice, ..., emerg. For example,
-
-    mail.debug			/var/log/syslog
-
-causes all messages of class mail with priority debug (or more urgent)
-to be appended to the /var/log/syslog file.
-
-By default, the wrapper logs go to the same place as the transaction
-logs of the sendmail daemon. The disposition can be changed by editing
-the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
-syslogd after changing its configuration file. Remember that syslogd,
-just like sendmail, insists on one or more TABs between the left-hand
-side and the right-hand side expressions in its configuration file.
-
-Solaris 2.x note: the syslog daemon depends on the m4 macro processor.
-The m4 program is installed as part of the software developer packages.
-
-Trouble shooting note: when the syslogging does not work as expected,
-run the program by hand (`syslogd -d') and see what really happens.
-
-4 - Features
-------------
-
-4.1 - Access control
---------------------
-
-When compiled with -DHOSTS_ACCESS, the wrapper programs support a
-simple form of access control.	Access can be controlled per host, per
-service, or combinations thereof. The software provides hooks for the
-execution of shell commands when an access control rule fires; this
-feature may be used to install "booby traps".  For details, see the
-hosts_access.5 manual page, which is in `nroff -man' format. A later
-section describes how you can test your access control rules.
-
-Access control can also be used to connect clients to the "right"
-service. What is right may depend on the requested service, the origin
-of the request, and what host address the client connects to. Examples:
-
-(1) A gopher or www database speaks native language when contacted from
-    within the country, otherwise it speaks English.
-
-(2) A service provider offers different ftp, gopher or www services
-    with different internet hostnames from one host (section 4.6).
-
-Access control is enabled by default. It can be turned off by editing
-the Makefile, or by providing no access control tables. The install
-instructions below describe the Makefile editing process.
-
-The hosts_options.5 manual page (`nroff -man' format) documents an
-extended version of the access control language. The extensions are
-disabled by default. See the section below on language extensions.
-
-Later System V implementations provide the Transport Level Interface
-(TLI), a network programming interface that performs functions similar
-to the Berkeley socket programming interface.  Like Berkeley sockets,
-TLI was designed to cover multiple protocols, not just Internet.
-
-When the wrapper discovers that the TLI interface sits on top of a
-TCP/IP or UDP/IP conversation it uses this knowledge to provide the
-same functions as with traditional socket-based applications.  When
-some other protocol is used underneath TLI, the host address will be
-some universal magic cookie that may not even be usable for access
-control purposes.
-
-4.2 - Host name spoofing
-------------------------
-
-With some network applications, such as RSH or RLOGIN, the client host
-name plays an important role in the authentication process. Host name
-information can be reliable when lookups are done from a _local_ hosts
-table, provided that the client IP address can be trusted.
-
-With _distributed_ name services, authentication schemes that rely on
-host names become more problematic. The security of your system now may
-depend on some far-away DNS (domain name server) outside your own
-control. 
-
-The wrapper programs verify the client host name that is returned by
-the address->name DNS server, by asking for a second opinion.  To this
-end, the programs look at the name and addresses that are returned by
-the name->address DNS server, which may be an entirely different host. 
-
-If any name or address discrepancies are found, or if the second DNS
-opinion is not available, the wrappers assume that one of the two name
-servers is lying, and assume that the client host pretends to have
-someone elses host name.
-
-When compiled with -DPARANOID, the wrappers will always attempt to look
-up and double check the client host name, and will always refuse
-service in case of a host name/address discrepancy.  This is a
-reasonable policy for most systems.
-
-When compiled without -DPARANOID, the wrappers by default still perform
-hostname lookup. You can match hosts with a name/address discrepancy
-with the PARANOID wildcard and decide whether or not to grant service.
-
-Automatic hostname verification is enabled by default. Automatic
-hostname lookups and verification can be turned off by editing the
-Makefile. The configuration and installation section below describes
-the Makefile editing process.
-
-4.3 - Host address spoofing
----------------------------
-
-While host name spoofing can be found out by asking a second opinion,
-it is much harder to find out that a host claims to have someone elses
-network address. And since host names are deduced from network
-addresses, address spoofing is at least as effective as name spoofing.
-
-The wrapper programs can give additional protection against hosts that
-claim to have an address that lies outside their own network.  For
-example, some far-away host that claims to be a trusted host within
-your own network. Such things are possible even while the impersonated
-system is up and running.
-
-This additional protection is not an invention of my own; it has been
-present for at least five years in the BSD rsh and rlogin daemons.
-Unfortunately, that feature was added *after* 4.3 BSD came out, so that
-very few, if any, UNIX vendors have adopted it.	 Our site, and many
-other ones, has been running these enhanced daemons for several years,
-and without any ill effects.
-
-When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
-programs refuse to service TCP connections with IP source routing
-options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
-that can stop source-routed traffic in the kernel. Examples are
-4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
-for details.
-
-If you are going to use this feature on SunOS 4.1.x you should apply
-patch 100804-03+ or 101790-something depending on your SunOS version.
-Otherwise you may experience "BAD TRAP" and "Data fault" panics when
-the getsockopt() system call is executed after a TCP RESET has been
-received. This is a kernel bug, it is not the fault of the wrappers.
-
-The feature is disabled by default. It can be turned on by editing the
-Makefile.  The configuration and installation section below describes
-the Makefile editing process.
-
-UDP services do not benefit from this additional protection. With UDP,
-all you can be certain of is the network packet's destination address.
-
-4.4 - Client username lookups
------------------------------
-
-The protocol proposed in RFC 931 provides a means to obtain the client
-user name from the client host.	 The requirement is that the client
-host runs an RFC 931-compliant daemon. The information provided by such
-a daemon is not intended to be used for authentication purposes, but it
-can provide additional information about the owner of a TCP connection.
-
-The RFC 931 protocol has diverged into different directions (IDENT,
-TAP, RFC 1413). To add to the confusion, they all use the same network
-port.  The daemon wrappers implement a common subset of the protocols.
-
-There are some limitations: the number of hosts that run an RFC 931 (or
-compatible) daemon is limited (but growing); client user name lookups
-do not work for datagram (UDP) services. More seriously, client user
-name lookups can cause noticeable delays with connections from non-UNIX
-PCs. Recent PC software seem to have fixed this (for example NCSA
-telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
-accommodate slow networks and slow hosts.
-
-By default, the wrappers will do username lookup only when the access
-control rules require them to do so (via user@host client patterns, see
-the hosts_access.5 manual page) or when the username is needed for
-%<letter> expansions.
-
-You can configure the wrappers to always perform client username
-lookups, by editing the Makefile.  The client username lookup timeout
-period (10 seconds default) can be changed by editing the Makefile. The
-installation sections below describe the Makefile editing process.
-
-On System V with TLI-based network services, client username lookups
-will be possible only when the underlying network protocol is TCP/IP.
-
-4.5 - Language extensions
--------------------------
-
-The wrappers sport only a limited number of features. This is for a
-good reason: programs that run at high privilege levels must be easy to
-verify. And the smaller a program, the easier to verify. There is,
-however, a provision to add features.
-
-The options.c module provides a framework for language extensions.
-Quite a few extensions have already been implemented; they are
-documented in the hosts_options.5 document, which is in `nroff -man'
-format. Examples: changing the severity level at which a request for
-service is logged; "allow" and "deny" keywords; running a customized
-server instead of the standard one; many others.
-
-The language extensions are not enabled by default because they
-introduce an incompatible change to the access control language
-syntax.	 Instructions to enable the extensions are given in the
-Makefile.
-
-4.6 - Multiple ftp/gopher/www archives on one host
---------------------------------------------------
-
-Imagine one host with multiple internet addresses. These addresses do
-not need to have the same internet hostname. Thus, it is possible to
-offer services with different internet hostnames from just one host.
-
-Service providers can use this to offer organizations a presence on the
-"net" with their own internet hostname, even when those organizations
-aren't connected to the Internet at all.  To the end user it makes no
-difference, because applications use internet hostnames.
-
-There are several ways to assign multiple addresses to one machine.
-The nice way is to take an existing network interface and to assign
-additional internet addresses with the `ifconfig' command. Examples:
-
-    Solaris 2:	ifconfig le0:1 <address> netmask <mask> up
-    4.4 BSD:	ifconfig en0 alias <address> netmask <mask>
-
-On other systems one has to increase the number of network interfaces:
-either with hardware interfaces, or with pseudo interfaces like SLIP or
-PPP.  The interfaces do not need to be attached to anything. They just
-need to be up and to be assigned a suitable internet address and mask.
-
-With the wrapper software, `daemon@host' access control patterns can be
-used to distinguish requests by the network address that they are aimed
-at.  Judicious use of the `twist' option (see the hosts_options.5 file,
-`nroff -man' format) can guide the requests to the right server.  These
-can be servers that live in separate chroot areas, or servers modified
-to take additional context from the command line, or a combination.
-
-Another way is to modify gopher or www listeners so that they bind to
-only one specific network address. Multiple gopher or www servers can
-then be run side by side, each taking requests sent to its respective
-network address.
-
-4.7 - Banner messages
----------------------
-
-Some sites are required to present an informational message to users
-before they attempt to login.  Banner messages can also be useful when
-denying service:  instead of simply dropping the connection a polite
-explanation is given first. Finally, banners can be used to give your
-system a more personal touch.
-
-The wrapper software provides easy-to-use tools to generate pre-login
-banners for ftp, telnet, rlogin etc. from a single prototype banner
-textfile.  Details on banners and on-the-fly %<letter> expansions are
-given in the hosts_options.5 manual page (`nroff -man' format). An
-example is given in the file Banners.Makefile.
-
-In order to support banner messages the wrappers have to be built with
-language extensions enabled. See the section on language extensions.
-
-4.8 - Sequence number guessing
-------------------------------
-
-Recently, systems came under attack from intruders that exploited a
-well-known weakness in TCP/IP sequence number generators.  This
-weakness allows intruders to impersonate trusted hosts. Break-ins have
-been reported via the rsh service. In fact, any network service can be
-exploited that trusts the client host name or address.
-
-A long-term solution is to stop using network services that trust the
-client host name or address, and to use data encryption instead.
-
-A short-term solution, as outlined in CERT advisory CA-95:01, is to
-configure network routers so that they discard datagrams from "outside"
-with an "inside" source address. This approach is most fruitful when
-you do not trust any hosts outside your local network.
-
-The IDENT (RFC931 etc.) client username lookup protocol can help to
-detect host impersonation attacks.  Before accepting a client request,
-the wrappers can query the client's IDENT server and find out that the
-client never sent that request.
-
-When the client host provides IDENT service, a negative IDENT lookup
-result (the client matches `UNKNOWN@host') is strong evidence of a host
-impersonation attack.
-
-A positive IDENT lookup result (the client matches `KNOWN@host') is
-less trustworthy.  It is possible for an attacker to spoof both the
-client request and the IDENT lookup connection, although doing so
-should be much harder than spoofing just a client request. Another
-possibility is that the client's IDENT server is lying.
-
-Client username lookups are described in more detail in a previous
-section. Pointers to IDENT daemon software are described in the section
-on related software.
-
-5 - Other works
----------------
-
-5.1 - Related documents
------------------------
-
-The war story behind the tcp wrapper tools is described in:
-
-    W.Z. Venema, "TCP WRAPPER, network monitoring, access control and
-    booby traps", UNIX Security Symposium III Proceedings (Baltimore),
-    September 1992. 
-
-    ftp.win.tue.nl:/pub/security/tcp_wrapper.ps.Z (postscript)
-    ftp.win.tue.nl:/pub/security/tcp_wrapper.txt.Z (flat text)
-
-The same cracker is also described in:
-
-    W.R. Cheswick, "An Evening with Berferd, In Which a Cracker is
-    Lured, Endured, and Studied", Proceedings of the Winter USENIX
-    Conference (San Francisco), January 1992.
-
-    research.att.com:/dist/internet_security/berferd.ps
-
-An updated version of the latter paper appeared in:
-
-    W.R. Cheswick, S.M. Bellovin, "Firewalls and Internet Security",
-    Addison-Wesley, 1994.
-
-Discussions on internet firewalls are archived on ftp.greatcircle.com.
-Subscribe to the mailing list by sending a message to 
-
-    majordomo@greatcircle.com
-
-With in the body (not subject): subscribe firewalls.
-
-5.2 - Related software
-----------------------
-
-Network daemons etc. with enhanced logging capabilities can generate
-massive amounts of information: our 150+ workstations generate several
-hundred kbytes each day. egrep-based filters can help to suppress some
-of the noise.  A more powerful tool is the Swatch monitoring system by
-Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in
-real time and can associate arbitrary actions with patterns; its
-applications are by no means restricted to security.  Swatch is
-available ftp.stanford.edu, directory /general/security-tools/swatch.
-
-Socks, described in the UNIX Security III proceedings, can be used to
-control network traffic from hosts on an internal network, through a
-firewall host, to the outer world. Socks consists of a daemon that is
-run on the firewall host, and of a library with routines that redirect
-application socket calls through the firewall daemon.  Socks is
-available from s1.gov in /pub/firewalls/socks.tar.Z.
-
-For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
-ftp.nec.com, directory /pub/security/socks.cstc.
