On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
> Hello,
> I run sshd and ftpd on my laptop.  I generally start them via:
>   sshd_enable="YES"
>   ftpd_enable="YES"
> in my rc.conf.
> What are the pros/cons of running them via inetd?
> This is in no way a high load or production machine.  Just my laptop
> that I need access to from time to time.
> The one pro I have noticed (which is rather important to me) is that
> ftpd does not heed hosts.allow directives when NOT run via inetd.  Am I
> correct in this?  I prefer to use tcpwrappers to further protect my sshd 
> and ftpd.  I generally keep ftpd firewalled off from the world and when 
> someone needs to (anonymous) ftp something to me I open the firewall. 
> But it would be nice to allow only their IP using hosts.allow (as I just 
> enable/disable a generic ruleset in ipfw).  So should I forget to 
> disable the ruleset in ipfw then I am not open all day till I reboot.

When sshd starts, it needs to generate keys and set up its cryptographic
environment, so you will notice a bit of lag before getting a login
prompt.  This may or may not mean anything to you, depending on how
beefy your laptop is.

Check man sshd for the -i option.

sshd should, by default, be compiled with tcpwrappers support anyway.
You can test whether this is the case by putting something like this at
the top of your hosts.allow:

sshd : : deny

and then try connecting on the loopback interface.  If you see `refused
connect from localhost' in your /var/log/auth.log, then your sshd uses
hosts.allow and running it from inetd won't give you any benefit.

I don't know about ftpd, as I don't use it.


Daniel Bye

PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75  B79A 8B17 F97C 1622 166A
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \

Attachment: pgp2yiLidkKmK.pgp
Description: PGP signature

Reply via email to