Date: Wed, 15 Mar 2000 23:40:41 -0800
From: Doug Barton <Doug@gorean.org>
To: Lawrence Sica <larry@interactivate.com>
Cc: Rodrigo Campos <camposr@MATRIX.COM.BR>, freebsd-security@FreeBSD.ORG
Subject: Re: wrapping sshd
Message-ID: <38D08FF9.D7247ACB@gorean.org>
References: <Pine.BSF.4.21.0003151730240.11873-100000@speed.matrix.com.br> <38D00906.389A9A28@interactivate.com> <38D07B98.53CBA3E@gorean.org> <38D07C08.28FB5CF7@interactivate.com>
Lawrence Sica wrote:
>
> Doug Barton wrote:
> >
> > Lawrence Sica wrote:
> >
> > > sshd can do this within its own config file already.
> >
> > True, but I've always found it more convenient to have all of my system
> > access limits in the same file. (Well, two files, hosts.allow and
> > rc.firewall, so I really don't want a third...)
> >
> > > The reasons for not
> > > running it in inetd are pretty much the same for not wrapping it.
> >
> > No, not running it out of inetd is a whole different issue. The theory
> > is that sshd is more reliable than inetd, and you always want to be able
> > to get into your system. I have always thought that the sshd authors
> > were a bit grandiose on that topic.. :)
> >
>
> Ahh, I was led to believe it was due to the fact it needs to generate a key and all
> the fun stuff associated with it. Didn't know that the big ego theory applied
> there heh.

Well, it does take a bit longer to start the connection run out of inetd. The
difference is _very_ hard to notice on a modern (fast) machine though. That
warning applied mostly to the "old days" when generating the key was a more
substantial delay.

I used to run sshd out of inetd on a system that ran mostly unattended, needed
every spare cpu cycle, and had alternate means of access "just in case." In all
my years of running freebsd I've never seen inetd crash on any system.

In either case, if you absolutely positively have to have remote access it's
easy to write a little sh script to be run out of cron every N minutes which
checks to see if sshd/inetd is up and running, and starts it if it's not. Even
easier (though less elegant) is to just run the command (sshd, inetd,
whatever). The worst thing that could happen is that your logs get full of
"can't start <whatever> because that port is already bound" messages.
HTH,

Doug

--
"While the future's there for anyone to change, still you know it seems,
it would be easier sometimes to change the past"
- Jackson Browne, "Fountain of Sorrow"
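The cron-driven "is sshd still up" check Doug describes, written out as an added POSIX sh example (not code from the thread or from FreeBSD). It assumes sshd writes its pid to /var/run/sshd.pid and lives at /usr/sbin/sshd; both are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: a watchdog that cron runs every N
# minutes to restart sshd if it has died. Assumptions (not stated in the
# mail): sshd records its pid in /var/run/sshd.pid and lives at
# /usr/sbin/sshd; both can be overridden through the environment.
# Run it as root so that kill -0 may probe the daemon's pid.
PIDFILE="${SSHD_PIDFILE:-/var/run/sshd.pid}"
DAEMON="${SSHD_DAEMON:-/usr/sbin/sshd}"

# daemon_running PIDFILE: succeed only if PIDFILE names a live process.
# A missing, empty or stale pidfile (process gone) counts as "not running".
daemon_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_daemon PIDFILE CMD [ARGS...]: start CMD when the daemon is down.
# Exit status: 0 already running, 2 restarted, 3 start command failed
# (for sshd that is the "port is already bound" case from the mail, e.g. a
# stale pidfile while another sshd still holds the port; the daemon's own
# log carries the details).
ensure_daemon() {
    pidfile="$1"
    shift
    if daemon_running "$pidfile"; then
        return 0
    fi
    logger -t sshd-watchdog "daemon not running, starting: $*" 2>/dev/null || true
    "$@" || return 3
    return 2
}

# Cron entry (every 5 minutes); the "run" argument keeps the functions
# inert when the file is merely sourced for testing:
#   */5 * * * * /usr/local/sbin/sshd-watchdog.sh run
if [ "${1:-}" = "run" ]; then
    ensure_daemon "$PIDFILE" "$DAEMON"
fi
```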