FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Roger Marquis
marquis at roble.com
Thu Sep 18 20:14:54 PDT 2003
On Thu, 18 Sep 2003, Avleen Vig wrote:
> On Thu, Sep 18, 2003 at 06:07:10PM -0700, Roger Marquis wrote:
> > Duplicating inetd's features increases the total code, increases
> > its complexity, and reduces overall security. Sshd doesn't need
> > to know how to run as a daemon. That code is already in inetd.
> > Sshd also doesn't need to duplicate the connection limiting, process
> > limiting, and tcp_wrappers already built into inetd. This is why
> > all modern unix systems have inetd or xinetd.
>
> ...
> Compare all security vulnerabilities in sshd with all security
> vulnerabilities in inetd.
> Now, would you prefer to have only the vulnerabilities in sshd present,
> or both sshd AND inetd?
Which is why you wouldn't run sshd out of inetd on a server that
wasn't already running an inetd. Running sshd as a daemon on a
system that's already running inetd IS your second scenario.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/