Date:      Sat, 25 Dec 1999 13:49:47 -0800 (PST)
From:      marquis@roble.com
To:        freebsd-gnats-submit@freebsd.org
Subject:   ports/15691: Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
Message-ID:  <19991225214947.497B414D6B@hub.freebsd.org>


>Number:         15691
>Category:       ports
>Synopsis:       Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 25 13:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Roger Marquis
>Release:        any
>Organization:
Roble Systems
>Environment:
n/a
>Description:
All ssh ports to-date (/usr/ports/security/ssh*) assume that sshd will
be running as a standalone daemon and fail to check whether sshd is
started from inetd.  

Where there is both an inetd and a standalone daemon, errors or problems
logging in from ssh clients can occur, which can result in a denial
of service or lock-out situation when "make install" is used to install
the daemon on a system where it is already started from inetd.

Yes, we've heard the recommendation not to run sshd from inetd.conf;
however, where inetd is running it makes no sense not to use it.
There's also a higher vulnerability to DOS attacks to a standalone
sshd than to inetd.  Finally, the time to generate a session key is
effectively zero on systems faster than 250MHz.
>How-To-Repeat:

>Fix:
Fix the Makefile, i.e.:

# Create the rc.d startup script only when inetd.conf has no active ssh entry.
	@if [ -z "`grep ssh /etc/inetd.conf | grep -v '^#ssh'`" ]; then \
		if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
			${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
			${ECHO} "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
			${ECHO} "[ -x ${PREFIX}/sbin/sshd ] && ${PREFIX}/sbin/sshd && ${ECHO} -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
			${CHMOD} 751 ${PREFIX}/etc/rc.d/sshd.sh; \
		fi; \
	fi

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
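
The check from the Fix section, carried a step further as an added example (not code from the PR or from the ssh ports): it matches the inetd.conf service field exactly instead of grepping whole lines, and reports when both an inetd entry and an rc.d script are present. The function names, the default PREFIX of /usr/local and the service name `ssh` are assumptions.

```sh
#!/bin/sh
# Added example, not code from the PR or the ssh ports.

# inetd_has_service FILE SERVICE
# Succeeds when FILE has a live entry whose first field is exactly SERVICE.
# Comparing the field (not grepping the line) ignores "#ssh ...", "# ssh ..."
# and lines that only mention ssh elsewhere, e.g. in a path.
inetd_has_service() {
    [ -r "$1" ] || return 1
    awk -v svc="$2" '$1 == svc { found = 1 } END { exit !found }' "$1"
}

# sshd_start_mode [INETD_CONF] [RC_SCRIPT]
# Prints inetd, standalone, conflict (both configured) or none.
# Defaults assume PREFIX=/usr/local and a service entry named "ssh".
sshd_start_mode() {
    conf=${1:-/etc/inetd.conf}
    rc=${2:-/usr/local/etc/rc.d/sshd.sh}
    via_inetd=no; via_rc=no
    if inetd_has_service "$conf" ssh; then via_inetd=yes; fi
    if [ -f "$rc" ]; then via_rc=yes; fi
    case "$via_inetd:$via_rc" in
        yes:yes) echo conflict ;;
        yes:no)  echo inetd ;;
        no:yes)  echo standalone ;;
        *)       echo none ;;
    esac
}

# Demo on a constructed inetd.conf: only the last line is a live ssh entry.
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
#ssh stream tcp nowait root /usr/local/sbin/sshd sshd -i
# ssh moved to standalone
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
ssh stream tcp nowait root /usr/local/sbin/sshd sshd -i
EOF
: > "$demo/sshd.sh"    # stands in for an installed rc.d startup script
echo "mode: $(sshd_start_mode "$demo/inetd.conf" "$demo/sshd.sh")"
rm -rf "$demo"
```

A result of `conflict` is the state the report describes: sshd listed in inetd.conf while an rc.d script would also start it standalone.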



