On Mon, 10 Jan 2000, Gordon Messmer wrote:
> "Todd A. Jacobs" wrote:
> > The benefits are:
> > * You can take advantage of advanced features of inetd, such as
> > custom logging and process limits.
>
> Oh! I hadn't realized that sshd doesn't have a built-in mechanism to
> limit the number of children. How awful... At the same time, inetd
> doesn't limit the number of clients that can connect, only the rate at
> which they connect. Are the openssh programmers going for strict
> compatibility with ssh? Or do they plan any enhancements? The right
> way to do this would definitely include a limit on the number of
> clients.
>
> > * You aren't vulnerable to attacks from untrusted hosts. The
> > recent exploit against ssh with RSAREF would be much harder to exploit if
> > port 22 doesn't even connect to ssh until AFTER inetd authorizes and logs
> > the connection.
>
> Inetd doesn't authorize the connection, tcpd does. Regardless, unless
> I'm missing something, the host will be authorized by tcp_wrappers
> internally before any data is exchanged. So, there isn't any difference
> between running as a server, or running under tcpd.
>
You have to make sure ssh was compiled with libwrap support, but otherwise
you are correct.
I'd rather run sshd standalone; if inetd dies for some reason you won't be
able to get in to fix it... :)
Bill Carlson
------------
Systems Programmer [EMAIL PROTECTED] | Opinions are mine,
Virtual Hospital http://www.vh.org/ | not my employer's.
University of Iowa Hospitals and Clinics |