Date: Thu, 18 Sep 2003 12:21:35 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh Message-ID: <20030918192135.744AADACAF@mx7.roble.com>
next in thread | raw e-mail | index | archive | help
>>>This can be dangerous if you are ssh'ed in, and the restart kills your >>>connection rather than the daemon. >> >> All the restart target does is basically kill the pid using the pid file >> and then restart the daemon, so it is no more dangerous then the below. > >It's good that the FreeBSD script does not use 'killall' (for instance), but not >every SysV sshd script is as sensible. Of course, if you argued that a NG sshd >RC script might involve dependencies which affected other processes, you'd have >a point. :-) None of these are problems when sshd is run from inetd. The only reasons not to run sshd out of inetd are A) if the server needs to initiate dozens of sessions per minute or B) if it's not running inetd. Advantages to using inetd include connection count limiting, connection rate limiting, tcp_wrappers, address binding, and simplicity (KIS), among others. Back when ssh was originally developed, in the days of 50Mhz processors, key generation time made running sshd out of inetd slow. For the past several years, however, this has not been an issue. Why FreeBSd's default installation still uses a legacy stand-alone ssh daemon is a question many systems administrators are asking. -- Roger Marquis Roble Systems Consulting http://www.roble.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030918192135.744AADACAF>