-
-Tcpr is a set of perl scripts by Paul Ziemba that enable you to run ftp
-and telnet commands across a firewall. Unlike socks it can be used with
-unmodified client software. Available from ftp.alantec.com, /pub/tcpr.
-
-The TIS firewall toolkit provides a multitude of tools to build your
-own internet firewall system. ftp.tis.com, directory /pub/firewalls.
-
-Versions of rshd and rlogind, modified to report the client user name
-in addition to the client host name, are available for anonymous ftp
-(ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z).  These programs are
-drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
-9.x. This archive also contains ftpd/rexecd/login versions that support
-S/Key or SecureNet one-time passwords in addition to traditional UNIX
-reusable passwords.
-
-The securelib shared library by William LeFebvre can be used to control
-access to network daemons that are not run under control of the inetd
-or that serve more than one client, such as the NFS mount daemon that
-runs until the machine goes down.  Available from eecs.nwu.edu, file
-/pub/securelib.tar.
-
-xinetd (posted to comp.sources.unix) is an inetd replacement that
-provides, among others, logging, username lookup and access control.
-However, it does not support the System V TLI services, and involves
-much more source code than the daemon wrapper programs. Available
-from ftp.uu.net, directory /usenet/comp.sources.unix.
-
-netlog from Texas A&M relies on the SunOS 4.x /dev/nit interface to
-passively watch all TCP and UDP network traffic on a network.  The
-current version is on net.tamu.edu in /pub/security/TAMU.
-
-Where shared libraries or router-based packet filtering are not an
-option, an alternative portmap daemon can help to prevent hackers
-from mounting your NFS file systems using the proxy RPC facility.
-ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
-4.1.X Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX. The
-protection is less effective than that of the securelib library because
-portmap is mostly a dictionary service.
-
-An rpcbind replacement (the Solaris 2.x moral equivalent of portmap)
-can be found on ftp.win.tue.nl in /pub/security. It prevents hackers
-from mounting your NFS file systems by using the proxy RPC facility.
-
-Source for a portable RFC 931 (TAP, IDENT, RFC 1413) daemon by Peter
-Eriksson is available from ftp.lysator.liu.se:/pub/ident/servers.
-
-Some TCP/IP implementations come without syslog library. Some come with
-the library but have no syslog daemon. A replacement can be found in
-ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z.  The fakesyslog
-library that comes with the nntp sources reportedly works well, too.
-
-6 - Limitations
----------------
-
-6.1 - Known wrapper limitations
--------------------------------
-
-Many UDP (and rpc/udp) daemons linger around for a while after they
-have serviced a request, just in case another request comes in.	 In the
-inetd configuration file these daemons are registered with the `wait'
-option. Only the request that started such a daemon will be seen by the
-wrappers.  Such daemons are better protected with the securelib shared
-library (see: Related software).
-
-The wrappers do not work with RPC services over TCP. These services are
-registered as rpc/tcp in the inetd configuration file. The only non-
-trivial service that is affected by this limitation is rexd, which is
-used by the on(1) command. This is no great loss.  On most systems,
-rexd is less secure than a wildcard in /etc/hosts.equiv.
-
-Some RPC requests (for example: rwall, rup, rusers) appear to come from
-the server host. What happens is that the client broadcasts its request
-to all portmap daemons on its network; each portmap daemon forwards the
-request to a daemon on its own system. As far as the rwall etc.	 daemons
-know, the request comes from the local host.
-
-Portmap and RPC (e.g. NIS and NFS) (in)security is a topic in itself.
-See the section in this document on related software.
-
-6.2 - Known system software bugs
---------------------------------
-
-Workarounds have been implemented for several bugs in system software.
-They are described in the Makefile. Unfortunately, some system software
-bugs cannot be worked around. The result is loss of functionality.
-
-IRIX has so many bugs that it has its own README.IRIX file.
-
-Older ConvexOS versions come with a broken recvfrom(2) implementation.
-This makes it impossible for the daemon wrappers to look up the
-client host address (and hence, the name) in case of UDP requests.
-A patch is available for ConvexOS 10.1; later releases should be OK.
-
-With early Solaris (SunOS 5) versions, the syslog daemon will leave
-behind zombie processes when writing to logged-in users.  Workaround:
-increase the syslogd threshold for logging to users, or reduce the
-wrapper's logging severity.
-
-On some systems, the optional RFC 931 etc. client username lookups may
-trigger a kernel bug.  When a client host connects to your system, and
-the RFC 931 connection from your system to that client is rejected by a
-router, your kernel may drop all connections with that client.	This is
-not a bug in the wrapper programs: complain to your vendor, and don't
-enable client user name lookups until the bug has been fixed.
-
-Reportedly, SunOS 4.1.1, Next 2.0a, ISC 3.0 with TCP 1.3, and AIX 3.2.2
-and later are OK.
-
-Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
-Reportedly, a fix for Ultrix is available (CXO-8919).
-
-The following procedure can be used (from outside the tue.nl domain) to
-find out if your kernel has the bug. From the system under test, do:
-
-	% ftp 131.155.70.19
-
-This command attempts to make an ftp connection to our anonymous ftp
-server (ftp.win.tue.nl).  When the connection has been established, run
-the following command from the same system under test, while keeping
-the ftp connection open:
-
-	% telnet 131.155.70.19 111
-
-Do not forget the `111' at the end of the command. This telnet command
-attempts to connect to our portmap process.  The telnet command should
-fail with:  "host not reachable", or with a timeout error. If your ftp
-connection gets messed up, you have the bug. If the telnet command does
-not fail, please let me know a.s.a.p.!
-
-For those who care, the bug is that the BSD kernel code was not careful
-enough with incoming ICMP UNREACHABLE control messages (it ignored the
-local and remote port numbers, and therefore zapped *all* connections
-with the remote system). The bug is still present in the BSD NET/1
-source release (1989) but apparently has been fixed in BSD NET/2 (1991). 
-
-7 - Configuration and installation
-----------------------------------
-
-7.1 - Easy configuration and installation
------------------------------------------
-
-The "easy" recipe requires no changes to existing software or
-configuration files.  Basically, you move the daemons that you want to
-protect to a different directory and plug the resulting holes with
-copies of the wrapper programs.
-
-If you don't run Ultrix, you won't need the miscd wrapper program.  The
-miscd daemon implements among others the SYSTAT service, which produces
-the same output as the WHO command.
-
-Type `make' and follow the instructions.  The Makefile comes with
-ready-to-use templates for many common UNIX implementations (sun,
-ultrix, hp-ux, aix, irix,...). 
-
-IRIX has so many bugs that it has its own README.IRIX file.
-
-When the `make' succeeds the result is five executables (six in case of
-Ultrix).
-
-You can use the `tcpdchk' program to identify the most common problems
-in your wrapper and inetd configuration files.	
-
-With the `tcpdmatch' program you can examine how the wrapper would
-react to specific requests for service.	 
-
-The `safe_finger' command should be used when you implement booby
-traps:	it gives better protection against nasty stuff that remote
-hosts may do in response to your finger probes.
-
-The `try-from' program tests the host and username lookup code.	 Run it
-from a remote shell command (`rsh host /some/where/try-from') and it
-should be able to figure out from what system it is being called.
-
-The tcpd program can be used to monitor the telnet, finger, ftp, exec,
-rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
-a one-to-one mapping onto executable files.
-
-The tcpd program can also be used for services that are marked as
-rpc/udp in the inetd configuration file, but not for rpc/tcp services
-such as rexd.  You probably do not want to run rexd anyway. On most
-systems it is even less secure than a wildcard in /etc/hosts.equiv.
-
-With System V.4-style systems, the tcpd program can also handle TLI
-services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
-the same functions as with socket-based applications. When some other
-protocol is used underneath TLI, functionality will be limited (no
-client username lookups, weird network address formats).
-
-Decide which services you want to monitor. Move the corresponding
-vendor-provided daemon programs to the location specified by the
-REAL_DAEMON_DIR constant in the Makefile, and fill the holes with
-copies of the tcpd program. That is, one copy of (or link to) the tcpd
-program for each service that you want to monitor. For example, to
-monitor the use of your finger service:
-
-    # mkdir REAL_DAEMON_DIR
-    # mv /usr/etc/in.fingerd REAL_DAEMON_DIR
-    # cp tcpd /usr/etc/in.fingerd
-
-The example applies to SunOS 4. With other UNIX implementations the
-network daemons live in /usr/libexec, /usr/sbin or in /etc, or have no
-"in." prefix to their names, but you get the idea.
-
-File protections: the wrapper, all files used by the wrapper, and all
-directories in the path leading to those files, should be accessible
-but not writable for unprivileged users (mode 755 or mode 555). Do not
-install the wrapper set-uid.
-
-Ultrix only:  If you want to monitor the SYSTAT service, move the
-vendor-provided miscd daemon to the location specified by the
-REAL_DAEMON_DIR macro in the Makefile, and install the miscd wrapper
-at the original miscd location.
-
-In the absence of any access-control tables, the daemon wrappers
-will just maintain a record of network connections made to your system.
-
-7.2 - Advanced configuration and installation
----------------------------------------------
-
-The advanced recipe leaves your daemon executables alone, but involves
-simple modifications to the inetd configuration file.
-
-Type `make' and follow the instructions.  The Makefile comes with
-ready-to-use templates for many common UNIX implementations (sun,
-ultrix, hp-ux, aix, irix, ...). 
-
-IRIX users should read the warnings in the README.IRIX file first.
-
-When the `make' succeeds the result is five executables (six in case of
-Ultrix).
-
-You can use the `tcpdchk' program to identify the most common problems
-in your wrapper and inetd configuration files.	
-
-With the `tcpdmatch' program you can examine how the wrapper would
-react to specific requests for service.	 
-
-The `try-from' program tests the host and username lookup code.	 Run it
-from a remote shell command (`rsh host /some/where/try-from') and it
-should be able to figure out from what system it is being called.
-
-The `safe_finger' command should be used when you implement a booby
-trap:  it gives better protection against nasty stuff that remote hosts
-may do in response to your finger probes.
-
-The tcpd program can be used to monitor the telnet, finger, ftp, exec,
-rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
-a one-to-one mapping onto executable files.
-
-With System V.4-style systems, the tcpd program can also handle TLI
-services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
-the same functions as with socket-based applications. When some other
-protocol is used underneath TLI, functionality will be limited (no
-client username lookups, weird network address formats).
-
-The tcpd program can also be used for services that are marked as
-rpc/udp in the inetd configuration file, but not for rpc/tcp services
-such as rexd.  You probably do not want to run rexd anyway. On most
-systems it is even less secure than a wildcard in /etc/hosts.equiv.
-
-Install the tcpd command in a suitable place. Apollo UNIX users will
-want to install it under a different name because the name "tcpd" is
-already taken; a suitable name would be "frontd".  
-
-File protections: the wrapper, all files used by the wrapper, and all
-directories in the path leading to those files, should be accessible
-but not writable for unprivileged users (mode 755 or mode 555). Do not
-install the wrapper set-uid.
-
-Then perform the following edits on the inetd configuration file
-(usually /etc/inetd.conf or /etc/inet/inetd.conf):
-
-    finger  stream  tcp	    nowait  nobody  /usr/etc/in.fingerd	    in.fingerd
-					    ^^^^^^^^^^^^^^^^^^^
-becomes:
-
-    finger  stream  tcp	    nowait  nobody  /usr/etc/tcpd	    in.fingerd
-					    ^^^^^^^^^^^^^
-Send a `kill -HUP' to the inetd process to make the change effective.
-Some IRIX inetd implementations require that you first disable the
-finger service (comment out the finger service and `kill -HUP' the
-inetd) before you can turn on the modified version. Sending a HUP
-twice seems to work just as well for IRIX 5.3, 6.0, 6.0.1 and 6.1.
-
-AIX note: you may have to execute the `inetimp' command after changing
-the inetd configuration file.
-
-The example applies to SunOS 4. With other UNIX implementations the
-network daemons live in /usr/libexec, /usr/sbin, or /etc, the network
-daemons have no "in." prefix to their names, or the username field in
-the inetd configuration file may be missing.
-
-When the finger service works as expected you can perform similar
-changes for other network services. Do not forget the `kill -HUP'.
-
-The miscd daemon that comes with Ultrix implements several network
-services. It decides what to do by looking at its process name. One of
-the services is systat, which is a kind of limited finger service.  If
-you want to monitor the systat service, install the miscd wrapper in a
-suitable place and update the inetd configuration file:
-
-    systat  stream  tcp	    nowait  /suitable/place/miscd      systatd
-
-Ultrix 4.3 allows you to specify a user id under which the daemon will
-be executed. This feature is not documented in the manual pages.  Thus,
-the example would become:
-
-    systat  stream  tcp	    nowait  nobody /suitable/place/miscd    systatd
-
-Older Ultrix systems still run all their network daemons as root.
-
-In the absence of any access-control tables, the daemon wrappers
-will just maintain a record of network connections made to your system.
-
-7.3 - Daemons with arbitrary path names
----------------------------------------
-
-The above tcpd examples work fine with network daemons that live in a
-common directory, but sometimes that is not practical. Having soft
-links all over your file system is not a clean solution, either.
