From owner-freebsd-security Fri Sep 11 22:33:45 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id WAA27615
          for freebsd-security-outgoing; Fri, 11 Sep 1998 22:33:45 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA27610
          for ; Fri, 11 Sep 1998 22:33:41 -0700 (PDT)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
          by fledge.watson.org (8.8.8/8.8.8) with SMTP id BAA11759;
          Sat, 12 Sep 1998 01:33:09 -0400 (EDT)
Date: Sat, 12 Sep 1998 01:33:09 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Jordan K. Hubbard"
cc: Roger Marquis , freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <23352.905573432@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Jordan K. Hubbard wrote:

> > The recommended sshd startup method used to be /etc/rc*(/*), probably
> > for historical reasons. It may still be a good idea on slow CPUs,
> > where it can take a while to generate a session key, or where
> > inetd.conf isn't running, however, in my experience, sshd is much more
> > reliably run from inetd.
>
> I haven't had that experience myself, so I guess it's one of those
> different strokes kinda issues.

The one funny thing I've experienced with sshd (+kerberosIV/AFS patches)
is that every hour during key regeneration, no one can log in.
Connections are accepted via TCP, and the SSH version number banner is
passed back, but no logins are allowed during the key generation (users
get a login refused of some kind).
I believe that is the event that results in this effect) Running it from
inetd might improve that arrangement, but on my slower machines the key
generation time from running it out of inetd would really suck. :)

I keep meaning to track this down but haven't yet.

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message