Date: Thu, 18 Sep 2003 13:27:49 -0600
From: Scott Gerhardt <scott@g-it.ca>
To: Roger Marquis <marquis@roble.com>, <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Message-ID: <BB8F6355.6D88%scott@g-it.ca>
In-Reply-To: <20030918192135.744AADACAF@mx7.roble.com>
On 9/18/03 1:21 PM, "Roger Marquis" <marquis@roble.com> wrote:

>>>> This can be dangerous if you are ssh'ed in, and the restart kills your
>>>> connection rather than the daemon.
>>>
>>> All the restart target does is basically kill the pid using the pid file
>>> and then restart the daemon, so it is no more dangerous than the below.
>>
>> It's good that the FreeBSD script does not use 'killall' (for instance),
>> but not every SysV sshd script is as sensible. Of course, if you argued
>> that a NG sshd RC script might involve dependencies which affected other
>> processes, you'd have a point. :-)
>
> None of these are problems when sshd is run from inetd. The only
> reasons not to run sshd out of inetd are A) if the server needs to
> initiate dozens of sessions per minute or B) if it's not running
> inetd.
>
> Advantages to using inetd include connection count limiting,
> connection rate limiting, tcp_wrappers, address binding, and
> simplicity (KIS), among others.
>
> Back when ssh was originally developed, in the days of 50 MHz
> processors, key generation time made running sshd out of inetd slow.
> For the past several years, however, this has not been an issue.
> Why FreeBSD's default installation still uses a legacy stand-alone
> ssh daemon is a question many systems administrators are asking.

Better yet, what about using xinetd, which is much more configurable and
robust? I am surprised that FreeBSD's default installation still uses
inetd instead of xinetd.

--
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies [G-IT]
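The following is an added illustration of the setup discussed above (sshd spawned by a super-server with connection-count limiting, per-source rate limiting, tcp_wrappers and address binding); it is not part of the thread and not FreeBSD's or xinetd's shipped configuration. The addresses 192.0.2.10 and 192.0.2.0/24 are placeholders, the limit values are arbitrary, and the field syntax is as I remember it from inetd.conf(5) and xinetd.conf(5); confirm the exact forms against the man pages of the version you run, since the per-IP child limit in inetd.conf was added after the original 4.x releases.

```conf
# Added example, not from the thread. Placeholder addresses; check each
# directive against your own inetd.conf(5) / xinetd.conf(5) before use.

# --- FreeBSD /etc/inetd.conf ------------------------------------------
# Fields: [addr:]service  socktype  proto
#         wait-type[/max-child[/max-conn-per-ip-per-min[/max-child-per-ip]]]
#         user  server-program  argv[0] args...
#
# "192.0.2.10:" binds this listener to one address only.
# "nowait/32/10/4": at most 32 sshd children at once, at most 10 new
# connections per minute from any single source address, at most 4
# concurrent children serving the same source address (drop the last
# field on an inetd that predates it).
# "sshd -i" tells sshd it was started by inetd and must speak on
# stdin/stdout instead of opening its own listening socket.
192.0.2.10:ssh  stream  tcp  nowait/32/10/4  root  /usr/sbin/sshd  sshd -i

# --- FreeBSD /etc/rc.conf ---------------------------------------------
# Disable the stand-alone daemon and run inetd instead. -w/-W turn on
# tcp_wrappers for external/internal services; -C 60 is a site-wide
# default of 60 connections per minute per source address, which the
# per-service "/10" above overrides for ssh.
#   sshd_enable="NO"
#   inetd_enable="YES"
#   inetd_flags="-wW -C 60"

# --- /etc/hosts.allow (tcp_wrappers, daemon name = basename of argv[0])
#   sshd : 192.0.2.0/24 : allow
#   sshd : ALL          : deny

# --- xinetd equivalent: /etc/xinetd.d/ssh -----------------------------
service ssh
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/sshd
        server_args     = -i
        # address binding
        bind            = 192.0.2.10
        # max simultaneous sshd children for this service
        instances       = 32
        # max simultaneous children from one source address
        per_source      = 4
        # more than 10 connections/second disables the service for 60 s
        cps             = 10 60
        # xinetd's built-in access control (tcp_wrappers still applies)
        only_from       = 192.0.2.0/24
        log_on_failure  += USERID
}
```

Two caveats worth keeping in mind: every connection now pays the cost of a fresh sshd start-up (host keys read from disk, and, under protocol 1, an ephemeral server key generated, which is the slowness the thread refers to), and a site-wide rate limit such as inetd's -R or xinetd's cps lets a single flooding source shut the service off for every other client until the cool-down expires, so prefer per-source limits where the super-server offers them.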
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BB8F6355.6D88%scott>