-
-Instead you can specify, in the inetd configuration file, an absolute
-path name for the daemon process name.	For example,
-
-    ntalk   dgram   udp	    wait    root    /usr/etc/tcpd /usr/local/lib/ntalkd
-
-When the daemon process name is an absolute path name, tcpd ignores the
-value of the REAL_DAEMON_DIR constant, and uses the last path component
-of the daemon process name for logging and for access control.
-
-7.4 - Building and testing the access control rules
----------------------------------------------------
-
-In order to support access control the wrappers must be compiled with
-the -DHOSTS_ACCESS option. The access control policy is given in the
-form of two tables (default: /etc/hosts.allow and /etc/hosts.deny).
-Access control is disabled when there are no access control tables, or
-when the tables are empty.
-
-If you haven't used the wrappers before I recommend that you first run
-them a couple of days without any access control restrictions. The
-logfile records should give you an idea of the process names and of the
-host names that you will have to build into your access control rules.
-
-The syntax of the access control rules is documented in the file
-hosts_access.5, which is in `nroff -man' format. This is a lengthy
-document, and no-one expects you to read it right away from beginning
-to end.	 Instead, after reading the introductory section, skip to the
-examples at the end so that you get a general idea of the language.
-Then you can appreciate the detailed reference sections near the
-beginning of the document.
-
-The examples in the hosts_access.5 document (`nroff -man' format) show
-two specific types of access control policy:  1) mostly closed (only
-permitting access from a limited number of systems) and 2) mostly open
-(permitting access from everyone except a limited number of trouble
-makers). You will have to choose what model suits your situation best.
-Implementing a mixed policy should not be overly difficult either.
-
-Optional extensions to the access control language are described in the
-hosts_options.5 document (`nroff -man' format).
-
-The `tcpdchk' program examines all rules in your access control files
-and reports any problems it can find. `tcpdchk -v' writes to standard
-output a pretty-printed list of all rules. `tcpdchk -d' examines the
-hosts.access and hosts.allow files in the current directory. This
-program is described in the tcpdchk.8 document (`nroff -man' format).
-
-The `tcpdmatch' command can be used to try out your local access
-control files.	The command syntax is:
-
-    tcpdmatch process_name hostname (e.g.: tcpdmatch in.tftpd localhost)
-
-    tcpdmatch process_name address  (e.g.: tcpdmatch in.tftpd 127.0.0.1)
-
-This way you can simulate what decisions will be made, and what actions
-will be taken, when hosts connect to your own system. The program is
-described in the tcpdmatch.8 document (`nroff -man' format).
-
-Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
-current working directory. This is useful for testing new rules without
-bothering your users.
-
-Note 2: you cannot use the `tcpdmatch' command to simulate what happens
-when the local system connects to other hosts.
-
-In order to find out what process name to use, just use the service and
-watch the process name that shows up in the logfile.  Alternatively,
-you can look up the name from the inetd configuration file. Coming back
-to the tftp example in the tutorial section above:
-
-    tftp  dgram	 udp  wait  root  /usr/etc/tcpd	 in.tftpd -s /tftpboot
-
-This entry causes the inetd to run the wrapper program (tcpd) with a
-process name `in.tftpd'.  This is the name that the wrapper will use
-when scanning the access control tables. Therefore, `in.tftpd' is the
-process name that should be given to the `tcpdmatch' command. On your
-system the actual inetd.conf entry may differ (tftpd instead of
-in.tftpd, and no `root' field), but you get the idea.
-
-When you specify a host name, the `tcpdmatch' program will use both the
-host name and address. This way you can simulate the most common case
-where the wrappers know both the host address and the host name.  The
-`tcpdmatch' program will iterate over all addresses that it can find
-for the given host name.
-
-When you specify a host address instead of a host name, the `tcpdmatch'
-program will pretend that the host name is unknown, so that you can
-simulate what happens when the wrapper is unable to look up the client
-host name.
-
-7.5 - Other applications
-------------------------
-
-The access control routines can easily be integrated with other
-programs.  The hosts_access.3 manual page (`nroff -man' format)
-describes the external interface of the libwrap.a library.
-
-The tcpd program can even be used to control access to the mail
-service.  This can be useful when you suspect that someone is trying
-out some obscure sendmail bug, or when a remote site is misconfigured
-and keeps hammering your mail daemon.
-
-In that case, sendmail should not be run as a stand-alone network
-listener, but it should be registered in the inetd configuration file.
-For example:
-
-    smtp    stream  tcp	    nowait  root    /usr/etc/tcpd /usr/lib/sendmail -bs
-
-You will still need to run one sendmail background process to handle
-queued-up outgoing mail. A command like:
-
-    /usr/lib/sendmail -q15m
-
-(no `-bd' flag) should take care of that. You cannot really prevent
-people from posting forged mail this way, because there are many
-unprotected smtp daemons on the network.
-
-8 - Acknowledgements
---------------------
-
-Many people contributed to the evolution of the programs, by asking
-inspiring questions, by suggesting features or bugfixes, or by
-submitting source code.	 Nevertheless, all mistakes and bugs in the
-wrappers are my own.
-
-Thanks to Brendan Kehoe (cs.widener.edu), Heimir Sverrisson (hafro.is)
-and Dan Bernstein (kramden.acf.nyu.edu) for feedback on an early
-release of this product.  The host name/address check was suggested by
-John Kimball (src.honeywell.com).  Apollo's UNIX environment has some
-peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
-Schoenmakers (es.ele.tue.nl) and Charles S. Fuller (wccs.psc.edu)
-provided assistance.  Hal R.  Brand (addvax.llnl.gov) told me how to
-get the client IP address in case of datagram-oriented services, and
-suggested the optional shell command feature.  Shabbir Safdar
-(mentor.cc.purdue.edu) provided a first version of a much-needed manual
-page.  Granville Boman Goza, IV (sei.cmu.edu) suggested to use the
-client IP address even when the host name is available.	 Casper H.S.
-Dik (fwi.uva.nl) provided additional insight into DNS spoofing
-techniques.  The bogus daemon feature was inspired by code from Andrew
-Macpherson (BNR Europe Ltd).  Steve Bellovin (research.att.com)
-confirmed some of my suspicions about the darker sides of TCP/IP
-insecurity. Risks of automated fingers were pointed out by Borja Marcos
-(we.lc.ehu.es). Brad Plecs (jhuspo.ca.jhu.edu) was kind enough to try
-my early TLI code and to work out how DG/UX differs from Solaris.
-
-John P.	 Rouillard (cs.umb.edu) deserves special mention for his
-persistent, but constructive, nagging about wrong or missing things,
-and for trying out and discussing embryonic code or ideas.
-
-Last but not least, Howard Chu (hanauma.jpl.nasa.gov), Darren Reed
-(coombs.anu.edu.au), Icarus Sparry (gdr.bath.ac.uk), Scott Schwartz
-(cs.psu.edu), John A. Kunze (violet.berkeley.edu), Daniel Len Schales
-(engr.latech.edu), Chris Turbeville (cse.uta.edu), Paul Kranenburg
-(cs.few.eur.nl), Marc Boucher (cam.org), Dave Mitchell
-(dcs.shef.ac.uk), Andrew Maffei, Adrian van Bloois, Rop Gonggrijp, John
-C. Wingenbach, Everett F. Batey	 and many, many others provided fixes,
-code fragments, or ideas for improvements.
-
-	Wietse Venema (wietse@wzv.win.tue.nl)
-	Department of Mathematics and Computing Science
-	Eindhoven University of Technology
-	P.O. Box 513
-	5600 MB Eindhoven
-	The Netherlands
-
-	Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.
diff --git a/libexec/tcpd/safe_finger/Makefile b/libexec/tcpd/safe_finger/Makefile
deleted file mode 100644
index 86fcffc4573..00000000000
--- a/libexec/tcpd/safe_finger/Makefile
+++ /dev/null
@@ -1,6 +0,0 @@
-#	$OpenBSD: Makefile,v 1.2 1997/06/24 02:12:23 downsj Exp $
-
-PROG=	safe_finger
-MAN=	safe_finger.8
-
-.include <bsd.prog.mk>
diff --git a/libexec/tcpd/safe_finger/safe_finger.8 b/libexec/tcpd/safe_finger/safe_finger.8
deleted file mode 100644
index 7c70989c4ed..00000000000
--- a/libexec/tcpd/safe_finger/safe_finger.8
+++ /dev/null
@@ -1,54 +0,0 @@
-.\"	$OpenBSD: safe_finger.8,v 1.10 2007/05/31 19:19:41 jmc Exp $
-.\"
-.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 31 2007 $
-.Dt SAFE_FINGER 8
-.Os
-.Sh NAME
-.Nm safe_finger
-.Nd TCP wrapper for finger program
-.Sh SYNOPSIS
-.Nm safe_finger
-.Op Ar arguments
-.Sh DESCRIPTION
-.Nm
-is simply a wrapper around the
-.Xr finger 1
-program, meant for use in
-.Xr tcpd 8
-rulesets.
-It accepts exactly the same arguments as
-.Xr finger 1 .
-.Sh SEE ALSO
-.Xr finger 1 ,
-.Xr tcpd 8
-.Sh AUTHORS
-.Bd -unfilled -offset indent
-Wietse Venema (wietse@wzv.win.tue.nl),
-Department of Mathematics and Computing Science,
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-.Ed
diff --git a/libexec/tcpd/safe_finger/safe_finger.c b/libexec/tcpd/safe_finger/safe_finger.c
deleted file mode 100644
index 6b4c4a8858a..00000000000
--- a/libexec/tcpd/safe_finger/safe_finger.c
+++ /dev/null
@@ -1,198 +0,0 @@
-/*	$OpenBSD: safe_finger.c,v 1.4 2009/10/27 23:59:31 deraadt Exp $	*/
-
- /*
-  * safe_finger - finger client wrapper that protects against nasty stuff
-  * from finger servers. Use this program for automatic reverse finger
-  * probes, not the raw finger command.
-  * 
-  * Build with: cc -o safe_finger safe_finger.c
-  * 
-  * The problem: some programs may react to stuff in the first column. Other
-  * programs may get upset by thrash anywhere on a line. File systems may
-  * fill up as the finger server keeps sending data. Text editors may bomb
-  * out on extremely long lines. The finger server may take forever because
-  * it is somehow wedged. The code below takes care of all this badness.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <ctype.h>
-#include <pwd.h>
-
-/* Local stuff */
-
-char    path[] = "PATH=/bin:/usr/bin:/usr/sbin:/sbin";
-
-#define	TIME_LIMIT	60		/* Do not keep listinging forever */
-#define	INPUT_LENGTH	100000		/* Do not keep listinging forever */
-#define	LINE_LENGTH	128		/* Editors can choke on long lines */
-#define	FINGER_PROGRAM	"finger"	/* Most, if not all, UNIX systems */
-#define	UNPRIV_NAME	"nobody"	/* Preferred privilege level */
-#define	UNPRIV_UGID	32767		/* Default uid and gid */
-
-int     finger_pid;
-
-int	pipe_stdin(char **);
-
-void    cleanup(sig)
-int     sig;
-{
-    kill(finger_pid, SIGKILL);
-    _exit(0);
-}
-
-int main(argc, argv)
-int     argc;
-char  **argv;
-{
-    int     c;
-    int     line_length = 0;
-    int     finger_status;
-    int     wait_pid;
-    int     input_count = 0;
-    struct passwd *pwd;
-
-    /*
-     * First of all, let's don't run with superuser privileges.
-     */
-    if (getuid() == 0 || geteuid() == 0) {
-	if ((pwd = getpwnam(UNPRIV_NAME)) && pwd->pw_uid > 0) {
-	    setgid(pwd->pw_gid);
-	    setuid(pwd->pw_uid);
-	} else {
-	    setgid(UNPRIV_UGID);
-	    setuid(UNPRIV_UGID);
-	}
-    }
-
-    /*
-     * Redirect our standard input through the raw finger command.
-     */
-    if (putenv(path)) {
-	fprintf(stderr, "%s: putenv: out of memory", argv[0]);
-	exit(1);
-    }
-    argv[0] = FINGER_PROGRAM;
-    finger_pid = pipe_stdin(argv);
-
-    /*
-     * Don't wait forever (Peter Wemm <peter@gecko.DIALix.oz.au>).
-     */
-    signal(SIGALRM, cleanup);
-    (void) alarm(TIME_LIMIT);
-
-    /*
-     * Main filter loop.
-     */
-    while ((c = getchar()) != EOF) {
-	if (input_count++ >= INPUT_LENGTH) {	/* don't listen forever */
-	    fclose(stdin);
-	    printf("\n\n Input truncated to %d bytes...\n", input_count - 1);
-	    break;
-	}
-	if (c == '\n') {			/* good: end of line */
-	    putchar(c);
-	    line_length = 0;
-	} else {
-	    if (line_length >= LINE_LENGTH) {	/* force end of line */
-		printf("\\\n");
-		line_length = 0;
-	    }
-	    if (line_length == 0) {		/* protect left margin */
-		putchar(' ');
-		line_length++;
-	    }
-	    if (isascii(c) && (isprint(c) || isspace(c))) {	/* text */
-		if (c == '\\') {
-		    putchar(c);
-		    line_length++;
-		}
-		putchar(c);
-		line_length++;
-	    } else {				/* quote all other thash */
-		printf("\\%03o", c & 0377);
-		line_length += 4;
-	    }
-	}
-    }
-
-    /*
-     * Wait until the finger child process has terminated and account for its
-     * exit status. Which will always be zero on most systems.
