Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

From: Bruce M Simpson (bms_at_spc.org)
Date: Fri, 19 Sep 2003 01:19:51 +0100
To: Avleen Vig <lists-freebsd@silverwraith.com>

  • Next message: Bruce M Simpson: "Questionable merits of inetd replacements"


    On Thu, Sep 18, 2003 at 04:18:11PM -0700, Avleen Vig wrote:
    > On Thu, Sep 18, 2003 at 12:21:35PM -0700, Roger Marquis wrote:
    > > Why FreeBSD's default installation still uses a legacy stand-alone
    > > ssh daemon is a question many systems administrators are asking.
    >
    > I'm certainly not one of those systems administrators.
    > I manage > 700 systems on a daily basis (not alone, obviously, and not
    > all FreeBSD).
    > I don't want one service (ssh) being dependent on another service
    > (inetd). This is bad system design.

    When you run sshd out of inetd to service a single connection, you have to
    generate a new ephemeral key for every ssh instance. This is a needless
    waste of precious entropy from /dev/random.

    I think running sshd out of inetd is a very bad idea indeed, unless
    Mr Marquis is willing to stay in my datacenter and hammer the keys like
    a monkey all day, but even then that might be a poor source of entropy.

    BMS
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
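As an added check (not part of the thread, and not FreeBSD's or OpenSSH's own tooling), the following POSIX shell script looks at how sshd is launched on a host and estimates the key-generation cost the message above refers to. The per-connection key at issue is the SSH protocol 1 ephemeral server key: a standalone sshd regenerates it every KeyRegenerationInterval seconds (3600 by default, 0 meaning never), whereas `sshd -i` under inetd starts a fresh process, and therefore a fresh key, for every incoming connection; the sshd(8) manual page itself warns that this is why sshd is normally not run from inetd. Protocol 2 sessions do not use this server key, so the estimate only matters while protocol 1 is enabled. The inetd.conf and sshd_config contents are constructed samples written to $TMPDIR, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: check whether sshd is launched from inetd and estimate how many
# SSH-1 ephemeral server keys get generated in each mode. Sample configs below
# are constructed for this example; on a real host read /etc/inetd.conf and
# /etc/ssh/sshd_config instead.

TMPDIR=${TMPDIR:-/tmp}
INETD_CONF="$TMPDIR/inetd.conf.sample"
SSHD_CONF="$TMPDIR/sshd_config.sample"

# Constructed inetd.conf: ftp commented out, ssh active via "sshd -i".
cat > "$INETD_CONF" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
EOF

# Constructed sshd_config with protocol 1 still enabled.
cat > "$SSHD_CONF" <<'EOF'
Protocol 2,1
KeyRegenerationInterval 3600
EOF

# Exit 0 if the given inetd.conf has an active (uncommented) ssh service line.
sshd_from_inetd() {
    grep -Eq '^[[:space:]]*ssh[[:space:]]' "$1"
}

# Read KeyRegenerationInterval from an sshd_config, defaulting to 3600 (sshd's
# default) when the directive is absent.
key_regen_interval() {
    interval=$(awk 'tolower($1)=="keyregenerationinterval"{print $2; exit}' "$1")
    echo "${interval:-3600}"
}

# Estimate SSH-1 server keys generated to serve $2 connections over $3 seconds.
#   inetd mode:  one key per connection (each "sshd -i" starts from scratch).
#   standalone:  one key at start, then one per KeyRegenerationInterval
#                (interval 0 disables regeneration entirely).
key_generations() {
    mode=$1; conns=$2; secs=$3; conf=$4
    if [ "$mode" = inetd ]; then
        echo "$conns"
    else
        interval=$(key_regen_interval "$conf")
        if [ "$interval" -eq 0 ]; then
            echo 1
        else
            echo $(( secs / interval + 1 ))
        fi
    fi
}

# Stand-alone run: report the launch mode and a one-day comparison.
if sshd_from_inetd "$INETD_CONF"; then
    echo "sshd is launched from inetd (sshd -i): one server key per connection"
else
    echo "sshd is standalone: regenerates every $(key_regen_interval "$SSHD_CONF")s"
fi
echo "keys for 500 connections in 24h, inetd:      $(key_generations inetd 500 86400 "$SSHD_CONF")"
echo "keys for 500 connections in 24h, standalone: $(key_generations standalone 500 86400 "$SSHD_CONF")"
```

The standalone estimate is an upper bound: sshd only regenerates the server key once it has actually been used, so an idle host generates fewer. The inetd figure is exact, which is the point of the thread.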

