From owner-freebsd-security  Mon Sep 14 10:06:23 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id KAA06521
          for freebsd-security-outgoing; Mon, 14 Sep 1998 10:06:23 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA06502
          for <freebsd-security@FreeBSD.ORG>; Mon, 14 Sep 1998 10:06:15 -0700 (PDT)
          (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 4811 invoked by uid 1001); 14 Sep 1998 17:05:57 +0000 (GMT)
To: marquis@roble.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: Your message of "Mon, 14 Sep 1998 09:02:30 -0700 (PDT)"
References: <Pine.SUN.3.96.980914085125.27468B-100000@roble.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 14 Sep 1998 19:05:57 +0200
Message-ID: <4809.905792757@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The real issue, it seems to me, is consistency.  If ftp, telnet, rsh,
> rlogin, etc. run from inetd then sshd should also.  The original reason it
> wasn't is the key generation delay, which isn't an issue on anything
> faster than a 486/25.

That may be the real issue for you - not necessarily for everybody. Also,
the key generation delay is certainly measurable. Running "ssh host date"
between two P-166 machines:

- sshd running as daemon: 1 - 1.2 seconds
- sshd running from inetd: 4 - 5 seconds

That difference may not be significant for a long term login session, but
could easily be significant for rsh type use.

Myself, I have turned off most services in /etc/inetd.conf. The fewer
services that run, the fewer possible holes. I *definitely* don't run rsh
and rlogin. For high security situations I recommend against using the
standard inetd - better to use for instance Marcus Ranum's mini-inetd
(79 lines) where you can more easily convince yourself that the code does
what you want.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message