-     */
-    while ((wait_pid = wait(&finger_status)) != -1 && wait_pid != finger_pid)
-	 /* void */ ;
-    return (wait_pid != finger_pid || finger_status != 0);
-}
-
-/* perror_exit - report system error text and terminate */
-
-void    perror_exit(text)
-char   *text;
-{
-    perror(text);
-    exit(1);
-}
-
-/* pipe_stdin - pipe stdin through program (from my ANSI to OLD C converter) */
-
-int     pipe_stdin(argv)
-char  **argv;
-{
-    int     pipefds[2];
-    int     pid;
-    int     i;
-    struct stat st;
-
-    /*
-     * The code that sets up the pipe requires that file descriptors 0,1,2
-     * are already open. All kinds of mysterious things will happen if that
-     * is not the case. The following loops makes sure that descriptors 0,1,2
-     * are set up properly.
-     */
-
-    for (i = 0; i < 3; i++) {
-	if (fstat(i, &st) == -1 && open("/dev/null", O_RDWR) != i)
-	    perror_exit("open /dev/null");
-    }
-
-    /*
-     * Set up the pipe that interposes the command into our standard input
-     * stream.
-     */
-
-    if (pipe(pipefds))
-	perror_exit("pipe");
-
-    switch (pid = fork()) {
-    case -1:					/* error */
-	perror_exit("fork");
-	/* NOTREACHED */
-    case 0:					/* child */
-	(void) close(pipefds[0]);		/* close reading end */
-	(void) close(1);			/* connect stdout to pipe */
-	if (dup(pipefds[1]) != 1)
-	    perror_exit("dup");
-	(void) close(pipefds[1]);		/* close redundant fd */
-	(void) execvp(argv[0], argv);
-	perror_exit(argv[0]);
-	/* NOTREACHED */
-    default:					/* parent */
-	(void) close(pipefds[1]);		/* close writing end */
-	(void) close(0);			/* connect stdin to pipe */
-	if (dup(pipefds[0]) != 0)
-	    perror_exit("dup");
-	(void) close(pipefds[0]);		/* close redundant fd */
-	return (pid);
-    }
-}
diff --git a/libexec/tcpd/tcpd/Makefile b/libexec/tcpd/tcpd/Makefile
deleted file mode 100644
index e802c7e9b92..00000000000
--- a/libexec/tcpd/tcpd/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-#	$OpenBSD: Makefile,v 1.1 1997/02/26 06:17:04 downsj Exp $
-
-PROG=	tcpd
-MAN=	tcpd.8
-
-DPADD=	${LIBWRAP}
-LDADD=	-lwrap
-
-.include <bsd.prog.mk>
diff --git a/libexec/tcpd/tcpd/tcpd.8 b/libexec/tcpd/tcpd/tcpd.8
deleted file mode 100644
index 40f41cee595..00000000000
--- a/libexec/tcpd/tcpd/tcpd.8
+++ /dev/null
@@ -1,258 +0,0 @@
-.\"	$OpenBSD: tcpd.8,v 1.20 2012/03/06 01:25:46 dlg Exp $
-.\"
-.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 6 2012 $
-.Dt TCPD 8
-.Os
-.Sh NAME
-.Nm tcpd
-.Nd tcp wrappers access control facility for internet services
-.Sh DESCRIPTION
-The
-.Nm
-program can be set up to monitor incoming requests for
-.Xr telnet 1 ,
-.Xr finger 1 ,
-.Xr ftp 1 ,
-.Xr rsh 1 ,
-.Xr talk 1 ,
-.Xr comsat 8 ,
-and other services that have a one-to-one mapping onto executable files.
-.Pp
-.\" The program supports both
-.\" .Bx 4.3 -style
-.\" sockets and System V.4-style
-.\" TLI.  Functionality may be limited when the protocol underneath TLI is
-.\" not an internet protocol.
-.\" .Pp
-Operation is as follows: whenever a request for service arrives, the
-.Xr inetd 8
-daemon is tricked into running the
-.Nm
-program instead of the desired server.
-.Nm
-logs the request and does some additional checks.
-When all is well,
-.Nm
-runs the appropriate server program and goes away.
-.Pp
-Optional features are: pattern-based access control, client username
-lookups with the RFC 931 etc. protocol, protection against hosts that
-pretend to have someone else's host name, and protection against hosts
-that pretend to have someone else's network address.
-.Sh LOGGING
-Connections that are monitored by
-.Nm
-are reported through the
-.Xr syslog 3
-facility.
-Each record contains a time stamp, the client host name and
-the name of the requested service.
-The information can be useful to detect unwanted activities,
-especially when logfile information from several hosts is merged.
-.Pp
-In order to find out where your logs are going, examine the syslog
-configuration file, usually
-.Pa /etc/syslog.conf .
-.Sh ACCESS CONTROL
-Optionally,
-.Nm
-supports a simple form of access control that is based on pattern matching.
-The access-control software provides hooks for the execution
-of shell commands when a pattern fires.
-For details, see the
-.Xr hosts_access 5
-manual page.
-.Sh HOST NAME VERIFICATION
-The authentication scheme of some protocols
-.Pq Xr rsh 1
-relies on host names.
-Some implementations believe the host name that they get from any random
-name server; other implementations are more careful but use a flawed algorithm.
-.Pp
-.Nm
-verifies the client host name that is returned by the address->name DNS
-server by looking at the host name and address that are returned by the
-name->address DNS server.
-If any discrepancy is detected,
-.Nm
-concludes that it is dealing with a host that pretends to have someone
-elses host name.
-.\" .Pp
-.\" If the sources are compiled with -DPARANOID,
-.\" .Nm tcpd
-.\" will drop the connection in case of a host name/address mismatch.
-.\" Otherwise, the hostname can be matched with the
-.\" .Ar PARANOID
-.\" wildcard,
-.\" after which suitable action can be taken.
-.Sh HOST ADDRESS SPOOFING
-Optionally,
-.Nm
-disables source-routing socket options on every connection that it deals with.
-This will take care of most attacks from hosts that pretend
-to have an address that belongs to someone else's network.
-UDP services do not benefit from this protection.
-This feature must be turned on at compile-time.
-.Sh RFC 931
-When RFC 931 etc. lookups are enabled (compile-time option)
-.Nm
-will attempt to establish the name of the client user.
-This will succeed only if the client host runs an RFC 931-compliant daemon.
-Client user name lookups will not work for datagram-oriented
-connections, and may cause noticeable delays in the case of connections
-from PCs.
-.Sh FILES
-The default locations of the host access control tables are:
-.Pp
-.Bl -tag -width /etc/hosts.allow -compact
-.It Pa /etc/hosts.allow
-Access control table (allow list)
-.It Pa /etc/hosts.deny
-Access control table (deny list)
-.El
-.\" .Sh EXAMPLES
-.\" The details of using
-.\" .Nm tcpd
-.\" depend on pathname information that was compiled into the program.
-.\" .Sh EXAMPLE 1
-.\" This example applies when
-.\" .Nm tcpd
-.\" expects that the original network
-.\" daemons will be moved to an "other" place.
-.\" .Pp
-.\" In order to monitor access to the
-.\" .Xr finger 1
-.\" service, move the
-.\" original finger daemon to the "other" place and install tcpd in the
-.\" place of the original finger daemon. No changes are required to
-.\" configuration files.
-.\" .Bd -unfilled -offset indent
-.\" # mkdir /other/place
-.\" # mv /usr/etc/in.fingerd /other/place
-.\" # cp tcpd /usr/etc/in.fingerd
-.\" .Ed
-.\" .Pp
-.\" The example assumes that the network daemons live in /usr/etc. On some
-.\" systems, network daemons live in /usr/sbin or in /usr/libexec, or have
-.\" no `in.\' prefix to their name.
-.\" .Sh EXAMPLE 2
-.Sh EXAMPLES
-This example applies when
-.Nm
-expects that the network daemons
-are left in their original place, as it is configured within
-.Ox .
-.Pp
-In order to monitor access to the
-.Xr finger 1
-service, perform the following edits on the
-.Xr inetd 8
-configuration file,
-.Pa /etc/inetd.conf :
-.Bd -unfilled -offset indent
-finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd  fingerd
-.Ed
-.Pp
-becomes:
-.Bd -unfilled -offset indent
-finger  stream  tcp  nowait  nobody  /usr/libexec/tcpd     fingerd
-.Ed
-.\" .Pp
-.\" The example assumes that the network daemons live in /usr/etc. On some
-.\" systems, network daemons live in /usr/sbin or in /usr/libexec, the
-.\" daemons have no `in.\' prefix to their name, or there is no userid
-.\" field in the inetd configuration file.
-.Pp
-Similar changes will be needed for the other services that are to be
-covered by
-.Nm tcpd .
-Send a `kill -HUP\' to the
-.Xr inetd 8
-process to make the changes effective.
-.\" AIX users may also have to execute the `inetimp\' command.
-.\" .Sh EXAMPLE 3
-.Pp
-In the case of daemons that do not live in a common directory ("secret"
-or otherwise), edit the
-.Xr inetd 8
-configuration file so that it specifies an absolute path name for the process
-name field.
-For example:
-.Bd -unfilled
-    ntalk  dgram  udp  wait  root  /usr/libexec/tcpd  /usr/local/lib/ntalkd
-.Ed
-.Pp
-Only the last component
-.Pq Nm ntalkd
-of the pathname will be used for access control and logging.
-.Sh SEE ALSO
-.Xr hosts_access 5 ,
-.Xr inetd.conf 5 ,
-.Xr syslog.conf 5
-.Sh AUTHORS
-.Bd -unfilled -offset indent
-Wietse Venema (wietse@wzv.win.tue.nl),
-Department of Mathematics and Computing Science,
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-.Ed
-.\" @(#) tcpd.8 1.5 96/02/21 16:39:16
-.Sh BUGS
-Some UDP (and RPC) daemons linger around for a while after they have
-finished their work, in case another request comes in.
-In the inetd configuration file these services are registered with the
-.Ar wait
-option.
-Only the request that started such a daemon will be logged.
-.Pp
-.\" The program does not work with RPC services over TCP. These services
-.\" are registered as
-.\" .Ar rpc/tcp
-.\" in the inetd configuration file. The
-.\" only non-trivial service that is affected by this limitation is
-.\" .Xr rexd 8 ,
-.\" which is used by the
-.\" .Xr on 1
-.\" command. This is no great
-.\" loss.  On most systems,
-.\" .Xr rexd 8
-.\" is less secure than a wildcard in
-.\" .Pa /etc/hosts.equiv .
-.\" .Pp
-RPC broadcast requests (for example:
-.Xr rwall 1 ,
-.Xr rup 1 ,
-.Xr rusers 1 )
-always appear to come from the responding host.
-What happens is that the client broadcasts the request to all
-.Xr portmap 8
-daemons on its network; each
-.Xr portmap 8
-daemon forwards the request to a local daemon.
-As far as the
-.Xr rwalld 8
-etc. daemons know, the request comes from the local host.
diff --git a/libexec/tcpd/tcpd/tcpd.c b/libexec/tcpd/tcpd/tcpd.c
deleted file mode 100644
index 18cc19b4079..00000000000
--- a/libexec/tcpd/tcpd/tcpd.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*	$OpenBSD: tcpd.c,v 1.4 2009/10/27 23:59:31 deraadt Exp $	*/
-
- /*
-  * General front end for stream and datagram IP services. This program logs
-  * the remote host name and then invokes the real daemon. For example,
-  * install as /usr/etc/{tftpd,fingerd,telnetd,ftpd,rlogind,rshd,rexecd},
-  * after saving the real daemons in the directory specified with the
-  * REAL_DAEMON_DIR macro. This arrangement requires that the network daemons
-  * are started by inetd or something similar. Connections and diagnostics
-  * are logged through syslog(3).
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <tcpd.h>
-
-#ifndef MAXPATHNAMELEN
-#define MAXPATHNAMELEN	BUFSIZ
-#endif
-
-#ifndef STDIN_FILENO
-#define STDIN_FILENO	0
-#endif
-
-/* Local stuff. */
-
-int     allow_severity = SEVERITY;	/* run-time adjustable */
-int     deny_severity = LOG_WARNING;	/* ditto */
-
-int main(int argc, char *argv[])
-{
-    struct request_info request;
-    char    path[MAXPATHNAMELEN];
-
-    /* Attempt to prevent the creation of world-writable files. */
-
-#ifdef DAEMON_UMASK
-    umask(DAEMON_UMASK);
-#endif
-
-    /*
-     * If argv[0] is an absolute path name, ignore REAL_DAEMON_DIR, and strip
-     * argv[0] to its basename.
-     */
-
-    if (argv[0][0] == '/') {
-	strlcpy(path, argv[0], sizeof path);
-	argv[0] = strrchr(argv[0], '/') + 1;
-    } else {
-	snprintf(path, sizeof path, "%s/%s", REAL_DAEMON_DIR, argv[0]);
-    }
-
-    /*
-     * Open a channel to the syslog daemon. Older versions of openlog()
-     * require only two arguments.
