From: "Jeffrey J. Mountin"
To: Roger Marquis, freebsd-security@FreeBSD.ORG
Date: Mon, 14 Sep 1998 00:21:55 -0500
Subject: Re: sshd
Message-Id: <3.0.3.32.19980914002155.0078fb78@207.227.119.2>

At 07:59 PM 9/12/98 -0700, Roger Marquis wrote:
>If you're running inetd then it doesn't seem consistent to start
>daemons that don't need to run all the time from startup scripts.
>Inetd was designed to conserve memory. If you have it why not use it?
>/etc/inetd.conf is also a common place to implement access control (via
>tcp_wrappers).

The parent only takes up about 600K or so.  As someone mentioned, keeping
ssh out of inetd gives you a backup access method, which would be telnet
w/SKEY.

>Other than that I've frequently run into situations where keepalives
>had to be turned off. In those cases ssh sessions invariably die and
>their daemons have to be killed-off by hand (kill ). As it is
>difficult to tell the original daemon from the child daemons it's also
>easy to accidentally kill the parent. If ssh is the only access you're
>locked-out. Easier and more consistent to use inetd where it's
>available, IMHO and YMMV.

Rarely have I seen hung sessions, even after being rudely disconnected by
the ISP(s) I connect into.  Even then what's so difficult about killing
the child?

# ps -ax -o uid,pid,ppid,state,tt,start,time,command | grep ssh
UID   PID  PPID STAT TT  STARTED    TIME COMMAND
  0   149     1 Is   ??  Fri06AM 0:05.52 /usr/local/sbin/sshd (sshd1)
  0 28319   149 S    ??  10:35PM 0:09.78 /usr/local/sbin/sshd (sshd1)

Only one session leader here and killing the parent would be bad form. 8-)

FWIW, you can -HUP the parent while on an active ssh session and not be
disconnected.  If you use -HUP the worst that you could do is disconnect
someone.

Jeff Mountin - Unix Systems
TCP/IP networking
jeff@mountin.net
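The parent/child distinction that the ps listing above relies on, as an added example that is not from the mail or from FreeBSD: a small shell helper (the function names and the sample ps rows are my own construction, modelled on the two sshd lines quoted) that separates the listening sshd from its per-session children, so a hung session can be killed without touching the parent, and a SIGHUP goes only to the listener.

```shell
#!/bin/sh
# Added example, not part of the original mail.  Input is assumed to be
# "ps -ax -o pid,ppid,command" output: one process per line, PID PPID COMMAND...

# $1 = file holding ps output, $2 = "children" or "parents".
# Pass 1 collects every PID whose command is sshd; pass 2 classifies each
# sshd row by whether its parent is itself an sshd (a session child) or
# not (the listener, whose parent is init in the standalone case).
sshd_select() {
    awk -v want="$2" '
        function is_sshd(cmd,  p, n) { n = split(cmd, p, "/"); return p[n] == "sshd" }
        NR == FNR { if (is_sshd($3)) seen[$1] = 1; next }  # pass 1: sshd PIDs
        !is_sshd($3) { next }                              # pass 2: sshd rows only
        want == "children" && ($2 in seen) { print $1 }    # parent is sshd: session
        want == "parents"  && !($2 in seen) { print $1 }   # parent is not: listener
    ' "$1" "$1"
}

# Per-session children: safe to kill one-by-one when a session hangs.
sshd_session_pids() { sshd_select "$1" children; }
# The listener: the one that gets -HUP (config reload), never a kill.
sshd_parent_pids()  { sshd_select "$1" parents; }

# Constructed sample in the assumed layout (second session and csh row made up).
SAMPLE_PS=$(mktemp)
cat > "$SAMPLE_PS" <<'EOF'
  PID  PPID COMMAND
    1     0 /sbin/init --
  149     1 /usr/local/sbin/sshd (sshd1)
28319   149 /usr/local/sbin/sshd (sshd1)
28402   149 /usr/local/sbin/sshd (sshd1)
28410 28319 -csh
EOF

# Live use would be:
#   ps -ax -o pid,ppid,command > /tmp/ps.out && sshd_session_pids /tmp/ps.out
echo "listener: $(sshd_parent_pids "$SAMPLE_PS")"
echo "sessions: $(sshd_session_pids "$SAMPLE_PS" | tr '\n' ' ')"
```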