Date: Thu, 18 Sep 2003 20:14:54 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: Avleen Vig <lists-freebsd@silverwraith.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Message-ID: <20030919031454.20CD0DACAF@mx7.roble.com>
In-Reply-To: <20030919030951.GJ527@silverwraith.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919030951.GJ527@silverwraith.com>
On Thu, 18 Sep 2003, Avleen Vig wrote:
> On Thu, Sep 18, 2003 at 06:07:10PM -0700, Roger Marquis wrote:
> > Duplicating inetd's features increases the total code, increases
> > its complexity, and reduces overall security. Sshd doesn't need
> > to know how to run as a daemon. That code is already in inetd.
> > Sshd also doesn't need to duplicate the connection limiting, process
> > limiting, and tcp_wrappers already built into inetd. This is why
> > all modern unix systems have inetd or xinetd.
> > ...
> Compare all security vulnerabilities in sshd with all security
> vulnerabilities in inetd.
> Now, would you prefer to have only the vulnerabilities in sshd present,
> or both sshd AND inetd?

Which is why you wouldn't run sshd out of inetd on a server that wasn't
already running an inetd. Running sshd as a daemon on a system that's
already running inetd IS your second scenario.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
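As an added illustration (not part of the thread, and not from the FreeBSD project), here is what the inetd-side controls the quoted message refers to look like on FreeBSD: an inetd.conf entry with and without inetd's per-service and per-address limits, plus the tcp_wrappers rules inetd applies before sshd is ever executed. The file paths follow FreeBSD convention; the address ranges are constructed examples.

```conf
# /etc/inetd.conf (FreeBSD inetd(8) syntax; added illustration, not from the thread)
#
# Field layout:
# service socket proto wait[/max-child[/max-conn-per-ip-per-min[/max-child-per-ip]]] user program args
#
# Weak: no limits at all. Any single source can keep inetd forking new
# sshd children for as long as it likes.
ssh   stream  tcp   nowait         root  /usr/sbin/sshd  sshd -i
#
# Hardened: at most 20 sshd children in total, at most 5 new connections
# per minute from any one address, and at most 3 concurrent children per
# address. inetd enforces all three before exec'ing sshd, which is the
# "connection limiting, process limiting" the message refers to.
# "sshd -i" is inetd mode: sshd handles the one connection on stdin/stdout
# and never opens a listening socket or runs its own daemon code path.
ssh   stream  tcp   nowait/20/5/3  root  /usr/sbin/sshd  sshd -i

# /etc/hosts.allow (tcp_wrappers; consulted by inetd only when inetd is
# started with its -w flag). The daemon name is matched against the
# program's argv[0] from inetd.conf, i.e. "sshd". Ranges are constructed
# examples in net/mask form.
sshd : 192.0.2.0/255.255.255.0, 10.0.0.0/255.0.0.0 : allow
sshd : ALL : deny
```

Because inetd is what accepts the connection, a rejected client in this setup never reaches sshd's code at all, which is the trade-off the thread is weighing against inetd's own exposure.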