-     */
-
-#ifdef LOG_MAIL
-    (void) openlog(argv[0], LOG_PID, FACILITY);
-#else
-    (void) openlog(argv[0], LOG_PID);
-#endif
-
-    /*
-     * Find out the endpoint addresses of this conversation. Host name
-     * lookups and double checks will be done on demand.
-     */
-
-    request_init(&request, RQ_DAEMON, argv[0], RQ_FILE, STDIN_FILENO, 0);
-    fromhost(&request);
-
-    /*
-     * Optionally look up and double check the remote host name. Sites
-     * concerned with security may choose to refuse connections from hosts
-     * that pretend to have someone elses host name.
-     */
-
-#ifdef PARANOID
-    if (STR_EQ(eval_hostname(request.client), paranoid))
-	refuse(&request);
-#endif
-
-    /*
-     * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow
-     * socket options at the IP level. They do so for a good reason.
-     * Unfortunately, we cannot use this with SunOS 4.1.x because the
-     * getsockopt() system call can panic the system.
-     */
-
-#ifdef KILL_IP_OPTIONS
-    fix_options(&request);
-#endif
-
-    /*
-     * Check whether this host can access the service in argv[0]. The
-     * access-control code invokes optional shell commands as specified in
-     * the access-control tables.
-     */
-
-#ifdef HOSTS_ACCESS
-    if (!hosts_access(&request))
-	refuse(&request);
-#endif
-
-    /* Report request and invoke the real daemon program. */
-
-    syslog(allow_severity, "connect from %s", eval_client(&request));
-    closelog();
-    (void) execv(path, argv);
-    syslog(LOG_ERR, "error: cannot execute %s: %m", path);
-    clean_exit(&request);
-    /* NOTREACHED */
-}
diff --git a/libexec/tcpd/tcpdchk/Makefile b/libexec/tcpd/tcpdchk/Makefile
deleted file mode 100644
index 4a24a0f8962..00000000000
--- a/libexec/tcpd/tcpdchk/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-#	$OpenBSD: Makefile,v 1.1 1997/02/26 06:17:06 downsj Exp $
-
-PROG=	tcpdchk
-MAN=	tcpdchk.8
-
-SRCS=	inetcf.c scaffold.c tcpdchk.c
-
-DPADD=	${LIBWRAP}
-LDADD=	-lwrap
-
-BINDIR=	/usr/sbin
-
-.include <bsd.prog.mk>
diff --git a/libexec/tcpd/tcpdchk/inetcf.c b/libexec/tcpd/tcpdchk/inetcf.c
deleted file mode 100644
index 96f1b460b78..00000000000
--- a/libexec/tcpd/tcpdchk/inetcf.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/*	$OpenBSD: inetcf.c,v 1.5 2009/10/27 23:59:32 deraadt Exp $	*/
-
- /*
-  * Routines to parse an inetd.conf or tlid.conf file. This would be a great
-  * job for a PERL script.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdio.h>
-#include <errno.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include <tcpd.h>
-
-#include "inetcf.h"
-#include "scaffold.h"
-
- /*
-  * Network configuration files may live in unusual places. Here are some
-  * guesses. Shorter names follow longer ones.
-  */
-char   *inet_files[] = {
-    "/private/etc/inetd.conf",		/* NEXT */
-    "/etc/inet/inetd.conf",		/* SYSV4 */
-    "/usr/etc/inetd.conf",		/* IRIX?? */
-    "/etc/inetd.conf",			/* BSD */
-    "/etc/net/tlid.conf",		/* SYSV4?? */
-    "/etc/saf/tlid.conf",		/* SYSV4?? */
-    "/etc/tlid.conf",			/* SYSV4?? */
-    0,
-};
-
-static void inet_chk(char *, char *, char *, char *);
-static char *base_name(char *);
-
- /*
-  * Structure with everything we know about a service.
-  */
-struct inet_ent {
-    struct inet_ent *next;
-    int     type;
-    char    name[1];
-};
-
-static struct inet_ent *inet_list = 0;
-
-static char whitespace[] = " \t\r\n";
-
-/* inet_conf - read in and examine inetd.conf (or tlid.conf) entries */
-
-char   *inet_cfg(conf)
-char   *conf;
-{
-    char    buf[BUFSIZ];
-    FILE   *fp = (FILE *)NULL;
-    char   *service;
-    char   *protocol;
-    char   *user;
-    char   *path;
-    char   *arg0;
-    char   *arg1;
-    struct tcpd_context saved_context;
-    int     i;
-    struct stat st;
-
-    saved_context = tcpd_context;
-
-    /*
-     * The inetd.conf (or tlid.conf) information is so useful that we insist
-     * on its availability. When no file is given run a series of educated
-     * guesses.
-     */
-    if (conf != 0) {
-	if ((fp = fopen(conf, "r")) == (FILE *)NULL) {
-	    fprintf(stderr, percent_m(buf, "open %s: %m\n"), conf);
-	    exit(1);
-	}
-    } else {
-	for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++)
-	     /* void */ ;
-	if (fp == (FILE *)NULL) {
-	    fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n");
-	    fprintf(stderr, "Please specify its location.\n");
-	    exit(1);
-	}
-	conf = inet_files[i];
-	check_path(conf, &st);
-    }
-
-    /*
-     * Process the file. After the 7.0 wrapper release it became clear that
-     * there are many more inetd.conf formats than the 8 systems that I had
-     * studied. EP/IX uses a two-line specification for rpc services; HP-UX
-     * permits long lines to be broken with backslash-newline.
-     */
-    tcpd_context.file = conf;
-    tcpd_context.line = 0;
-    while (xgets(buf, sizeof(buf), fp)) {
-	service = strtok(buf, whitespace);	/* service */
-	if (service == 0 || *service == '#')
-	    continue;
-	if (STR_NE(service, "stream") && STR_NE(service, "dgram"))
-	    strtok((char *) 0, whitespace);	/* endpoint */
-	protocol = strtok((char *) 0, whitespace);
-	(void) strtok((char *) 0, whitespace);	/* wait */
-	if ((user = strtok((char *) 0, whitespace)) == 0)
-	    continue;
-	if (user[0] == '/') {			/* user */
-	    path = user;
-	} else {				/* path */
-	    if ((path = strtok((char *) 0, whitespace)) == 0)
-		continue;
-	}
-	if (path[0] == '?')			/* IRIX optional service */
-	    path++;
-	if (STR_EQ(path, "internal"))
-	    continue;
-	if (path[strspn(path, "-0123456789")] == 0) {
-
-	    /*
-	     * ConvexOS puts RPC version numbers before path names. Jukka
-	     * Ukkonen <ukkonen@csc.fi>.
-	     */
-	    if ((path = strtok((char *) 0, whitespace)) == 0)
-		continue;
-	}
-	if ((arg0 = strtok((char *) 0, whitespace)) == 0) {
-	    tcpd_warn("incomplete line");
-	    continue;
-	}
-	if (arg0[strspn(arg0, "0123456789")] == 0) {
-
-	    /*
-	     * We're reading a tlid.conf file, the format is:
-	     * 
-	     * ...stuff... path arg_count arguments mod_count modules
-	     */
-	    if ((arg0 = strtok((char *) 0, whitespace)) == 0) {
-		tcpd_warn("incomplete line");
-		continue;
-	    }
-	}
-	if ((arg1 = strtok((char *) 0, whitespace)) == 0)
-	    arg1 = "";
-
-	inet_chk(protocol, path, arg0, arg1);
-    }
-    fclose(fp);
-    tcpd_context = saved_context;
-    return (conf);
-}
-
-/* inet_chk - examine one inetd.conf (tlid.conf?) entry */
-
-static void inet_chk(protocol, path, arg0, arg1)
-char   *protocol;
-char   *path;
-char   *arg0;
-char   *arg1;
-{
-    char    daemon[BUFSIZ];
-    struct stat st;
-    int     wrap_status = WR_MAYBE;
-    char   *base_name_path = base_name(path);
-    char   *tcpd_proc_name = (arg0[0] == '/' ? base_name(arg0) : arg0);
-
-    /*
-     * Always warn when the executable does not exist or when it is not
-     * executable.
-     */
-    if (check_path(path, &st) < 0) {
-	tcpd_warn("%s: not found: %m", path);
-    } else if ((st.st_mode & 0100) == 0) {
-	tcpd_warn("%s: not executable", path);
-    }
-
-    /*
-     * Cheat on the miscd tests, nobody uses it anymore.
-     */
-    if (STR_EQ(base_name_path, "miscd")) {
-	inet_set(arg0, WR_YES);
-	return;
-    }
-
-    /*
-     * While we are here...
-     */
-    if (STR_EQ(tcpd_proc_name, "rexd") || STR_EQ(tcpd_proc_name, "rpc.rexd"))
-	tcpd_warn("%s may be an insecure service", tcpd_proc_name);
-
-    /*
-     * The tcpd program gets most of the attention.
-     */
-    if (STR_EQ(base_name_path, "tcpd")) {
-
-	if (STR_EQ(tcpd_proc_name, "tcpd"))
-	    tcpd_warn("%s is recursively calling itself", tcpd_proc_name);
-
-	wrap_status = WR_YES;
-
-	/*
-	 * Check: some sites install the wrapper set-uid.
-	 */
-	if ((st.st_mode & 06000) != 0)
-	    tcpd_warn("%s: file is set-uid or set-gid", path);
-
-	/*
-	 * Check: some sites insert tcpd in inetd.conf, instead of replacing
-	 * the daemon pathname.
-	 */
-	if (arg0[0] == '/' && STR_EQ(tcpd_proc_name, base_name(arg1)))
-	    tcpd_warn("%s inserted before %s", path, arg0);
-
-	/*
-	 * Check: make sure files exist and are executable. On some systems
-	 * the network daemons are set-uid so we cannot complain. Note that
-	 * tcpd takes the basename only in case of absolute pathnames.
-	 */
-	if (arg0[0] == '/') {			/* absolute path */
-	    if (check_path(arg0, &st) < 0) {
-		tcpd_warn("%s: not found: %m", arg0);
-	    } else if ((st.st_mode & 0100) == 0) {
-		tcpd_warn("%s: not executable", arg0);
-	    }
-	} else {				/* look in REAL_DAEMON_DIR */
-	    snprintf(daemon, sizeof daemon, "%s/%s", REAL_DAEMON_DIR, arg0);
-	    if (check_path(daemon, &st) < 0) {
-		tcpd_warn("%s: not found in %s: %m",
-			  arg0, REAL_DAEMON_DIR);
-	    } else if ((st.st_mode & 0100) == 0) {
-		tcpd_warn("%s: not executable", daemon);
-	    }
-	}
-
-    } else {
-
-	/*
-	 * No tcpd program found. Perhaps they used the "simple installation"
-	 * recipe. Look for a file with the same basename in REAL_DAEMON_DIR.
-	 * Draw some conservative conclusions when a distinct file is found.
-	 */
-	snprintf(daemon, sizeof daemon, "%s/%s", REAL_DAEMON_DIR, arg0);
-	if (STR_EQ(path, daemon)) {
-	    wrap_status = WR_NOT;
-	} else if (check_path(daemon, &st) >= 0) {
-	    wrap_status = WR_MAYBE;
-	} else if (errno == ENOENT) {
-	    wrap_status = WR_NOT;
-	} else {
-	    tcpd_warn("%s: file lookup: %m", daemon);
-	    wrap_status = WR_MAYBE;
-	}
-    }
-
-    /*
-     * Alas, we cannot wrap rpc/tcp services.
-     */
-    if (wrap_status == WR_YES && STR_EQ(protocol, "rpc/tcp"))
-	tcpd_warn("%s: cannot wrap rpc/tcp services", tcpd_proc_name);
-
-    inet_set(tcpd_proc_name, wrap_status);
-}
-
-/* inet_set - remember service status */
-
-void    inet_set(name, type)
-char   *name;
-int     type;
-{
-    int len = strlen(name);	/* NUL is inside the struct */
-    struct inet_ent *ip =
-    (struct inet_ent *) malloc(sizeof(struct inet_ent) + len);
-
-    if (ip == 0) {
-	fprintf(stderr, "out of memory\n");
-	exit(1);
-    }
-    ip->next = inet_list;
-    strlcpy(ip->name, name, len);
-    ip->type = type;
-    inet_list = ip;
-}
-
-/* inet_get - look up service status */
-
-int     inet_get(name)
-char   *name;
-{
-    struct inet_ent *ip;
-
-    if (inet_list == 0)
-	return (WR_MAYBE);
-
-    for (ip = inet_list; ip; ip = ip->next)
-	if (STR_EQ(ip->name, name))
-	    return (ip->type);
-
-    return (-1);
-}
-
-/* base_name - compute last pathname component */
-
-static char *base_name(path)
-char   *path;
-{
-    char   *cp;
-
-    if ((cp = strrchr(path, '/')) != 0)
-	path = cp + 1;
-    return (path);
-}
diff --git a/libexec/tcpd/tcpdchk/inetcf.h b/libexec/tcpd/tcpdchk/inetcf.h
deleted file mode 100644
index b852efc7b2d..00000000000
--- a/libexec/tcpd/tcpdchk/inetcf.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/*	$OpenBSD: inetcf.h,v 1.3 2012/12/05 23:20:07 deraadt Exp $	*/
-
- /*
-  * @(#) inetcf.h 1.1 94/12/28 17:42:30
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-extern char *inet_cfg(char *);
-extern void inet_set(char *, int);
-extern int inet_get(char *);
-
-#define WR_UNKNOWN	(-1)		/* service unknown */
-#define WR_NOT		1		/* may not be wrapped */
-#define WR_MAYBE	2		/* may be wrapped */
-#define	WR_YES		3		/* service is wrapped */
diff --git a/libexec/tcpd/tcpdchk/scaffold.c b/libexec/tcpd/tcpdchk/scaffold.c
deleted file mode 100644
index ac8b05ba5e6..00000000000
--- a/libexec/tcpd/tcpdchk/scaffold.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*	$OpenBSD: scaffold.c,v 1.8 2009/10/27 23:59:32 deraadt Exp $	*/
-
- /*
-  * Routines for testing only. Not really industrial strength.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <setjmp.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include <tcpd.h>
-
-#ifndef INADDR_NONE
-#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
-#endif
-
-/* Application-specific. */
-
-#include "scaffold.h"
-
- /*
-  * These are referenced by the options module and by rfc931.c.
