From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 18:07:11 2003
Date: Thu, 18 Sep 2003 18:07:10 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
In-Reply-To: <20030918231811.GE527@silverwraith.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com>
Message-Id: <20030919010710.D0BA3DACBD@mx7.roble.com>
List-Id: Security issues [members-only posting]

> I don't want one service (ssh) being dependent on another service
> (inetd). This is bad system design.

Inetd was designed for processes exactly like ssh, processes that are
not generating connections continuously, like sendmail, apache, or
named. Duplicating inetd's features increases the total code, increases
its complexity, and reduces overall security.

Sshd doesn't need to know how to run as a daemon. That code is already
in inetd. Sshd also doesn't need to duplicate the connection limiting,
process limiting, and tcp_wrappers already built into inetd. This is
why all modern unix systems have inetd or xinetd.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
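The configuration the post argues for, as an added example (not part of the original message and not the poster's own config): sshd started per connection by inetd, with inetd's own child/rate limits and tcp_wrappers doing the gatekeeping instead of a standalone daemon. The field syntax is FreeBSD's inetd(8) and hosts_access(5); the numeric limits and the 192.0.2.0/24 management network are assumed example values.

```conf
# /etc/inetd.conf: run sshd once per connection under inetd.
# nowait/50/10/5 means at most 50 sshd children in total, 10 new
# connections per minute from any one source address, and 5
# simultaneous children per source address (example limits).
ssh     stream  tcp     nowait/50/10/5  root    /usr/sbin/sshd  sshd -i

# /etc/hosts.allow: tcp_wrappers rules that inetd (started with -w)
# applies before it ever exec's sshd. First match wins; the daemon
# name is the basename of the server program. 192.0.2.0/24 is a
# documentation range standing in for an assumed management network.
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny

# /etc/rc.conf: start inetd with wrapping enabled for external (-w)
# and internal (-W) services and a global per-source rate cap (-C),
# and make sure a standalone sshd is not started alongside it.
inetd_enable="YES"
inetd_flags="-wW -C 60"
sshd_enable="NO"
```

After editing inetd.conf, send inetd a SIGHUP and confirm with `ssh -v host` from an allowed and a denied address that the second is refused before any SSH banner is sent. One caveat a practitioner should weigh: sshd(8) notes that under inetd each instance must generate the protocol 1 server key before it can answer, which can add noticeable connect latency unless protocol 1 is disabled.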