Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

From: Jason Stone (freebsd-security_at_dfmm.org)
Date: 09/19/03

Next message: David G. Andersen: "Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]"

Previous message: Devon H. O'Dell: "[Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]"
In reply to: Scott Gerhardt: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
Next in thread: Avleen Vig: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 18 Sep 2003 18:33:31 -0700 (PDT)
To: freebsd-security@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Advantages to using inetd include connection count limiting,
> connection rate limiting, tcp_wrappers, address binding, and
> simplicity (KIS), among others.
>
> Back when ssh was originally developed, in the days of 50Mhz
> processors, key generation time made running sshd out of inetd slow.
> For the past several years, however, this has not been an issue.
> Why FreeBSd's default installation still uses a legacy stand-alone
> ssh daemon is a question many systems administrators are asking.

Uh, you've got it backwards dude - inetd was developed way way back in the
day, when having a separate telnetd, ftpd, etc all running all the time
consumed too many resources. Most modern daemons (sshd, apache, bind,
dhcpd, etc) all run as standalones - the ones that still want inetd are
stuff like talkd, fingerd, uucpd - ie, the daemons that no one runs
anymore.

And how is having two daemons (inetd and sshd), each with their own config
files and implementation bogosities _simpler_ that just the one? Uh, I
could run inetd _and_ sshd, or just sshd - hmm, which do I think is
simpler...? And sshd has all the "advantages of inetd" which you mention.

- From a security standpoint, I really think that inetd outght not be used.
It's an additional root-running source of complexity and potential bugs,
and it is almost never necesary.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE/alzsswXMWWtptckRAn7BAJ9L+V4XAgaJCe3cIm40k34RXdkRXQCg1RXm
u20B+ZxFFSMyNH2OAnuK3X4=
=9Dxo
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Next message: David G. Andersen: "Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]"

Previous message: Devon H. O'Dell: "[Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]"
In reply to: Scott Gerhardt: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
Next in thread: Avleen Vig: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]