From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 12:27:55 2003
Date: Thu, 18 Sep 2003 13:27:49 -0600
From: Scott Gerhardt
To: Roger Marquis, freebsd-security@freebsd.org
In-Reply-To: <20030918192135.744AADACAF@mx7.roble.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
List-Id: Security issues [members-only posting]

On 9/18/03 1:21 PM, "Roger Marquis" wrote:

>>>> This can be dangerous if you are ssh'ed in, and the restart kills your
>>>> connection rather than the daemon.
>>>
>>> All the restart target does is basically kill the pid using the pid file
>>> and then restart the daemon, so it is no more dangerous than the below.
>>
>> It's good that the FreeBSD script does not use 'killall' (for instance), but
>> not every SysV sshd script is as sensible. Of course, if you argued that a NG
>> sshd RC script might involve dependencies which affected other processes,
>> you'd have a point. :-)
>
> None of these are problems when sshd is run from inetd. The only
> reasons not to run sshd out of inetd are A) if the server needs to
> initiate dozens of sessions per minute or B) if it's not running
> inetd.
>
> Advantages to using inetd include connection count limiting,
> connection rate limiting, tcp_wrappers, address binding, and
> simplicity (KIS), among others.
>
> Back when ssh was originally developed, in the days of 50 MHz
> processors, key generation time made running sshd out of inetd slow.
> For the past several years, however, this has not been an issue.
> Why FreeBSD's default installation still uses a legacy stand-alone
> ssh daemon is a question many systems administrators are asking.

Better yet, what about using xinetd, which is much more configurable and
robust? I am surprised that FreeBSD's default installation still uses
inetd instead of xinetd.

--
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies [G-IT]
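As an added example (not part of this thread or of FreeBSD itself), a small check that an inetd.conf fragment runs sshd the way Roger describes: an active ssh entry, sshd started with -i so it serves the inherited socket instead of daemonizing, and a max-child limit in the nowait field (FreeBSD's inetd.conf accepts nowait/max-child/max-connections-per-ip-per-minute). The two config fragments are constructed samples, not copied from any real system.

```shell
#!/bin/sh
# Constructed inetd.conf fragments used as input (not real host config).
GOOD_CONF='# comment line
ssh    stream  tcp   nowait/10/5  root  /usr/sbin/sshd   sshd -i -4
telnet stream  tcp   nowait       root  /usr/libexec/telnetd  telnetd'
BAD_CONF='#ssh   stream  tcp   nowait       root  /usr/sbin/sshd   sshd -i -4
ssh    stream  tcp   nowait       root  /usr/sbin/sshd   sshd'

# Usage: check_sshd_inetd_entry "<inetd.conf contents>"
# Returns 0 when an uncommented ssh entry exists, it is nowait with a
# max-child limit (connection count limiting), and sshd is run with -i.
# Each problem found is reported on stdout.
check_sshd_inetd_entry() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blanks
    $1 == "ssh" && ($3 == "tcp" || $3 == "tcp6") {
      found = 1
      split($4, w, "/")                       # nowait[/max-child[/rate]]
      if (w[1] != "nowait") { print "ssh entry must be nowait"; bad = 1 }
      if (w[2] == "")        { print "no max-child limit set";  bad = 1 }
      has_i = 0
      for (i = 7; i <= NF; i++) if ($i == "-i") has_i = 1   # argv after argv[0]
      if (!has_i)            { print "sshd is not started with -i"; bad = 1 }
    }
    END {
      if (!found) { print "no active ssh entry"; exit 1 }
      exit bad
    }'
}
```

Run it against the live file with `check_sshd_inetd_entry "$(cat /etc/inetd.conf)"` after enabling the entry and before sending inetd a SIGHUP.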