[emaste]

The linked blog post gives the impression that little has changed, but it is very much not the case.

Taking a look at the first section, "OpenSSH Modifications" - rather little of it is current. With respect to ciphers disabled by default in upstream we may follow along in main but leave them enabled in a stable/release branch, in an attempt to avoid breaking existing users while deprecating increasingly insecure options over time. We do indeed add support for tcp_wrappers back in. With respect to the base system I think the rest of the section is not applicable.

[acoppora]

Why is tcp wrappers still there? The overlying theme of the SSH section is about going against upstream in the name of backwards compatibility, which it sounds like FreeBSD still does (albeit to a smaller degree).

[emaste]

tcp_wrappers is still there because it provides functionality not otherwise available that is still used, and has a relatively small impact on the attack surface.