FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Scott Gerhardt
scott at g-it.ca
Thu Sep 18 12:27:56 PDT 2003
On 9/18/03 1:21 PM, "Roger Marquis" <marquis at roble.com> wrote:
>>>> This can be dangerous if you are ssh'ed in, and the restart kills your
>>>> connection rather than the daemon.
>>>
>>> All the restart target does is basically kill the pid using the pid file
>>> and then restart the daemon, so it is no more dangerous then the below.
>>
>> It's good that the FreeBSD script does not use 'killall' (for instance), but
>> not
>> every SysV sshd script is as sensible. Of course, if you argued that a NG
>> sshd
>> RC script might involve dependencies which affected other processes, you'd
>> have
>> a point. :-)
>
> None of these are problems when sshd is run from inetd. The only
> reasons not to run sshd out of inetd are A) if the server needs to
> initiate dozens of sessions per minute or B) if it's not running
> inetd.
>
> Advantages to using inetd include connection count limiting,
> connection rate limiting, tcp_wrappers, address binding, and
> simplicity (KIS), among others.
>
> Back when ssh was originally developed, in the days of 50Mhz
> processors, key generation time made running sshd out of inetd slow.
> For the past several years, however, this has not been an issue.
> Why FreeBSd's default installation still uses a legacy stand-alone
> ssh daemon is a question many systems administrators are asking.
Better Yet, what about using xinetd which is much more configurable and
robust. I am surprised that FreeBSD's default installation still uses inetd
instead of xinetd.
--
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies [G-IT]
More information about the freebsd-security
mailing list