From: Avleen Vig
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Date: Thu, 18 Sep 2003 20:09:51 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Message-ID: <20030919030951.GJ527@silverwraith.com>
In-Reply-To: <20030919010710.D0BA3DACBD@mx7.roble.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919010710.D0BA3DACBD@mx7.roble.com>
User-Agent: Mutt/1.5.4i

On Thu, Sep 18, 2003 at 06:07:10PM -0700, Roger Marquis wrote:
> Duplicating inetd's features increases the total code, increases
> its complexity, and reduces overall security. Sshd doesn't need
> to know how to run as a daemon. That code is already in inetd.
> Sshd also doesn't need to duplicate the connection limiting, process
> limiting, and tcp_wrappers already built into inetd. This is why
> all modern unix systems have inetd or xinetd.
But by the same token, ssh is a security application, and running it through inetd potentially reduces its security effectiveness by introducing code which isn't of the same standard as sshd. Compare all security vulnerabilities in sshd with all security vulnerabilities in inetd. Now, would you prefer to have only the vulnerabilities in sshd present, or both sshd AND inetd?
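The two deployment models being argued about, shown side by side as an added example (not from either poster, and not FreeBSD's shipped defaults): an inetd.conf entry that spawns sshd per connection and relies on inetd's own child/rate limits and tcp_wrappers, beside the equivalent limits expressed in a standalone sshd_config. The numeric limits, the 192.0.2.0/24 network and the rc.conf flag line are illustrative assumptions; check inetd(8), hosts_access(5) and sshd_config(5) on the system in question before copying them.

```conf
# --- Model A: sshd spawned by inetd (illustrative values, not shipped defaults) ---
# /etc/inetd.conf
# "nowait/25/5": at most 25 concurrent sshd children, and at most 5 new
# connections per minute from any single source address (inetd.conf(5)
# wait/nowait[/max-child[/max-connections-per-ip-per-minute]] syntax).
# "-i" tells sshd it was started by inetd and must talk on stdin/stdout.
ssh     stream  tcp     nowait/25/5     root    /usr/sbin/sshd  sshd -i

# inetd applies tcp_wrappers to external services when started with -w,
# e.g. in /etc/rc.conf (assumed line):  inetd_flags="-wW"
# /etc/hosts.allow  (192.0.2.0/24 is a constructed example network)
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny

# --- Model B: standalone sshd with the equivalent limits in sshd_config ---
# /etc/ssh/sshd_config
# start:rate:full -- once 10 unauthenticated connections are pending, refuse
# new ones with 30% probability, rising linearly to 100% at 60 pending.
MaxStartups 10:30:60
# Drop unauthenticated sessions that have not logged in within two minutes.
LoginGraceTime 120
```

The point of the comparison for a defender is that both models give you a cap on concurrent unauthenticated sessions; they differ in which code path enforces it. In model A a bug in inetd's limit or wrapper handling affects every wrapped service, in model B a bug in sshd's MaxStartups path affects only ssh. On FreeBSD the base-system sshd is itself linked against libwrap, so the hosts.allow rules above are honoured in either model.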