From owner-freebsd-security Wed Mar 15 23:40:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dt051n0b.san.rr.com (dt051n0b.san.rr.com [204.210.32.11]) by hub.freebsd.org (Postfix) with ESMTP id 1E64637BA56 for ; Wed, 15 Mar 2000 23:40:51 -0800 (PST) (envelope-from Doug@gorean.org)
Received: from gorean.org (doug@master [10.0.0.2]) by dt051n0b.san.rr.com (8.9.3/8.9.3) with ESMTP id XAA07558; Wed, 15 Mar 2000 23:40:41 -0800 (PST) (envelope-from Doug@gorean.org)
Message-ID: <38D08FF9.D7247ACB@gorean.org>
Date: Wed, 15 Mar 2000 23:40:41 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.72 [en] (X11; U; FreeBSD 5.0-CURRENT-0313 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Lawrence Sica
Cc: Rodrigo Campos, freebsd-security@FreeBSD.ORG
Subject: Re: wrapping sshd
References: <38D00906.389A9A28@interactivate.com> <38D07B98.53CBA3E@gorean.org> <38D07C08.28FB5CF7@interactivate.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lawrence Sica wrote:
>
> Doug Barton wrote:
> >
> > Lawrence Sica wrote:
> > >
> > > sshd can do this within its own config file already.
> >
> > True, but I've always found it more convenient to have all of my system
> > access limits in the same file. (Well, two files, hosts.allow and
> > rc.firewall, so I really don't want a third...)
> >
> > > The reasons for not
> > > running it in inetd are pretty much the same for not wrapping it.
> >
> > No, not running it out of inetd is a whole different issue. The theory
> > is that sshd is more reliable than inetd, and you always want to be able
> > to get into your system. I have always thought that the sshd authors
> > were a bit grandiose on that topic.. :)
> >
>
> Ahh, I was led to believe it was due to the fact it needs to generate a key and all
> the fun stuff associated with it. Didn't know that the big ego theory applied
> there heh.

Well, it does take a bit longer to start the connection run out of inetd. The difference is _very_ hard to notice on a modern (fast) machine though. That warning applied mostly to the "old days" when generating the key was a more substantial delay. I used to run sshd out of inetd on a system that ran mostly unattended, needed every spare CPU cycle, and had alternate means of access "just in case." In all my years of running FreeBSD I've never seen inetd crash on any system.

In either case, if you absolutely positively have to have remote access it's easy to write a little sh script to be run out of cron every N minutes which checks to see if sshd/inetd is up and running, and starts it if it's not. Even easier (though less elegant) is to just run the command (sshd, inetd, whatever). The worst thing that could happen is that your logs get full of "can't start because that port is already bound" messages.

HTH,

Doug

-- 
"While the future's there for anyone to change, still you know it seems, it would be easier sometimes to change the past" - Jackson Browne, "Fountain of Sorrow"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
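The cron-driven watchdog Doug describes, written out as an added example that is not part of the original message or of FreeBSD. It is a POSIX sh script with two functions: daemon_running, which reads a pid file and tests whether that process is alive, and ensure_running, which starts the daemon only when it is not up, so a healthy sshd is never re-launched and the logs stay free of the "port already bound" messages mentioned above. A stale pid file (daemon died, file left behind) is treated as "not running". The daemon path /usr/sbin/sshd, the pid file /var/run/sshd.pid, the install path /usr/local/sbin/sshd-watchdog.sh and the cron schedule are assumptions; override DAEMON and PIDFILE in the environment to match the system.

```shell
#!/bin/sh
# sshd watchdog meant to be run from cron every few minutes.
# Added example; not from the original message. The daemon path and
# pid file below are assumptions (override them via the environment).
DAEMON="${DAEMON:-/usr/sbin/sshd}"        # assumed sshd location
PIDFILE="${PIDFILE:-/var/run/sshd.pid}"   # assumed: sshd writes its pid here
LOGTAG="sshd-watchdog"

# daemon_running PIDFILE
# Returns 0 if PIDFILE names a live process, 1 if the file is missing,
# empty, or stale (the pid in it is no longer alive). Run this as the
# daemon's owner (root for sshd): kill -0 fails with EPERM otherwise.
daemon_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_running PIDFILE CMD [ARGS...]
# Starts CMD only when daemon_running says it is not up, so a healthy
# daemon is never re-launched (no "port already bound" noise in the logs).
# Prints "running" or "started"; returns non-zero if the start fails.
ensure_running() {
    pidfile="$1"
    shift
    if daemon_running "$pidfile"; then
        echo "running"
        return 0
    fi
    logger -t "$LOGTAG" "daemon not running, starting: $*" 2>/dev/null || true
    # Detach the daemon's stdio so cron (or a calling shell) is not held open.
    "$@" >/dev/null 2>&1 </dev/null || return 1
    echo "started"
}

# Cron entry (root's crontab), assumed install path:
#   */5 * * * * /usr/local/sbin/sshd-watchdog.sh check
# Without the "check" argument the script only defines the functions.
if [ "${1:-}" = "check" ]; then
    ensure_running "$PIDFILE" "$DAEMON" >/dev/null
fi
```

The pid-file check is what separates this from "just run the command": it costs one kill -0 per cron run, never touches a working daemon, and still recovers when the daemon crashed without cleaning up its pid file. If the restart keeps failing (for example a bad sshd_config), each attempt is logged through logger, which is the signal to look at rather than a quietly dead service.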