Date:      Wed, 15 Mar 2000 23:40:41 -0800
From:      Doug Barton <Doug@gorean.org>
To:        Lawrence Sica <larry@interactivate.com>
Cc:        Rodrigo Campos <camposr@MATRIX.COM.BR>, freebsd-security@FreeBSD.ORG
Subject:   Re: wrapping sshd
Message-ID:  <38D08FF9.D7247ACB@gorean.org>
References:  <Pine.BSF.4.21.0003151730240.11873-100000@speed.matrix.com.br> <38D00906.389A9A28@interactivate.com> <38D07B98.53CBA3E@gorean.org> <38D07C08.28FB5CF7@interactivate.com>

Lawrence Sica wrote:
> 
> Doug Barton wrote:
> 
> > Lawrence Sica wrote:
> >
> > > sshd can do this within its own config file already.
> >
> >         True, but I've always found it more convenient to have all of my system
> > access limits in the same file. (Well, two files, hosts.allow and
> > rc.firewall, so I really don't want a third...)
> >
> > > The reasons for not
> > > running it in inetd are pretty much the same for not wrapping it.
> >
> >         No, not running it out of inetd is a whole different issue. The theory
> > is that sshd is more reliable than inetd, and you always want to be able
> > to get into your system. I have always thought that the sshd authors
> > were a bit grandiose on that topic.. :)
> >
> 
> Ahh, I was led to believe it was due to the fact it needs to generate a key and all
> the fun stuff associated with it.  Didn't know that the big ego theory applied
> there heh.

	Well, it does take a bit longer to start the connection run out of
inetd. The difference is _very_ hard to notice on a modern (fast)
machine though. That warning applied mostly to the "old days" when
generating the key was a more substantial delay. I used to run sshd out
of inetd on a system that ran mostly unattended, needed every spare cpu
cycle, and had alternate means of access "just in case."  

	In all my years of running FreeBSD I've never seen inetd crash on any
system. In either case, if you absolutely positively have to have remote
access it's easy to write a little sh script to be run out of cron every
N minutes which checks to see if sshd/inetd is up and running, and
starts it if it's not. Even easier (though less elegant) is to just run
the command (sshd, inetd, whatever). The worst thing that could happen
is that your logs get full of "can't start <whatever> because that port
is already bound" messages. 

HTH,

Doug
-- 
  "While the future's there for anyone to change, still you know it seems,
   it would be easier sometimes to change the past"

       - Jackson Browne, "Fountain of Sorrow"
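The cron watchdog Doug describes, written out as an added example that is not part of the original post. The pidfile and binary paths are FreeBSD defaults and are assumptions, and the script name and cron entry are illustrative; checking the pidfile first is what avoids the "port already bound" log noise of blindly re-running the daemon.

```shell
#!/bin/sh
# Added example: restart sshd/inetd from cron if they have died.
# Root's crontab, every 5 minutes (paths are assumed FreeBSD defaults):
#   */5 * * * * /usr/local/sbin/sshd-watchdog.sh run
# Run as root: kill -0 on another user's process fails with EPERM and
# would make a live daemon look dead.

# daemon_alive PIDFILE: 0 if PIDFILE names a live process, 1 otherwise.
daemon_alive() {
    wd_pidfile=$1
    [ -r "$wd_pidfile" ] || return 1
    wd_pid=$(head -n 1 "$wd_pidfile" 2>/dev/null)
    case $wd_pid in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric pidfile
    esac
    kill -0 "$wd_pid" 2>/dev/null
}

# ensure_daemon NAME PIDFILE START_CMD: start NAME if it is not alive.
# Returns 0 if it was already running, 2 if a restart was attempted.
ensure_daemon() {
    wd_name=$1; wd_file=$2; wd_start=$3
    if daemon_alive "$wd_file"; then
        return 0
    fi
    # syslog is optional: never let a missing logger abort the watchdog
    logger -t watchdog "$wd_name not running, starting it" 2>/dev/null || :
    if ! eval "$wd_start"; then
        echo "watchdog: failed to start $wd_name" >&2
    fi
    return 2
}

# The "run" argument keeps the script inert when sourced for testing.
if [ "${1:-}" = run ]; then
    ensure_daemon sshd  /var/run/sshd.pid  /usr/sbin/sshd
    ensure_daemon inetd /var/run/inetd.pid /usr/sbin/inetd
fi
```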

