FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

Jason Stone freebsd-security at dfmm.org
Thu Sep 18 18:33:33 PDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Advantages to using inetd include connection count limiting,
> connection rate limiting, tcp_wrappers, address binding, and
> simplicity (KIS), among others.
>
> Back when ssh was originally developed, in the days of 50Mhz
> processors, key generation time made running sshd out of inetd slow.
> For the past several years, however, this has not been an issue.
> Why FreeBSd's default installation still uses a legacy stand-alone
> ssh daemon is a question many systems administrators are asking.

Uh, you've got it backwards dude - inetd was developed way way back in the
day, when having a separate telnetd, ftpd, etc all running all the time
consumed too many resources.  Most modern daemons (sshd, apache, bind,
dhcpd, etc) all run as standalones - the ones that still want inetd are
stuff like talkd, fingerd, uucpd - ie, the daemons that no one runs
anymore.

And how is having two daemons (inetd and sshd), each with their own config
files and implementation bogosities _simpler_ that just the one?  Uh, I
could run inetd _and_ sshd, or just sshd - hmm, which do I think is
simpler...?  And sshd has all the "advantages of inetd" which you mention.

- From a security standpoint, I really think that inetd outght not be used.
It's an additional root-running source of complexity and potential bugs,
and it is almost never necesary.


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE/alzsswXMWWtptckRAn7BAJ9L+V4XAgaJCe3cIm40k34RXdkRXQCg1RXm
u20B+ZxFFSMyNH2OAnuK3X4=
=9Dxo
-----END PGP SIGNATURE-----


More information about the freebsd-security mailing list