Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
From: Bruce M Simpson (bms_at_spc.org)
Date: 09/19/03
- Previous message: Avleen Vig: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- In reply to: Avleen Vig: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Next in thread: Roger Marquis: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Reply: Roger Marquis: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
Date: Fri, 19 Sep 2003 01:19:51 +0100
To: Avleen Vig <lists-freebsd@silverwraith.com>
On Thu, Sep 18, 2003 at 04:18:11PM -0700, Avleen Vig wrote:
> On Thu, Sep 18, 2003 at 12:21:35PM -0700, Roger Marquis wrote:
> > Why FreeBSD's default installation still uses a legacy stand-alone
> > ssh daemon is a question many systems administrators are asking.
>
> I'm certainly not one of those systems administrators.
> I manage > 700 systems on a daily basis (not alone, obviously, and not
> all FreeBSD).
> I don't want one service (ssh) being dependent on another service
> (inetd). This is bad system design.

When you run out of inetd to service a single connection, you have to
generate a new ephemeral key for every ssh instance. This is a needless
waste of precious entropy from /dev/random.

I think running sshd out of inetd is a very bad idea indeed, unless
Mr Marquis is willing to stay in my datacenter and hammer the keys like
a monkey all day, but even then that might be a poor source of entropy.

BMS
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"