Date:      Mon, 14 Sep 1998 02:22:58 -0400 (EDT)
From:      spork <spork@super-g.com>
To:        "Jeffrey J. Mountin" <jeff-ml@mountin.net>
Cc:        Roger Marquis <marquis@roble.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: sshd
Message-ID:  <Pine.BSF.4.00.9809140219060.4728-100000@super-g.inch.com>
In-Reply-To: <3.0.3.32.19980914002155.0078fb78@207.227.119.2>

Data Point:

A dozen machines, all running sshd as a daemon.  Been doing it for more
than two years.

Number of times sshd died: 0
Number of times inetd died: 4-ish (junk pointer, too low to make sense)
Number of years since machines that don't need inetd services have been
running with no inetd, and hence no backup telnetd: 1
Number of times bitten: 0

If you really need a backup access method, get a console server :)

Charles

---
Charles Sprickman
spork@super-g.com
--- 
                     "...there's no idea that's so good you can't 
                      ruin it with a few well-placed idiots." 

On Mon, 14 Sep 1998, Jeffrey J. Mountin wrote:

> At 07:59 PM 9/12/98 -0700, Roger Marquis wrote:
> >If you're running inetd then it doesn't seem consistent to start
> >daemons that don't need to run all the time from startup scripts.
> >Inetd was designed to conserve memory.  If you have it why not use it?
> >/etc/inetd.conf is also a common place to implement access control (via
> >tcp_wrappers).
> 
> The parent only takes up about 600K or so.  As someone mentioned, keeping ssh out of inetd gives you a backup access method, which would be telnet w/SKEY.
> 
> >Other than that I've frequently run into situations where keepalives
> >had to be turned off.  In those cases ssh sessions invariably die and
> >their daemons have to be killed-off by hand (kill <PID>).  As it is
> >difficult to tell the original daemon from the child daemons it's also
> >easy to accidentally kill the parent.  If ssh is the only access you're
> >locked-out.  Easier and more consistent to use inetd where it's
> >available, IMHO and YMMV.
> 
> Rarely have I seen hung sessions, even after being rudely disconnected by the ISP(s) I connect into.  Even then what's so difficult about killing the child?
> 
> # ps -ax -o uid,pid,ppid,state,tt,start,time,command | grep ssh
>   UID   PID  PPID STAT  TT  STARTED       TIME COMMAND
>     0   149     1 Is    ??  Fri06AM    0:05.52 /usr/local/sbin/sshd (sshd1)
>     0 28319   149 S     ??  10:35PM    0:09.78 /usr/local/sbin/sshd (sshd1)
> 
> Only one session leader here and killing the parent would be bad form. 8-)
> 
> FWIW, you can -HUP the parent while on an active ssh session and not be disconnected.  If you use -HUP the worst that you could do is disconnect someone.
> 
> 
> Jeff Mountin - Unix Systems TCP/IP networking
> jeff@mountin.net
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
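A shell version of the parent-vs-child bookkeeping Jeff describes above, added here as an example; it is not code from either poster. It parses the same "ps -ax -o uid,pid,ppid,state,tt,start,time,command" column layout shown in the quote, identifies the listening sshd (the one whose parent is PID 1) and its per-connection children, and refuses to signal the listener when asked to kill a hung session. The process snapshot is constructed for the demo (the second child 30112 and the inetd line are invented), the helper names sshd_listener, sshd_children, kill_session and reload_listener are mine, and it assumes a single sshd listener started at boot rather than from inetd. Nothing is signalled while DRYRUN=1.

```shell
#!/bin/sh
# Added example (not from the thread): find the sshd listener and its
# per-connection children in a ps snapshot, so that a hung session can be
# killed without ever touching the parent that accepts new connections.
# POSIX sh + awk only.

# Constructed ps output in the layout used in the thread:
#   ps -ax -o uid,pid,ppid,state,tt,start,time,command
# PID 149 is the listener (parent is init, PID 1); 28319 and 30112 are
# per-connection children; 201 is an unrelated inetd (invented for the demo).
SNAPSHOT='  UID   PID  PPID STAT  TT  STARTED       TIME COMMAND
    0   149     1 Is    ??  Fri06AM    0:05.52 /usr/local/sbin/sshd (sshd1)
    0 28319   149 S     ??  10:35PM    0:09.78 /usr/local/sbin/sshd (sshd1)
    0 30112   149 S     ??  11:02PM    0:00.41 /usr/local/sbin/sshd (sshd1)
    0   201     1 Is    ??  Fri06AM    0:00.10 /usr/sbin/inetd -wW'
# On a live box use instead:
#   SNAPSHOT="$(ps -ax -o uid,pid,ppid,state,tt,start,time,command)"

# sshd_listener SNAPSHOT -> PID of the sshd whose parent is init (PID 1).
# Assumes one such listener; field 8 is the command path.
sshd_listener() {
    printf '%s\n' "$1" | awk '$8 ~ /sshd/ && $3 == 1 { print $2 }'
}

# sshd_children SNAPSHOT -> PIDs of sshd processes whose parent is the
# listener, one per line, ascending. These are the per-session daemons.
sshd_children() {
    printf '%s\n' "$1" | awk '
        $8 ~ /sshd/ { ppid[$2] = $3 }
        END {
            for (p in ppid) if (ppid[p] == 1) listener = p
            for (p in ppid) if (ppid[p] == listener) print p
        }' | sort -n
}

# kill_session SNAPSHOT PID: terminate one hung per-session sshd.
# Refuses to signal the listener (that is the lock-out case from the
# thread) or anything that is not an sshd child. With DRYRUN=1 the
# command is printed instead of run.
kill_session() {
    snap=$1; target=$2
    listener=$(sshd_listener "$snap")
    if [ "$target" = "$listener" ]; then
        echo "refusing: $target is the sshd listener" >&2
        return 1
    fi
    if ! sshd_children "$snap" | grep -qx "$target"; then
        echo "refusing: $target is not an sshd child" >&2
        return 1
    fi
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "kill -TERM $target"
    else
        kill -TERM "$target"
    fi
}

# reload_listener SNAPSHOT: HUP the listener only. Existing sessions are
# separate child processes and keep running; the listener re-reads its
# configuration. With DRYRUN=1 the command is printed instead of run.
reload_listener() {
    listener=$(sshd_listener "$1")
    if [ -z "$listener" ]; then
        echo "no sshd listener found" >&2
        return 1
    fi
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "kill -HUP $listener"
    else
        kill -HUP "$listener"
    fi
}

# Demo against the constructed snapshot; nothing is signalled.
DRYRUN=1
echo "listener: $(sshd_listener "$SNAPSHOT")"
echo "children: $(sshd_children "$SNAPSHOT" | tr '\n' ' ')"
kill_session "$SNAPSHOT" 28319
kill_session "$SNAPSHOT" 149 || echo "(refused, as intended)"
reload_listener "$SNAPSHOT"
```

Run it with DRYRUN unset only once you have checked the printed plan; the guard in kill_session is what keeps a typo from turning into the lock-out Roger describes when ssh is the only way in.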



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.00.9809140219060.4728-100000>