From owner-freebsd-ports Sat Dec 25 13:50: 9 1999
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id A8A0F14E24
	for ; Sat, 25 Dec 1999 13:50:07 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id NAA43389;
	Sat, 25 Dec 1999 13:50:07 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 497B414D6B; Sat, 25 Dec 1999 13:49:47 -0800 (PST)
Message-Id: <19991225214947.497B414D6B@hub.freebsd.org>
Date: Sat, 25 Dec 1999 13:49:47 -0800 (PST)
From: marquis@roble.com
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: ports/15691: Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         15691
>Category:       ports
>Synopsis:       Ssh ports fail to check inetd.conf before creating ../rc.d/sshd.sh
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 25 13:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Roger Marquis
>Release:        any
>Organization:
Roble Systems
>Environment:
n/a
>Description:
All ssh ports to date (/usr/ports/security/ssh*) assume that sshd will be running as a standalone daemon and fail to check whether sshd is started from inetd. Where there are both an inetd and a standalone daemon, problems logging in from ssh clients can occur, which can result in a denial of service or lock-out situation when "make install" is used to install the daemon on a system where it is already started from inetd. Yes, we've heard the recommendation not to run sshd from inetd.conf; however, where inetd is running it makes no sense not to use it.
There's also a higher vulnerability to DoS attacks for a standalone sshd than for inetd. Finally, the time to generate a session key is effectively zero on systems faster than 250 MHz.
>How-To-Repeat:
>Fix:
Fix the Makefile, i.e.:

# Install the rc.d start script only when /etc/inetd.conf has no active
# (uncommented) "ssh" entry.  The service name is the first field of an
# inetd.conf line, so the match is anchored there instead of counting any
# line that merely mentions ssh.  Recipe lines must begin with a tab.
post-install:
	@if ! grep -q '^ssh[[:space:]]' /etc/inetd.conf 2>/dev/null; then \
		if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
			${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
			${ECHO} "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
			${ECHO} "[ -x ${PREFIX}/sbin/sshd ] && ${PREFIX}/sbin/sshd && ${ECHO} -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
			${CHMOD} 751 ${PREFIX}/etc/rc.d/sshd.sh; \
		fi; \
	fi

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
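The check the PR asks for, written out as a stand-alone sh script. This is an added example, not code from the PR or from the ports tree: it reads inetd.conf the way inetd does (first field is the service name, "#" lines are comments) and sets that beside the grep pipeline from the proposed Makefile change, which counts any line containing "ssh" that does not start with "#ssh". The function names, the sample inetd.conf lines and the "install"/"skip" outcome are constructed for the example.

```shell
#!/bin/sh
# Added example for PR 15691 (not the PR's code, not the ports tree's):
# decide whether an install step should drop an rc.d start script for sshd,
# based on whether inetd already spawns the service.  Assumes the classic
# inetd.conf layout: one entry per line, service name in the first
# whitespace-separated field, "#" starting a comment.

# inetd_service_enabled SERVICE FILE
# Return 0 if FILE contains an active (uncommented) entry whose first field
# is SERVICE, 1 otherwise.  Blank lines, leading whitespace and comments are
# handled, and SERVICE appearing in another field (a path, a comment) does
# not count.
inetd_service_enabled() {
    svc=$1
    conf=$2
    [ -r "$conf" ] || return 1
    awk -v svc="$svc" '
        /^[ \t]*#/  { next }                    # comment line, maybe indented
        NF == 0     { next }                    # blank line
        $1 == svc   { found = 1; exit }         # live entry for the service
        END         { if (found) exit 0; exit 1 }
    ' "$conf"
}

# pr_inetd_check FILE
# The test proposed in the PR's Makefile change, kept for comparison: any
# line containing "ssh" that does not begin with "#ssh" is taken as a live
# entry, so a comment such as "# notes about ssh" is a false positive.
pr_inetd_check() {
    [ -n "$(grep ssh "$1" | grep -v '^#ssh')" ]
}

# rc_script_decision SERVICE FILE
# Print "skip" when inetd already owns SERVICE (an rc.d script would start a
# second listener on the same port) and "install" otherwise.
rc_script_decision() {
    if inetd_service_enabled "$1" "$2"; then
        echo skip
    else
        echo install
    fi
}

# Demonstration on a constructed inetd.conf (sample data, not a system file).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        '# notes about ssh: read sshd(8) before enabling it here' \
        '#ssh stream tcp nowait root /usr/local/sbin/sshd sshd -i' \
        'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' \
        > "$tmp"
    echo "anchored check: $(rc_script_decision ssh "$tmp")"      # install
    pr_inetd_check "$tmp" && echo "PR grep check: skip (false positive)"
    # An indented, live ssh entry appended: now inetd really owns port 22.
    printf '%s\n' '   ssh stream tcp nowait root /usr/local/sbin/sshd sshd -i' >> "$tmp"
    echo "anchored check: $(rc_script_decision ssh "$tmp")"      # skip
    rm -f "$tmp"
}

demo
```

Run it as a plain sh script; the awk parser is the part a port's post-install could reuse, with the file path replaced by /etc/inetd.conf and the service name by the entry the port documents.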