From owner-freebsd-security  Sat Sep 12 20:00:20 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id UAA11696
          for freebsd-security-outgoing; Sat, 12 Sep 1998 20:00:20 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from roble.com (roble.com [207.5.40.50])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA11691
          for <freebsd-security@FreeBSD.ORG>; Sat, 12 Sep 1998 20:00:18 -0700 (PDT)
          (envelope-from sendmail@roble.com)
Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id TAA21632 for <freebsd-security@FreeBSD.ORG>; Sat, 12 Sep 1998 19:59:58 -0700 (PDT)
Date: Sat, 12 Sep 1998 19:59:58 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <xzpbtokesgh.fsf@hvergelmir.ifi.uio.no>
Message-ID: <Pine.SUN.3.96.980912195112.21513A-100000@roble.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id UAA11692
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you're running inetd then it doesn't seem consistent to start
daemons that don't need to run all the time from startup scripts.
Inetd was designed to conserve memory.  If you have it why not use it?
/etc/inetd.conf is also a common place to implement access control (via
tcp_wrappers).

Other than that I've frequently run into situations where keepalives
had to be turned off.  In those cases ssh sessions invariably die and
their daemons have to be killed-off by hand (kill <PID>).  As it is
difficult to tell the original daemon from the child daemons it's also
easy to accidentally kill the parent.  If ssh is the only access you're
locked-out.  Easier and more consistent to use inetd where it's
available, IMHO and YMMV.

Roger Marquis
Roble Systems Consulting
http://www.roble.com/

On 13 Sep 1998, Dag-Erling [iso-8859-1] Coïdan[iso-8859-1] Smørgrav wrote:
> "Much more reliable"? What's more reliable than 100%? Have you ever
> experienced any problems running sshd from /usr/local/etc/rc.d/? I
> haven't, and *all* boxes I control rely entirely on ssh for remote
> access, and have inetd disabled.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message