From owner-freebsd-ports  Sat Dec 25 13:50: 9 1999
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id A8A0F14E24
	for <freebsd-ports@FreeBSD.org>; Sat, 25 Dec 1999 13:50:07 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id NAA43389;
	Sat, 25 Dec 1999 13:50:07 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 497B414D6B; Sat, 25 Dec 1999 13:49:47 -0800 (PST)
Message-Id: <19991225214947.497B414D6B@hub.freebsd.org>
Date: Sat, 25 Dec 1999 13:49:47 -0800 (PST)
From: marquis@roble.com
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: ports/15691: Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         15691
>Category:       ports
>Synopsis:       Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 25 13:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Roger Marquis
>Release:        any
>Organization:
Roble Systems
>Environment:
n/a
>Description:
All ssh ports to date (/usr/ports/security/ssh*) assume that sshd will
be running as a standalone daemon and fail to check whether sshd is
started from inetd.

Where there is both an inetd and a standalone daemon, errors or problems
logging in from ssh clients can occur, which can result in a denial
of service or lock-out situation when "make install" is used to install
the daemon on a system where it is already started from inetd.

Yes, we've heard the recommendation not to run sshd from inetd.conf;
however, where inetd is running it makes no sense not to use it.
There's also a higher vulnerability to DOS attacks to a standalone
sshd than to inetd.  Finally, the time to generate a session key is
effectively zero on systems faster than 250MHz.
>How-To-Repeat:

>Fix:
Fix the Makefile, i.e.,

# Install the startup script only when inetd.conf has no ssh line
# other than ones beginning with "#ssh". The whole test is one recipe
# command, so every line but the last ends in a backslash.
	@if [ "`grep ssh /etc/inetd.conf | grep -v '^#ssh'`" = "" ]; then \
		if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
			${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
			${ECHO} "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
			${ECHO} "[ -x ${PREFIX}/sbin/sshd ] && ${PREFIX}/sbin/sshd && ${ECHO} -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
			${CHMOD} 751 ${PREFIX}/etc/rc.d/sshd.sh; \
		fi; \
	fi

>Release-Note:
>Audit-Trail:
>Unformatted:
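
The check requested in this report, as an added example that is not part of the problem report or of the ports tree: a field-based test of inetd.conf that ignores commented-out entries however they are indented and only then writes the startup script. The function names, the status words and the sample inetd.conf lines are constructed for illustration; treating any active entry whose server program is sshd as "started from inetd" is an assumption.

```shell
#!/bin/sh
# Added example: skip the rc.d script when inetd already serves sshd.

# inetd_runs_sshd FILE
# Exit 0 if FILE has an active entry for sshd: the line is not a comment
# (leading whitespace allowed) and either the service name (field 1) is
# "ssh" or the server program (field 6) is sshd. Exit 1 otherwise,
# including when FILE is missing or unreadable.
inetd_runs_sshd() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        $1 == "ssh" || $6 ~ /(^|\/)sshd$/ { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# install_sshd_rc INETD_CONF PREFIX
# Write PREFIX/etc/rc.d/sshd.sh unless inetd already starts sshd or the
# script exists. Prints "skipped-inetd", "exists" or "installed".
install_sshd_rc() {
    rc="$2/etc/rc.d/sshd.sh"
    if inetd_runs_sshd "$1"; then echo skipped-inetd; return 0; fi
    if [ -f "$rc" ]; then echo exists; return 0; fi
    mkdir -p "$2/etc/rc.d" || return 1
    {
        echo '#!/bin/sh'
        echo "[ -x $2/sbin/sshd ] && $2/sbin/sshd && echo -n ' sshd'"
    } > "$rc" && chmod 751 "$rc" && echo installed
}

# Constructed sample inetd.conf contents, installed into a scratch prefix.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# ssh stream tcp nowait root /usr/local/sbin/sshd sshd -i' \
        'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' > "$tmp/off.conf"
    printf '%s\n' 'ssh stream tcp nowait root /usr/local/sbin/sshd sshd -i' \
        > "$tmp/on.conf"
    install_sshd_rc "$tmp/on.conf" "$tmp/p1"    # inetd entry is active
    install_sshd_rc "$tmp/off.conf" "$tmp/p2"   # entry is commented out
    rm -rf "$tmp"
}
demo
```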

