Date: Mon, 14 Sep 1998 02:22:58 -0400 (EDT) From: spork <spork@super-g.com> To: "Jeffrey J. Mountin" <jeff-ml@mountin.net> Cc: Roger Marquis <marquis@roble.com>, freebsd-security@FreeBSD.ORG Subject: Re: sshd Message-ID: <Pine.BSF.4.00.9809140219060.4728-100000@super-g.inch.com> In-Reply-To: <3.0.3.32.19980914002155.0078fb78@207.227.119.2>
next in thread | previous in thread | raw e-mail | index | archive | help
Data Point: A dozen machines, all running sshd as a daemon. Been doing it for more than two years. Number of times sshd died: 0 Number of times inetd died: 4-ish (junk pointer, too low to make sense) Number of years since machines that don't need inetd services have been running with no inetd, and hence no backup telnetd: 1 Number of times bitten: 0 If you really need a backup access method, get a console server :) Charles --- Charles Sprickman spork@super-g.com --- "...there's no idea that's so good you can't ruin it with a few well-placed idiots." On Mon, 14 Sep 1998, Jeffrey J. Mountin wrote: > At 07:59 PM 9/12/98 -0700, Roger Marquis wrote: > >If you're running inetd then it doesn't seem consistent to start > >daemons that don't need to run all the time from startup scripts. > >Inetd was designed to conserve memory. If you have it why not use it? > >/etc/inetd.conf is also a common place to implement access control (via > >tcp_wrappers). > > The parent only takes up about 600K or so. As someone mentioned, keeping ssh out of inetd give you a backup access method, which would be telnet w/SKEY. > > >Other than that I've frequently run into situations where keepalives > >had to be turned off. In those cases ssh sessions invariably die and > >their daemons have to be killed-off by hand (kill <PID>). As it is > >difficult to tell the original daemon from the child daemons it's also > >easy to accidentally kill the parent. If ssh is the only access you're > >locked-out. Easier and more consistent to use inetd where it's > >available, IMHO and YMMV. > > Rarely have I seen hung sessions, even after being rudely disconnected by the IPS(s) I connect into. Even then what's so diffifcult about killing the child? > > # ps -ax -o uid,pid,ppid,state,tt,start,time,command | grep ssh > UID PID PPID STAT TT STARTED TIME COMMAND > 0 149 1 Is ?? Fri06AM 0:05.52 /usr/local/sbin/sshd (sshd1) > 0 28319 149 S ?? 10:35PM 0:09.78 /usr/local/sbin/sshd (sshd1) > > Only one session leader here and killing the parent would be bad form. 8-) > > FWIW, you can -HUP the parent while on an active ssh session and not be disconnected. If you use -HUP the worst that you could do is disconnect someone. > > > Jeff Mountin - Unix Systems TCP/IP networking > jeff@mountin.net > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.00.9809140219060.4728-100000>