From owner-freebsd-security Sun Sep 13 23:24:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA10745 for freebsd-security-outgoing; Sun, 13 Sep 1998 23:24:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA10740 for ; Sun, 13 Sep 1998 23:23:56 -0700 (PDT) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id CAA06681; Mon, 14 Sep 1998 02:22:58 -0400 (EDT)
Date: Mon, 14 Sep 1998 02:22:58 -0400 (EDT)
From: spork
X-Sender: spork@super-g.inch.com
To: "Jeffrey J. Mountin"
cc: Roger Marquis , freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <3.0.3.32.19980914002155.0078fb78@207.227.119.2>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Data Point:

A dozen machines, all running sshd as a daemon. Been doing it for more than two years.

Number of times sshd died: 0
Number of times inetd died: 4-ish (junk pointer, too low to make sense)
Number of years since machines that don't need inetd services have been running with no inetd, and hence no backup telnetd: 1
Number of times bitten: 0

If you really need a backup access method, get a console server :)

Charles

---
Charles Sprickman
spork@super-g.com
---
"...there's no idea that's so good you can't ruin it with a few well-placed idiots."

On Mon, 14 Sep 1998, Jeffrey J. Mountin wrote:

> At 07:59 PM 9/12/98 -0700, Roger Marquis wrote:
> >If you're running inetd then it doesn't seem consistent to start
> >daemons that don't need to run all the time from startup scripts.
> >Inetd was designed to conserve memory. If you have it why not use it?
> >/etc/inetd.conf is also a common place to implement access control (via
> >tcp_wrappers).
>
> The parent only takes up about 600K or so. As someone mentioned, keeping
> ssh out of inetd gives you a backup access method, which would be telnet
> w/SKEY.
>
> >Other than that I've frequently run into situations where keepalives
> >had to be turned off. In those cases ssh sessions invariably die and
> >their daemons have to be killed-off by hand (kill ). As it is
> >difficult to tell the original daemon from the child daemons it's also
> >easy to accidentally kill the parent. If ssh is the only access you're
> >locked-out. Easier and more consistent to use inetd where it's
> >available, IMHO and YMMV.
>
> Rarely have I seen hung sessions, even after being rudely disconnected by
> the ISP(s) I connect into. Even then what's so difficult about killing the
> child?
>
> # ps -ax -o uid,pid,ppid,state,tt,start,time,command | grep ssh
> UID PID PPID STAT TT STARTED TIME COMMAND
> 0 149 1 Is ?? Fri06AM 0:05.52 /usr/local/sbin/sshd (sshd1)
> 0 28319 149 S ?? 10:35PM 0:09.78 /usr/local/sbin/sshd (sshd1)
>
> Only one session leader here and killing the parent would be bad form. 8-)
>
> FWIW, you can -HUP the parent while on an active ssh session and not be
> disconnected. If you use -HUP the worst that you could do is disconnect
> someone.
>
> Jeff Mountin - Unix Systems TCP/IP networking
> jeff@mountin.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
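As an added example (not code from anyone in the thread), a small POSIX sh helper that makes Jeff's ps check mechanical: it picks the listening sshd out of the ps output by its PPID of 1, lists the per-session children, and refuses to signal the listener, so a hung session can be cleared without the lock-out Roger describes. The ps sample is constructed from the lines quoted above with one extra child added; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of `ps -ax -o uid,pid,ppid,state,tt,start,time,command`
# output, modelled on the lines quoted in the thread (not live data).
SAMPLE_PS='UID PID PPID STAT TT STARTED TIME COMMAND
0 149 1 Is ?? Fri06AM 0:05.52 /usr/local/sbin/sshd (sshd1)
0 28319 149 S ?? 10:35PM 0:09.78 /usr/local/sbin/sshd (sshd1)
0 28402 149 S ?? 11:02PM 0:00.41 /usr/local/sbin/sshd (sshd1)'

# PID of the listening (parent) sshd: the sshd whose parent is init (PPID 1).
# Field 8 is the command column in this ps format; the header row does not match.
sshd_parent_pid() {
    printf '%s\n' "$1" | awk '$8 ~ /sshd/ && $3 == 1 { print $2 }'
}

# PIDs of per-session children: sshd processes whose PPID is the listener.
sshd_child_pids() {
    parent=$(sshd_parent_pid "$1")
    printf '%s\n' "$1" | awk -v p="$parent" '$8 ~ /sshd/ && $3 == p { print $2 }'
}

# Exit 0 if $1 is the listener PID (the one whose death locks you out).
is_sshd_listener() {
    [ "$(sshd_parent_pid "$2")" = "$1" ]
}

# Clear one hung session child ($1) using ps output ($2). Refuses the listener
# and anything that is not an sshd child. DRY_RUN=1 (the default) only reports.
kill_sshd_session() {
    pid=$1; ps_out=$2
    if is_sshd_listener "$pid" "$ps_out"; then
        echo "refusing to kill listener sshd pid $pid" >&2
        return 1
    fi
    if ! sshd_child_pids "$ps_out" | grep -qx "$pid"; then
        echo "pid $pid is not an sshd session child" >&2
        return 2
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would kill sshd session $pid"
    else
        kill "$pid"
    fi
}
```

On a live box, pass `"$(ps -ax -o uid,pid,ppid,state,tt,start,time,command)"` as the ps argument and set `DRY_RUN=0` to actually signal the child.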