From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 18:33:33 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A64716A4B3 for ; Thu, 18 Sep 2003 18:33:33 -0700 (PDT) Received: from dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 72FA243FAF for ; Thu, 18 Sep 2003 18:33:32 -0700 (PDT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 7605 invoked by uid 1000); 19 Sep 2003 01:33:32 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Sep 2003 01:33:32 -0000 Date: Thu, 18 Sep 2003 18:33:31 -0700 (PDT) From: Jason Stone X-X-Sender: jason@walter To: freebsd-security@freebsd.org In-Reply-To: Message-ID: <20030918175448.E55021@walter> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 01:33:33 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Advantages to using inetd include connection count limiting, > connection rate limiting, tcp_wrappers, address binding, and > simplicity (KIS), among others. > > Back when ssh was originally developed, in the days of 50Mhz > processors, key generation time made running sshd out of inetd slow. > For the past several years, however, this has not been an issue. > Why FreeBSd's default installation still uses a legacy stand-alone > ssh daemon is a question many systems administrators are asking. Uh, you've got it backwards dude - inetd was developed way way back in the day, when having a separate telnetd, ftpd, etc all running all the time consumed too many resources. Most modern daemons (sshd, apache, bind, dhcpd, etc) all run as standalones - the ones that still want inetd are stuff like talkd, fingerd, uucpd - ie, the daemons that no one runs anymore. And how is having two daemons (inetd and sshd), each with their own config files and implementation bogosities _simpler_ that just the one? Uh, I could run inetd _and_ sshd, or just sshd - hmm, which do I think is simpler...? And sshd has all the "advantages of inetd" which you mention. - From a security standpoint, I really think that inetd outght not be used. It's an additional root-running source of complexity and potential bugs, and it is almost never necesary. -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. -- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE/alzsswXMWWtptckRAn7BAJ9L+V4XAgaJCe3cIm40k34RXdkRXQCg1RXm u20B+ZxFFSMyNH2OAnuK3X4= =9Dxo -----END PGP SIGNATURE-----