Date: Sat, 25 Dec 1999 13:49:47 -0800 (PST)
From: marquis@roble.com
To: freebsd-gnats-submit@freebsd.org
Subject: ports/15691: Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
Message-ID: <19991225214947.497B414D6B@hub.freebsd.org>

>Number:         15691
>Category:       ports
>Synopsis:       Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 25 13:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Roger Marquis
>Release:        any
>Organization:
Roble Systems
>Environment:
n/a
>Description:
All ssh ports to-date (/usr/ports/security/ssh*) assume that sshd will be
running as a standalone daemon and fail to check whether sshd is started
from inetd. Where there is both an inetd and a standalone daemon, errors or
problems logging in from ssh clients can occur, which can result in a denial
of service or lock-out situation when "make install" is used to install the
daemon on a system where it is already started from inetd.

Yes, we've heard the recommendation not to run sshd from inetd.conf; however,
where inetd is running it makes no sense not to use it. There's also a higher
vulnerability to DOS attacks to a standalone sshd than to inetd. Finally, the
time to generate a session key is effectively zero on systems faster than
250MHz.
>How-To-Repeat:
>Fix:
fix the Makefile i.e.,

	# Install the standalone startup script only when no active ssh entry
	# exists in /etc/inetd.conf and the script is not already present.
	@if [ "`grep ssh /etc/inetd.conf | grep -v '^#ssh'`" = "" ]; then \
		if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
			${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
			${ECHO} "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
			${ECHO} "[ -x ${PREFIX}/sbin/sshd ] && ${PREFIX}/sbin/sshd && ${ECHO} -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
			${CHMOD} 751 ${PREFIX}/etc/rc.d/sshd.sh; \
		fi; \
	fi
>Release-Note:
>Audit-Trail:
>Unformatted:
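The check proposed in the report, as an added example that is not part of the original message or of the ports tree: it parses inetd.conf by field instead of grepping for "ssh", so indented or "# ssh" comments and unrelated lines that merely mention ssh do not change the result. The function names `inetd_runs_sshd` and `install_sshd_rc` are hypothetical, and the code assumes the usual inetd.conf layout (service name in field 1, server program in field 6, its argv[0] in field 7).

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the PR or the port.

# Return 0 if an active (uncommented) inetd.conf entry starts sshd, else 1.
# Usage: inetd_runs_sshd [path-to-inetd.conf]
inetd_runs_sshd() {
    conf="${1:-/etc/inetd.conf}"
    [ -r "$conf" ] || return 1
    awk '
        /^[ \t]*#/ { next }   # comment line, including indented and "# ssh" forms
        NF < 6     { next }   # not a complete service entry
        # Match on the service name, the server program, or argv[0]
        # (the latter covers entries that run sshd through a wrapper).
        $1 == "ssh" || $6 ~ /(^|\/)sshd$/ || $7 ~ /(^|\/)sshd$/ { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Write the standalone startup script only when inetd does not already
# start sshd and the script does not exist yet.
# Usage: install_sshd_rc <prefix> [path-to-inetd.conf]
install_sshd_rc() {
    prefix="$1"
    conf="${2:-/etc/inetd.conf}"
    rc="$prefix/etc/rc.d/sshd.sh"

    if inetd_runs_sshd "$conf"; then
        echo "sshd is started from inetd; not installing $rc" >&2
        return 0
    fi
    if [ -f "$rc" ]; then
        return 0
    fi

    echo "Installing $rc startup file."
    mkdir -p "$prefix/etc/rc.d"
    printf '%s\n' '#!/bin/sh' \
        "[ -x $prefix/sbin/sshd ] && $prefix/sbin/sshd && echo -n ' sshd'" > "$rc"
    chmod 751 "$rc"
}
```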