
From a HN thread 6 years ago where @cperciva wrote:

> Some things fall into the category of "we can't change this overnight because we have users, but it will be changing in the future".

I get and appreciate what's said above. But 6 years also seems like a long time for FreeBSD to not address some of these things.

https://news.ycombinator.com/item?id=11318788




The linked blog post gives the impression that little has changed, but it is very much not the case.

Taking a look at the first section, "OpenSSH Modifications" - rather little of it is current. With respect to ciphers disabled by default in upstream we may follow along in main but leave them enabled in a stable/release branch, in an attempt to avoid breaking existing users while deprecating increasingly insecure options over time. We do indeed add support for tcp_wrappers back in. With respect to the base system I think the rest of the section is not applicable.


Why is tcp wrappers still there? The overlying theme of the SSH section is about going against upstream in the name of backwards compatibility, which it sounds like FreeBSD still does (albeit to a smaller degree).


tcp_wrappers is still there because it provides functionality not otherwise available that is still used, and has a relatively small impact on the attack surface.


Well, you see, there are still some users even 6 years later that are using FreeBSD, so they can't change it yet. Maybe in another 6 years nobody will use it so they finally will be able to change it? Only time can tell!



