Date: Thu, 18 Sep 2003 20:09:51 -0700
From: Avleen Vig <lists-freebsd@silverwraith.com>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Message-ID: <20030919030951.GJ527@silverwraith.com>
In-Reply-To: <20030919010710.D0BA3DACBD@mx7.roble.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919010710.D0BA3DACBD@mx7.roble.com>
On Thu, Sep 18, 2003 at 06:07:10PM -0700, Roger Marquis wrote:
> Duplicating inetd's features increases the total code, increases
> its complexity, and reduces overall security. Sshd doesn't need
> to know how to run as a daemon. That code is already in inetd.
> Sshd also doesn't need to duplicate the connection limiting, process
> limiting, and tcp_wrappers already built into inetd. This is why
> all modern unix systems have inetd or xinetd.

But by the same token, ssh is a security application, and running it through inetd potentially reduces its security effectiveness by introducing code which isn't of the same standard as sshd.

Compare all security vulnerabilities in sshd with all security vulnerabilities in inetd. Now, would you prefer to have only the vulnerabilities in sshd present, or both sshd AND inetd?