FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Bruce M Simpson
bms at spc.org
Thu Sep 18 17:19:58 PDT 2003
On Thu, Sep 18, 2003 at 04:18:11PM -0700, Avleen Vig wrote:
> On Thu, Sep 18, 2003 at 12:21:35PM -0700, Roger Marquis wrote:
> > Why FreeBSD's default installation still uses a legacy stand-alone
> > ssh daemon is a question many systems administrators are asking.
>
> I'm certainly not one of those systems administrators.
> I manage > 700 systems on a daily basis (not alone, obviously, and not
> all FreeBSD).
> I don't want one service (ssh) being dependent on another service
> (inetd). This is bad system design.
When you run out of inetd to service a single connection, you have to
generate a new ephemeral key for every ssh instance. This is a needless
waste of precious entropy from /dev/random.
I think running sshd out of inetd is a very bad idea indeed, unless
Mr Marquis is willing to stay in my datacenter and hammer the keys like
a monkey all day, but even then that might be a poor source of entropy.
BMS