-  */
-int     allow_severity = SEVERITY;
-int     deny_severity = LOG_WARNING;
-int	rfc931_timeout = RFC931_TIMEOUT;
-
-/* find_inet_addr - find all addresses for this host, result to free() */
-
-struct addrinfo *find_inet_addr(host, flags)
-char   *host;
-int	flags;
-{
-    struct addrinfo hints, *res;
-    int error;
-
-    memset(&hints, 0, sizeof(hints));
-    hints.ai_socktype = SOCK_DGRAM;
-    hints.ai_flags = AI_CANONNAME | flags;
-    error = getaddrinfo(host, "0", &hints, &res);
-    if (error) {
-	tcpd_warn("%s: %s", host, gai_strerror(error));
-	return (0);
-    }
-
-    if (res->ai_canonname && STR_NE(host, res->ai_canonname)) {
-	tcpd_warn("%s: hostname alias", host);
-	tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname);
-    }
-    return (res);
-}
-
-/* check_dns - give each address thorough workout, return address count */
-
-int     check_dns(host)
-char   *host;
-{
-    struct request_info request;
-    struct sockaddr_storage ss;
-    struct addrinfo *res0, *res;
-    int     count;
-
-    if ((res0 = find_inet_addr(host, 0)) == NULL)
-	return (0);
-    memset(&ss, 0, sizeof(ss));
-    request_init(&request, RQ_CLIENT_SIN, &ss, 0);
-    sock_methods(&request);
-
-    count = 0;
-    for (res = res0; res; res = res->ai_next) {
-	count++;
-	if (res->ai_addrlen > sizeof(ss))
-	    continue;
-	memcpy(&ss, res->ai_addr, res->ai_addrlen);
-
-	/*
-	 * Force host name and address conversions. Use the request structure
-	 * as a cache. Detect hostname lookup problems. Any name/name or
-	 * name/address conflicts will be reported while eval_hostname() does
-	 * its job.
-	 */
-	request_set(&request, RQ_CLIENT_ADDR, "", RQ_CLIENT_NAME, "", 0);
-	if (STR_EQ(eval_hostname(request.client), unknown))
-	    tcpd_warn("host address %s->name lookup failed",
-		      eval_hostaddr(request.client));
-	    tcpd_warn("%s %s", eval_hostname(request.client), unknown);
-    }
-    freeaddrinfo(res0);
-    return (count);
-}
-
-/* dummy function to intercept the real shell_cmd() */
-
-/* ARGSUSED */
-
-void    shell_cmd(command)
-char   *command;
-{
-    if (hosts_access_verbose)
-	printf("command: %s", command);
-}
-
-/* dummy function  to intercept the real clean_exit() */
-
-/* ARGSUSED */
-
-void    clean_exit(request)
-struct request_info *request;
-{
-    exit(0);
-}
-
-/* dummy function  to intercept the real rfc931() */
-
-/* ARGSUSED */
-void    rfc931(a1, a2, d1)
-struct sockaddr *a1, *a2;
-char *d1;
-{
-}
-
-/* check_path - examine accessibility */
-
-int     check_path(path, st)
-char   *path;
-struct stat *st;
-{
-    struct stat stbuf;
-    char    buf[BUFSIZ];
-
-    if (stat(path, st) < 0)
-	return (-1);
-#ifdef notdef
-    if (st->st_uid != 0)
-	tcpd_warn("%s: not owned by root", path);
-    if (st->st_mode & 020)
-	tcpd_warn("%s: group writable", path);
-#endif
-    if (st->st_mode & 002)
-	tcpd_warn("%s: world writable", path);
-    if (path[0] == '/' && path[1] != 0) {
-	strrchr((strlcpy(buf, path, sizeof buf), buf), '/')[0] = 0;
-	(void) check_path(buf[0] ? buf : "/", &stbuf);
-    }
-    return (0);
-}
diff --git a/libexec/tcpd/tcpdchk/scaffold.h b/libexec/tcpd/tcpdchk/scaffold.h
deleted file mode 100644
index 7bb69bc18a2..00000000000
--- a/libexec/tcpd/tcpdchk/scaffold.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/*	$OpenBSD: scaffold.h,v 1.3 2002/06/07 03:32:04 itojun Exp $	*/
-
- /*
-  * @(#) scaffold.h 1.3 94/12/31 18:19:19
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
-extern struct addrinfo *find_inet_addr(char *, int);
-extern int check_dns(char *);
-extern int check_path(char *, struct stat *);
-__END_DECLS
diff --git a/libexec/tcpd/tcpdchk/tcpdchk.8 b/libexec/tcpd/tcpdchk/tcpdchk.8
deleted file mode 100644
index dedf5cd398f..00000000000
--- a/libexec/tcpd/tcpdchk/tcpdchk.8
+++ /dev/null
@@ -1,113 +0,0 @@
-.\"	$OpenBSD: tcpdchk.8,v 1.13 2008/05/17 23:31:52 sobrado Exp $
-.\"
-.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 17 2008 $
-.Dt TCPDCHK 8
-.Os
-.Sh NAME
-.Nm tcpdchk
-.Nd tcp wrapper configuration checker
-.Sh SYNOPSIS
-.Nm tcpdchk
-.Op Fl adv
-.Op Fl i Ar inet_conf
-.Sh DESCRIPTION
-.Nm
-examines your tcp wrapper configuration and reports all
-potential and real problems it can find.
-The program examines the
-.Xr tcpd 8
-access control files (by default, these are
-.Pa /etc/hosts.allow
-and
-.Pa /etc/hosts.deny ) ,
-and compares the
-entries in these files against entries in the
-.Xr inetd 8
-network configuration file.
-.Pp
-.Nm
-reports problems such as non-existent pathnames; services
-that appear in
-.Xr tcpd 8
-access control rules, but are not controlled by
-.Xr tcpd 8 ;
-services that should not be wrapped; non-existent host
-names or non-internet address forms; occurrences of host aliases
-instead of official host names; hosts with a name/address conflict;
-inappropriate use of wildcard patterns; inappropriate use of NIS
-netgroups or references to non-existent NIS netgroups; references to
-non-existent options; invalid arguments to options; and so on.
-.Pp
-Where possible,
-.Nm
-provides a helpful suggestion to fix the problem.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl a
-Report access control rules that permit access without an explicit
-ALLOW keyword.
-.\" This applies only when the extended access control
-.\" language is enabled (build with -DPROCESS_OPTIONS).
-.It Fl d
-Examine
-.Pa hosts.allow
-and
-.Pa hosts.deny
-files in the current directory instead of the default ones.
-.It Fl i Ar inet_conf
-Specify this option when
-.Nm
-is unable to find your
-.Pa inetd.conf
-network configuration file, or when you wish to test with a non-default one.
-.It Fl v
-Display the contents of each access control rule.
-Daemon lists, client lists, shell commands and options are shown in a
-pretty-printed format; this makes it easier for you to spot any
-discrepancies between what you want and what the program understands.
-.El
-.Sh FILES
-.Bl -tag -width /etc/hosts.allow -compact
-.It Pa /etc/hosts.allow
-access control table (allow list)
-.It Pa /etc/hosts.deny
-access control table (deny list)
-.El
-.Sh SEE ALSO
-.Xr hosts_access 5 ,
-.Xr hosts_options 5 ,
-.Xr inetd.conf 5 ,
-.Xr tcpdmatch 8
-.Sh AUTHORS
-.Bd -unfilled -offset indent
-Wietse Venema (wietse@wzv.win.tue.nl),
-Department of Mathematics and Computing Science,
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-.Ed
-.\" @(#) tcpdchk.8 1.3 95/01/08 17:00:30
diff --git a/libexec/tcpd/tcpdchk/tcpdchk.c b/libexec/tcpd/tcpdchk/tcpdchk.c
deleted file mode 100644
index 20213a83465..00000000000
--- a/libexec/tcpd/tcpdchk/tcpdchk.c
+++ /dev/null
@@ -1,507 +0,0 @@
-/*	$OpenBSD: tcpdchk.c,v 1.11 2009/10/27 23:59:32 deraadt Exp $	*/
-
- /*
-  * tcpdchk - examine all tcpd access control rules and inetd.conf entries
-  * 
-  * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
-  * 
-  * -a: complain about implicit "allow" at end of rule.
-  * 
-  * -d: rules in current directory.
-  * 
-  * -i: location of inetd.conf file.
-  * 
-  * -v: show all rules.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <setjmp.h>
-#include <errno.h>
-#include <netdb.h>
-#include <string.h>
-#include <unistd.h>
-#ifdef NETGROUP
-#include <netgroup.h>
-#endif
-
-#include <tcpd.h>
-
-#ifndef INADDR_NONE
-#define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
-#endif
-
-#ifndef S_ISDIR
-#define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
-#endif
-
-/* Application-specific. */
-
-#include "inetcf.h"
-#include "scaffold.h"
-
- /*
-  * Stolen from hosts_access.c...
-  */
-static char sep[] = ", \t\n";
-
-#define	BUFLEN 2048
-
-int     resident = 0;
-int     hosts_access_verbose = 0;
-char   *hosts_allow_table = HOSTS_ALLOW;
-char   *hosts_deny_table = HOSTS_DENY;
-extern jmp_buf tcpd_buf;
-
- /*
-  * Local stuff.
-  */
-static void usage(void);
-static void parse_table(char *, struct request_info *);
-static void print_list(char *, char *);
-static void check_daemon_list(char *);
-static void check_client_list(char *);
-static void check_daemon(char *);
-static void check_user(char *);
-#ifdef INET6
-static int check_inet_addr(char *);
-#endif
-static int check_host(char *);
-static int reserved_name(char *);
-
-#define PERMIT	1
-#define DENY	0
-
-#define YES	1
-#define	NO	0
-
-static int defl_verdict;
-static char *myname;
-static int allow_check;
-static char *inetcf;
-
-int     main(int argc, char *argv[])
-{
-    struct request_info request;
-    struct stat st;
-    int     c;
-
-    myname = argv[0];
-
-    /*
-     * Parse the JCL.
-     */
-    while ((c = getopt(argc, argv, "adi:v")) != -1) {
-	switch (c) {
-	case 'a':
-	    allow_check = 1;
-	    break;
-	case 'd':
-	    hosts_allow_table = "hosts.allow";
-	    hosts_deny_table = "hosts.deny";
-	    break;
-	case 'i':
-	    inetcf = optarg;
-	    break;
-	case 'v':
-	    hosts_access_verbose++;
-	    break;
-	default:
-	    usage();
-	    /* NOTREACHED */
-	}
-    }
-    if (argc != optind)
-	usage();
-
-    /*
-     * When confusion really strikes...
-     */
-    if (check_path(REAL_DAEMON_DIR, &st) < 0) {
-	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
-    } else if (!S_ISDIR(st.st_mode)) {
-	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
-    }
-
-    /*
-     * Process the inet configuration file (or its moral equivalent). This
-     * information is used later to find references in hosts.allow/deny to
-     * unwrapped services, and other possible problems.
-     */
-    inetcf = inet_cfg(inetcf);
-    if (hosts_access_verbose)
-	printf("Using network configuration file: %s\n", inetcf);
-
-    /*
-     * These are not run from inetd but may have built-in access control.
-     */
-    inet_set("portmap", WR_NOT);
-    inet_set("rpcbind", WR_NOT);
-
-    /*
-     * Check accessibility of access control files.
-     */
-    (void) check_path(hosts_allow_table, &st);
-    (void) check_path(hosts_deny_table, &st);
-
-    /*
-     * Fake up an arbitrary service request.
-     */
-    request_init(&request,
-		 RQ_DAEMON, "daemon_name",
-		 RQ_SERVER_NAME, "server_hostname",
-		 RQ_SERVER_ADDR, "server_addr",
-		 RQ_USER, "user_name",
-		 RQ_CLIENT_NAME, "client_hostname",
-		 RQ_CLIENT_ADDR, "client_addr",
-		 RQ_FILE, 1,
-		 0);
-
-    /*
-     * Examine all access-control rules.
