Date: Mon, 14 Sep 1998 00:21:55 -0500
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Roger Marquis <marquis@roble.com>, freebsd-security@FreeBSD.ORG
Subject: Re: sshd
Message-ID: <3.0.3.32.19980914002155.0078fb78@207.227.119.2>
In-Reply-To: <Pine.SUN.3.96.980912195112.21513A-100000@roble.com>
References: <xzpbtokesgh.fsf@hvergelmir.ifi.uio.no>
At 07:59 PM 9/12/98 -0700, Roger Marquis wrote:
>If you're running inetd then it doesn't seem consistent to start
>daemons that don't need to run all the time from startup scripts.
>Inetd was designed to conserve memory. If you have it why not use it?
>/etc/inetd.conf is also a common place to implement access control (via
>tcp_wrappers).
The parent only takes up about 600K or so. As someone mentioned, keeping ssh out of inetd gives you a backup access method, which would be telnet w/SKEY.
>Other than that I've frequently run into situations where keepalives
>had to be turned off. In those cases ssh sessions invariably die and
>their daemons have to be killed-off by hand (kill <PID>). As it is
>difficult to tell the original daemon from the child daemons it's also
>easy to accidentally kill the parent. If ssh is the only access you're
>locked-out. Easier and more consistent to use inetd where it's
>available, IMHO and YMMV.
Rarely have I seen hung sessions, even after being rudely disconnected by the ISP(s) I connect into. Even then what's so difficult about killing the child?
# ps -ax -o uid,pid,ppid,state,tt,start,time,command | grep ssh
  UID   PID  PPID STAT  TT  STARTED       TIME COMMAND
    0   149     1 Is    ??  Fri06AM    0:05.52 /usr/local/sbin/sshd (sshd1)
    0 28319   149 S     ??  10:35PM    0:09.78 /usr/local/sbin/sshd (sshd1)
Only one session leader here and killing the parent would be bad form. 8-)
FWIW, you can -HUP the parent while on an active ssh session and not be disconnected. If you use -HUP the worst that you could do is disconnect someone.
Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
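
Added example, not part of the original message: a small shell helper that uses the PPID column of the ps output shown above to tell the listening sshd from per-session children before anything is killed. It assumes the column order of the ps command in the message (UID PID PPID STAT TT STARTED TIME COMMAND); the function names and the third sample row are constructed for illustration.

```shell
#!/bin/sh
# Classify sshd processes by parentage so the listener is never killed by mistake.
# Assumed input: output of
#   ps -ax -o uid,pid,ppid,state,tt,start,time,command
# where field 2 is PID, field 3 is PPID and field 8 is the command path.

# Constructed sample: the two sshd rows from the message plus one
# constructed login shell row to show that non-sshd processes are ignored.
sample_ps() {
cat <<'EOF'
UID PID PPID STAT TT STARTED TIME COMMAND
0 149 1 Is ?? Fri06AM 0:05.52 /usr/local/sbin/sshd (sshd1)
0 28319 149 S ?? 10:35PM 0:09.78 /usr/local/sbin/sshd (sshd1)
1001 28320 28319 Ss p0 10:35PM 0:00.10 -csh (csh)
EOF
}

# Listener: an sshd whose parent is not itself an sshd (normally PPID 1).
sshd_listener() {
    awk '$8 ~ /sshd$/ { ppid[$2] = $3 }
         END { for (p in ppid) if (!(ppid[p] in ppid)) print p }' | sort -n
}

# Sessions: sshd processes whose parent is another sshd.
sshd_sessions() {
    awk '$8 ~ /sshd$/ { ppid[$2] = $3 }
         END { for (p in ppid) if (ppid[p] in ppid) print p }' | sort -n
}

# Succeeds only when PID $1 is a session child; use it as a guard before kill.
is_session() {
    sshd_sessions | grep -qx "$1"
}
```

On a live system the guard would be used as `ps -ax -o uid,pid,ppid,state,tt,start,time,command | is_session PID && kill PID`, which refuses to signal the parent.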
