Date: Thu, 18 Sep 2003 20:14:54 -0700 (PDT)
From: Roger Marquis
To: Avleen Vig
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Message-Id: <20030919031454.20CD0DACAF@mx7.roble.com>
In-Reply-To: <20030919030951.GJ527@silverwraith.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919030951.GJ527@silverwraith.com>
List-Id: Security issues [members-only posting]

On Thu, 18 Sep 2003, Avleen Vig wrote:
> On Thu, Sep 18, 2003 at 06:07:10PM -0700, Roger Marquis wrote:
> > Duplicating inetd's features increases the total code, increases
> > its complexity, and reduces overall security. Sshd doesn't need
> > to know how to run as a daemon. That code is already in inetd.
> > Sshd also doesn't need to duplicate the connection limiting, process
> > limiting, and tcp_wrappers already built into inetd. This is why
> > all modern unix systems have inetd or xinetd.
> > ...
> Compare all security vulnerabilities in sshd with all security
> vulnerabilities in inetd.
> Now, would you prefer to have only the vulnerabilities in sshd present,
> or both sshd AND inetd?

Which is why you wouldn't run sshd out of inetd on a server that wasn't
already running an inetd. Running sshd as a daemon on a system that's
already running inetd IS your second scenario.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
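The two configurations the thread argues over, side by side, as an added illustration that is not part of the original message or of any FreeBSD file: (a) sshd spawned by inetd with the connection limiting and tcp_wrappers the message attributes to inetd, and (b) sshd as a standalone daemon carrying its own equivalent. The rate-limit syntax is assumed from FreeBSD-era inetd(8), the `MaxStartups` form from sshd_config(5), and the `192.0.2.0` network is a constructed placeholder; check the man pages on the release you run before copying any of it.

```conf
# Added illustration, not from the original mailing-list message.
# Syntax and paths are assumptions from inetd(8), hosts_access(5)
# and sshd_config(5); verify against your own release.

# --- (a) sshd started by inetd; limits enforced by inetd ---
# /etc/inetd.conf
# nowait/max-child/max-connections-per-ip-per-minute:
#   at most 20 sshd children at once, and at most 5 new connections
#   per minute from any one source address (connections above that
#   rate are refused; see inetd(8) for the exact recovery behaviour).
# "sshd -i" tells sshd the socket is already connected (inetd mode).
ssh   stream  tcp   nowait/20/5   root   /usr/sbin/sshd   sshd -i

# tcp_wrappers is applied by inetd itself when it runs with -w
# (rc.conf: inetd_flags="-wW"), so the wrapper code lives in inetd,
# not in sshd. The daemon name checked is the one inetd execs: sshd.
# /etc/hosts.allow   (192.0.2.0/24 is a constructed example network)
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny

# --- (b) sshd as a standalone daemon; limits enforced by sshd ---
# /etc/ssh/sshd_config
# MaxStartups start:rate:full - once 10 unauthenticated connections
# are pending, refuse new ones with 30% probability, rising linearly
# to refusing all of them at 60 pending.
MaxStartups 10:30:60
# An sshd built with tcp_wrappers support consults the same
# /etc/hosts.allow itself, which is the duplication the thread is about.
```

The point of the comparison is the one the message makes: on a host that already runs inetd, (b) means both programs' listener, limiting and wrapper code are in service at once, while (a) keeps one copy of each. Whether that is worth the extra fork per connection and the loss of sshd's own startup-time key handling is the trade-off the thread is debating.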