-     */
-    defl_verdict = PERMIT;
-    parse_table(hosts_allow_table, &request);
-    defl_verdict = DENY;
-    parse_table(hosts_deny_table, &request);
-    return (0);
-}
-
-/* usage - explain */
-
-static void usage()
-{
-    fprintf(stderr, "usage: %s [-adv] [-i inet_conf]\n", myname);
-    fprintf(stderr, "	-a: report rules with implicit \"ALLOW\" at end\n");
-    fprintf(stderr, "	-d: use allow/deny files in current directory\n");
-    fprintf(stderr, "	-i: location of inetd.conf file\n");
-    fprintf(stderr, "	-v: list all rules\n");
-    exit(1);
-}
-
-/* parse_table - like table_match(), but examines _all_ entries */
-
-static void parse_table(table, request)
-char   *table;
-struct request_info *request;
-{
-    FILE   *fp;
-    int     real_verdict;
-    char    sv_list[BUFLEN];		/* becomes list of daemons */
-    char   *cl_list;			/* becomes list of requests */
-    char   *sh_cmd;			/* becomes optional shell command */
-#ifndef PROCESS_OPTIONS
-    char    buf[BUFSIZ];
-#endif
-    int     verdict;
-    struct tcpd_context saved_context;
-
-    saved_context = tcpd_context;		/* stupid compilers */
-
-    if ((fp = fopen(table, "r")) != (FILE *)NULL) {
-	tcpd_context.file = table;
-	tcpd_context.line = 0;
-	while (xgets(sv_list, sizeof(sv_list), fp)) {
-	    if (sv_list[strlen(sv_list) - 1] != '\n') {
-		tcpd_warn("missing newline or line too long");
-		continue;
-	    }
-	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
-		continue;
-	    if ((cl_list = split_at(sv_list, ':')) == 0) {
-		tcpd_warn("missing \":\" separator");
-		continue;
-	    }
-	    sh_cmd = split_at(cl_list, ':');
-
-	    if (hosts_access_verbose)
-		printf("\n>>> Rule %s line %d:\n",
-		       tcpd_context.file, tcpd_context.line);
-
-	    if (hosts_access_verbose)
-		print_list("daemons:  ", sv_list);
-	    check_daemon_list(sv_list);
-
-	    if (hosts_access_verbose)
-		print_list("clients:  ", cl_list);
-	    check_client_list(cl_list);
-
-#ifdef PROCESS_OPTIONS
-	    real_verdict = defl_verdict;
-	    if (sh_cmd) {
-		verdict = setjmp(tcpd_buf);
-		if (verdict != 0) {
-		    real_verdict = (verdict == AC_PERMIT);
-		} else {
-		    dry_run = 1;
-		    process_options(sh_cmd, request);
-		    if (dry_run == 1 && real_verdict && allow_check)
-			tcpd_warn("implicit \"allow\" at end of rule");
-		}
-	    } else if (defl_verdict && allow_check) {
-		tcpd_warn("implicit \"allow\" at end of rule");
-	    }
-	    if (hosts_access_verbose)
-		printf("access:   %s\n", real_verdict ? "granted" : "denied");
-#else
-	    if (sh_cmd)
-		shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
-	    if (hosts_access_verbose)
-		printf("access:   %s\n", defl_verdict ? "granted" : "denied");
-#endif
-	}
-	(void) fclose(fp);
-    } else if (errno != ENOENT) {
-	tcpd_warn("cannot open %s: %m", table);
-    }
-    tcpd_context = saved_context;
-}
-
-/* print_list - pretty-print a list */
-
-static void print_list(title, list)
-char   *title;
-char   *list;
-{
-    char    buf[BUFLEN];
-    char   *cp;
-    char   *next;
-
-    fputs(title, stdout);
-    strlcpy(buf, list, sizeof buf);
-
-    for (cp = strtok(buf, sep); cp != 0; cp = next) {
-	fputs(cp, stdout);
-	next = strtok((char *) 0, sep);
-	if (next != 0)
-	    fputs(" ", stdout);
-    }
-    fputs("\n", stdout);
-}
-
-/* check_daemon_list - criticize daemon list */
-
-static void check_daemon_list(list)
-char   *list;
-{
-    char    buf[BUFLEN];
-    char   *cp;
-    char   *host;
-    int     daemons = 0;
-
-    strlcpy(buf, list, sizeof buf);
-
-    for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
-	if (STR_EQ(cp, "EXCEPT")) {
-	    daemons = 0;
-	} else {
-	    daemons++;
-	    if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
-		tcpd_warn("host %s has more than one address", host);
-		tcpd_warn("(consider using an address instead)");
-	    }
-	    check_daemon(cp);
-	}
-    }
-    if (daemons == 0)
-	tcpd_warn("daemon list is empty or ends in EXCEPT");
-}
-
-/* check_client_list - criticize client list */
-
-static void check_client_list(list)
-char   *list;
-{
-    char    buf[BUFLEN];
-    char   *cp;
-    char   *host;
-    int     clients = 0;
-#ifdef INET6
-    int l;
-#endif
-
-    strlcpy(buf, list, sizeof buf);
-
-    for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
-#ifdef INET6
-	l = strlen(cp);
-	if (cp[0] == '[' && cp[l - 1] == ']') {
-	    cp[l - 1] = '\0';
-	    cp++;
-	}
-#endif
-	if (STR_EQ(cp, "EXCEPT")) {
-	    clients = 0;
-	} else {
-	    clients++;
-	    if ((host = split_at(cp + 1, '@')) != NULL) {	/* user@host */
-		check_user(cp);
-		check_host(host);
-	    } else {
-		check_host(cp);
-	    }
-	}
-    }
-    if (clients == 0)
-	tcpd_warn("client list is empty or ends in EXCEPT");
-}
-
-/* check_daemon - criticize daemon pattern */
-
-static void check_daemon(pat)
-char   *pat;
-{
-    if (pat[0] == '@') {
-	tcpd_warn("%s: daemon name begins with \"@\"", pat);
-    } else if (pat[0] == '.') {
-	tcpd_warn("%s: daemon name begins with dot", pat);
-    } else if (pat[0] == '\0') {
-	tcpd_warn("%s: daemon name begins with NUL", pat);
-    } else if (pat[strlen(pat) - 1] == '.') {
-	tcpd_warn("%s: daemon name ends in dot", pat);
-    } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
-	 /* void */ ;
-    } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
-	tcpd_warn("FAIL is no longer recognized");
-	tcpd_warn("(use EXCEPT or DENY instead)");
-    } else if (reserved_name(pat)) {
-	tcpd_warn("%s: daemon name may be reserved word", pat);
-    } else {
-	switch (inet_get(pat)) {
-	case WR_UNKNOWN:
-	    tcpd_warn("%s: no such process name in %s", pat, inetcf);
-	    inet_set(pat, WR_YES);		/* shut up next time */
-	    break;
-	case WR_NOT:
-	    tcpd_warn("%s: service possibly not wrapped", pat);
-	    inet_set(pat, WR_YES);
-	    break;
-	}
-    }
-}
-
-/* check_user - criticize user pattern */
-
-static void check_user(pat)
-char   *pat;
-{
-    if (pat[0] == '@') {			/* @netgroup */
-	tcpd_warn("%s: user name begins with \"@\"", pat);
-    } else if (pat[0] == '.') {
-	tcpd_warn("%s: user name begins with dot", pat);
-    } else if (pat[0] == '\0') {
-	tcpd_warn("%s: user name begins with NUL", pat);
-    } else if (pat[strlen(pat) - 1] == '.') {
-	tcpd_warn("%s: user name ends in dot", pat);
-    } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
-	       || STR_EQ(pat, "KNOWN")) {
-	 /* void */ ;
-    } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
-	tcpd_warn("FAIL is no longer recognized");
-	tcpd_warn("(use EXCEPT or DENY instead)");
-    } else if (reserved_name(pat)) {
-	tcpd_warn("%s: user name may be reserved word", pat);
-    }
-}
-
-#ifdef INET6
-static int check_inet_addr(pat)
-char	*pat;
-{
-	struct addrinfo *res;
-
-	res = find_inet_addr(pat, AI_NUMERICHOST);
-	if (res) {
-		freeaddrinfo(res);
-		return 1;
-	} else
-		return 0;
-}
-#endif
-
-/* check_host - criticize host pattern */
-static int check_host(pat)
-char   *pat;
-{
-    char   *mask;
-    int     addr_count = 1;
-
-    if (pat[0] == '@') {			/* @netgroup */
-#ifdef NO_NETGRENT
-	/* SCO has no *netgrent() support */
-#else
-#ifdef NETGROUP
-	const char   *machinep;
-	const char   *userp;
-	const char   *domainp;
-
-	setnetgrent(pat + 1);
-	if (getnetgrent(&machinep, &userp, &domainp) == 0)
-	    tcpd_warn("%s: unknown or empty netgroup", pat + 1);
-	endnetgrent();
-#else
-	tcpd_warn("netgroup support disabled");
-#endif
-#endif
-    } else if ((mask = split_at(pat, '/')) != NULL) {	/* network/netmask */
-#ifdef INET6
-	char *ep;
-#endif
-	if (dot_quad_addr_new(pat, NULL) && dot_quad_addr_new(mask, NULL))
-	    ; /*okay*/
-#ifdef INET6
-	else if (check_inet_addr(pat) && check_inet_addr(mask))
-	    ; /*okay*/
-	else if (check_inet_addr(pat) &&
-	    (ep = NULL, strtoul(mask, &ep, 10), ep && !*ep))
-	    ; /*okay*/
-#endif
-	else
-	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
-    } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
-	tcpd_warn("FAIL is no longer recognized");
-	tcpd_warn("(use EXCEPT or DENY instead)");
-    } else if (reserved_name(pat)) {		/* other reserved */
-	 /* void */ ;
-    } else if (NOT_INADDR(pat)) {		/* internet name */
-	if (pat[0] == '\0') {
-	    tcpd_warn("%s: domain or host name begins with NUL", pat);
-	} else if (pat[strlen(pat) - 1] == '.') {
-	    tcpd_warn("%s: domain or host name ends in dot", pat);
-	} else if (pat[0] != '.') {
-	    addr_count = check_dns(pat);
-	}
-    } else {					/* numeric form */
-	if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
-	    /* void */ ;
-	} else if (pat[0] == '.') {
-	    tcpd_warn("%s: network number begins with dot", pat);
-	} else if (pat[0] == '\0') {
-	    tcpd_warn("%s: network number begins with NUL", pat);
-	} else if (pat[strlen(pat) - 1] != '.') {
-	    check_dns(pat);
-	}
-    }
-    return (addr_count);
-}
-
-/* reserved_name - determine if name is reserved */
-
-static int reserved_name(pat)
-char   *pat;
-{
-    return (STR_EQ(pat, unknown)
-	    || STR_EQ(pat, "KNOWN")
-	    || STR_EQ(pat, paranoid)
-	    || STR_EQ(pat, "ALL")
-	    || STR_EQ(pat, "LOCAL"));
-}
diff --git a/libexec/tcpd/tcpdmatch/Makefile b/libexec/tcpd/tcpdmatch/Makefile
deleted file mode 100644
index f601a980d2b..00000000000
--- a/libexec/tcpd/tcpdmatch/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-#	$OpenBSD: Makefile,v 1.1 1997/02/26 06:17:10 downsj Exp $
-
-.PATH:	${.CURDIR}/../tcpdchk
-CFLAGS+=-I${.CURDIR}/../tcpdchk
-
-PROG=	tcpdmatch
-MAN=	tcpdmatch.8
-
-SRCS=	inetcf.c scaffold.c tcpdmatch.c
-
-DPADD=	${LIBWRAP}
-LDADD=	-lwrap
-
-BINDIR=	/usr/sbin
-
-.include <bsd.prog.mk>
diff --git a/libexec/tcpd/tcpdmatch/tcpdmatch.8 b/libexec/tcpd/tcpdmatch/tcpdmatch.8
deleted file mode 100644
index a88df85359c..00000000000
--- a/libexec/tcpd/tcpdmatch/tcpdmatch.8
+++ /dev/null
@@ -1,179 +0,0 @@
-.\"	$OpenBSD: tcpdmatch.8,v 1.15 2007/05/31 19:19:41 jmc Exp $
-.\"
-.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 31 2007 $
-.Dt TCPDMATCH 8
-.Os
-.Sh NAME
-.Nm tcpdmatch
-.Nd tcp wrapper oracle
-.Sh SYNOPSIS
-.Nm tcpdmatch
-.Op Fl d
-.Op Fl i Ar inet_conf
-.Ar daemon
-.Ar client
-.Pp
-.Nm tcpdmatch
-.Op Fl d
-.Op Fl i Ar inet_conf
-.Ar daemon Op Ar @server
-.Op Ar user@
-.Ar client
-.Sh DESCRIPTION
-.Nm
-predicts how the tcp wrapper would handle a specific request for service.
-Examples are given below.
-.Pp
-The program examines the
-.Xr tcpd 8
-access control tables (default
-.Pa /etc/hosts.allow
-and
-.Pa /etc/hosts.deny )
-and prints its conclusion.
-For maximal accuracy, it extracts additional information from your
-.Xr inetd 8
-network configuration file.
-.Pp
-When
-.Nm
-finds a match in the access control tables, it identifies the matched rule.
-In addition, it displays the optional
-shell commands or options in a pretty-printed format; this makes it
-easier for you to spot any discrepancies between what you want and what
-the program understands.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl d
-Examine
-.Pa hosts.allow
-and
-.Pa hosts.deny
-files in the current directory instead of the default ones.
-.It Fl i Ar inet_conf
-Specify this option when
-.Nm
-is unable to find your
-.Pa inetd.conf
-network configuration file, or when you wish to test with a non-default one.
-.El
-.Pp
-The following two arguments are always required:
-.Pp
-.Bl -tag -width XXXXXX -compact
-.It Ar daemon
-A daemon process name.
-Typically, the last component of a daemon executable pathname.
-.It Ar client
-A host name or network address, or one of the
-.Dq unknown
-or
-.Dq paranoid
-wildcard patterns.
-.El
-.Pp
-When a client host name is specified,
-.Nm
-gives a prediction for each address listed for that client.
-.Pp
-When a client address is specified,
-.Nm
-predicts what
-.Xr tcpd 8
-would do when client name lookup fails.
-.Pp
-Optional information specified with the
-.Ar daemon@server
-form:
-.Pp
-.Bl -tag -width XXXXXX -compact
-.It Ar server
-A host name or network address, or one of the
-.Dq unknown
-or
-.Dq paranoid
-wildcard patterns.
-The default server name is
-.Dq unknown .
-.El
-.Pp
-Optional information specified with the
-.Ar user@client
-form:
-.Pp
-.Bl -tag -width XXXXXX -compact
-.It Ar user
-A client user identifier.
-Typically, a login name or a numeric user ID.
-The default user name is
-.Dq unknown .
-.El
-.Sh FILES
-The default locations of the
-.Xr tcpd 8
-access control tables are:
-.Pp
-.Bl -tag -width /etc/hosts.allow -compact
-.It Pa /etc/hosts.allow
-access control table (allow list)
-.It Pa /etc/hosts.deny
-access control table (deny list)
-.El
-.Sh EXAMPLES
-To predict how
-.Xr tcpd 8
-would handle a telnet request from the local system:
-.Pp
-.Dl $ tcpdmatch telnetd localhost
-.Pp
-The same request, pretending that hostname lookup failed:
-.Pp
-.Dl $ tcpdmatch telnetd 127.0.0.1
-.Pp
-To predict what
-.Xr tcpd 8
-would do when the client name does not match the client address:
-.Pp
-.Dl $ tcpdmatch telnetd paranoid
-.\" .Pp
-.\" On some systems, daemon names have no `in.' prefix, or
-.\" .Nm tcpdmatch\
-.\" may need some help to locate the inetd configuration file.
-.Sh SEE ALSO
-.Xr hosts_access 5 ,
-.Xr hosts_options 5 ,
-.Xr inetd.conf 5 ,
-.Xr tcpdchk 8
-.Sh AUTHORS
-.Bd -unfilled -offset indent
-Wietse Venema (wietse@wzv.win.tue.nl),
-Department of Mathematics and Computing Science,
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-.Ed
-.\" @(#) tcpdmatch.8 1.5 96/02/11 17:01:35
diff --git a/libexec/tcpd/tcpdmatch/tcpdmatch.c b/libexec/tcpd/tcpdmatch/tcpdmatch.c
deleted file mode 100644
index ebb94f76227..00000000000
--- a/libexec/tcpd/tcpdmatch/tcpdmatch.c
+++ /dev/null
@@ -1,331 +0,0 @@
-/*	$OpenBSD: tcpdmatch.c,v 1.8 2009/10/27 23:59:32 deraadt Exp $	*/
-
- /*
-  * tcpdmatch - explain what tcpd would do in a specific case
-  * 
-  * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
-  * 
-  * -d: use the access control tables in the current directory.
-  * 
-  * -i: location of inetd.conf file.
-  * 
-  * All errors are reported to the standard error stream, including the errors
-  * that would normally be reported via the syslog daemon.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <setjmp.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-
-#include <tcpd.h>
-
-#ifndef	INADDR_NONE
-#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
-#endif
-
-#ifndef S_ISDIR
-#define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
-#endif
-
-/* Application-specific. */
-
-#include "inetcf.h"
-#include "scaffold.h"
-
-static void usage(char *);
-static void expand(char *, char *, struct request_info *);
-static void tcpdmatch(struct request_info *);
-
-/* The main program */
-
-int     main(int argc, char *argv[])
-{
-    struct addrinfo *res, *res0;
-    char   *myname = argv[0];
-    char   *client;
-    char   *server;
-    char   *user;
-    char   *daemon;
-    struct request_info request;
-    int     ch;
-    char   *inetcf = 0;
-    int     count;
-    struct sockaddr_storage server_ss;
-    struct sockaddr_storage client_ss;
-    struct stat st;
-
-    /*
-     * Show what rule actually matched.
-     */
-    hosts_access_verbose = 2;
-
-    /*
-     * Parse the JCL.
-     */
-    while ((ch = getopt(argc, argv, "di:")) != -1) {
-	switch (ch) {
-	case 'd':
-	    hosts_allow_table = "hosts.allow";
-	    hosts_deny_table = "hosts.deny";
-	    break;
-	case 'i':
-	    inetcf = optarg;
-	    break;
-	default:
-	    usage(myname);
-	    /* NOTREACHED */
-	}
-    }
-    if (argc != optind + 2)
-	usage(myname);
-
-    /*
-     * When confusion really strikes...
-     */
-    if (check_path(REAL_DAEMON_DIR, &st) < 0) {
-	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
-    } else if (!S_ISDIR(st.st_mode)) {
-	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
-    }
-
-    /*
-     * Default is to specify a daemon process name. When daemon@host is
-     * specified, separate the two parts.
-     */
-    if ((server = split_at(argv[optind], '@')) == 0)
-	server = unknown;
-    if (argv[optind][0] == '/') {
-	daemon = strrchr(argv[optind], '/') + 1;
-	tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
-    } else {
-	daemon = argv[optind];
-    }
-
-    /*
-     * Default is to specify a client hostname or address. When user@host is
-     * specified, separate the two parts.
-     */
-    if ((client = split_at(argv[optind + 1], '@')) != 0) {
-	user = argv[optind + 1];
-    } else {
-	client = argv[optind + 1];
-	user = unknown;
-    }
-
-    /*
-     * Analyze the inetd (or tlid) configuration file, so that we can warn
-     * the user about services that may not be wrapped, services that are not
-     * configured, or services that are wrapped in an incorrect manner. Allow
-     * for services that are not run from inetd, or that have tcpd access
-     * control built into them.
-     */
-    inetcf = inet_cfg(inetcf);
-    inet_set("portmap", WR_NOT);
-    inet_set("rpcbind", WR_NOT);
-    switch (inet_get(daemon)) {
-    case WR_UNKNOWN:
-	tcpd_warn("%s: no such process name in %s", daemon, inetcf);
-	break;
-    case WR_NOT:
-	tcpd_warn("%s: service possibly not wrapped", daemon);
-	break;
-    }
-
-    /*
-     * Check accessibility of access control files.
-     */
-    (void) check_path(hosts_allow_table, &st);
-    (void) check_path(hosts_deny_table, &st);
-
-    /*
-     * Fill in what we have figured out sofar. Use socket and DNS routines
-     * for address and name conversions. We attach stdout to the request so
-     * that banner messages will become visible.
-     */
-    request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
-    sock_methods(&request);
-
-    /*
-     * If a server hostname is specified, insist that the name maps to at
-     * most one address. eval_hostname() warns the user about name server
-     * problems, while using the request.server structure as a cache for host
-     * address and name conversion results.
-     */
-    if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
-	if ((res0 = find_inet_addr(server, 0)) == NULL)
-	    exit(1);
-	memset((char *) &server_ss, 0, sizeof(server_ss));
-	request_set(&request, RQ_SERVER_SIN, &server_ss, 0);
-
-	count = 0;
-	for (res = res0; res; res = res->ai_next) {
-	    count++;
-	    if (res->ai_addrlen > sizeof(server_ss))
-		continue;
-	    memcpy(&server_ss, res->ai_addr, res->ai_addrlen);
-
-	    /*
-	     * Force evaluation of server host name and address. Host name
-	     * conflicts will be reported while eval_hostname() does its job.
-	     */
-	    request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
-	    if (STR_EQ(eval_hostname(request.server), unknown))
-		tcpd_warn("host address %s->name lookup failed",
-			  eval_hostaddr(request.server));
-	}
-	if (count > 1) {
-	    fprintf(stderr, "Error: %s has more than one address\n", server);
-	    fprintf(stderr, "Please specify an address instead\n");
-	    exit(1);
-	}
-	freeaddrinfo(res0);
-    } else {
-	request_set(&request, RQ_SERVER_NAME, server, 0);
-    }
-
-    /*
-     * If a client address is specified, we simulate the effect of client
-     * hostname lookup failure.
-     */
-    res0 = find_inet_addr(client, AI_NUMERICHOST);
-    if (res0 && !res0->ai_next) {
-	request_set(&request, RQ_CLIENT_SIN, res0->ai_addr);
-	tcpdmatch(&request);
-	freeaddrinfo(res0);
-	exit(0);
-    }
-    if (res0)
-	freeaddrinfo(res0);
-
-    /*
-     * Perhaps they are testing special client hostname patterns that aren't
-     * really host names at all.
-     */
-    if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
-	request_set(&request, RQ_CLIENT_NAME, client, 0);
-	tcpdmatch(&request);
-	exit(0);
-    }
-
-    /*
-     * Otherwise, assume that a client hostname is specified, and insist that
-     * the address can be looked up. The reason for this requirement is that
-     * in real life the client address is available (at least with IP). Let
-     * eval_hostname() figure out if this host is properly registered, while
-     * using the request.client structure as a cache for host name and
-     * address conversion results.
-     */
-    if ((res0 = find_inet_addr(client, 0)) == NULL)
-	exit(1);
-    memset((char *) &client_ss, 0, sizeof(client_ss));
-    request_set(&request, RQ_CLIENT_SIN, &client_ss, 0);
-
-    count = 0;
-    for (res = res0; res; res = res->ai_next) {
-	count++;
-	if (res->ai_addrlen > sizeof(client_ss))
-	    continue;
-	memcpy(&client_ss, res->ai_addr, res->ai_addrlen);
-
-	/*
-	 * Force evaluation of client host name and address. Host name
-	 * conflicts will be reported while eval_hostname() does its job.
-	 */
-	request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
-	if (STR_EQ(eval_hostname(request.client), unknown))
-	    tcpd_warn("host address %s->name lookup failed",
-		      eval_hostaddr(request.client));
-	tcpdmatch(&request);
-	if (res->ai_next)
-	    printf("\n");
-    }
-    freeaddrinfo(res0);
-    exit(0);
-}
-
-/* Explain how to use this program */
-
-static void usage(myname)
-char   *myname;
-{
-    fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
-	    myname);
-    fprintf(stderr, "	-d: use allow/deny files in current directory\n");
-    fprintf(stderr, "	-i: location of inetd.conf file\n");
-    exit(1);
-}
-
-/* Print interesting expansions */
-
-static void expand(text, pattern, request)
-char   *text;
-char   *pattern;
-struct request_info *request;
-{
-    char    buf[BUFSIZ];
-
-    if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown))
-	printf("%s %s\n", text, buf);
-}
-
-/* Try out a (server,client) pair */
-
-static void tcpdmatch(request)
-struct request_info *request;
-{
-    int     verdict;
-
-    /*
-     * Show what we really know. Suppress uninteresting noise.
-     */
-    expand("client:   hostname", "%n", request);
-    expand("client:   address ", "%a", request);
-    expand("client:   username", "%u", request);
-    expand("server:   hostname", "%N", request);
-    expand("server:   address ", "%A", request);
-    expand("server:   process ", "%d", request);
-
-    /*
-     * Reset stuff that might be changed by options handlers. In dry-run
-     * mode, extension language routines that would not return should inform
-     * us of their plan, by clearing the dry_run flag. This is a bit clumsy
-     * but we must be able to verify hosts with more than one network
-     * address.
-     */
-    rfc931_timeout = RFC931_TIMEOUT;
-    allow_severity = SEVERITY;
-    deny_severity = LOG_WARNING;
-    dry_run = 1;
-
-    /*
-     * When paranoid mode is enabled, access is rejected no matter what the
-     * access control rules say.
-     */
-#ifdef PARANOID
-    if (STR_EQ(eval_hostname(request->client), paranoid)) {
-	printf("access:   denied (PARANOID mode)\n\n");
-	return;
-    }
-#endif
-
-    /*
-     * Report the access control verdict.
-     */
-    verdict = hosts_access(request);
-    printf("access:   %s\n",
-	   dry_run == 0 ? "delegated" :
-	   verdict ? "granted" : "denied");
-}