I've been wondering about the 'sshd1 -i' option for calling from
inetd and specifically the man page reference to the lengthy key
generation process:

    -i  Specifies that sshd is being run from inetd. Sshd
        is normally not run from inetd because it needs to
        generate the server key before it can respond to
        the client, and this may take tens of seconds.
        Clients would have to wait too long if the key was
        regenerated every time. However, with small key
        sizes (e.g. 512) using sshd from inetd may be
        feasible.

A co-worker of mine tells me that he likes to run it from inetd because of
the added security of having a key generated each time.
Personally, I can't stand inetd and avoid it at all costs -- being a fan
of qmail, if I really had to run sshd1 -i then I would wrap it under
tcpserver and live with that. My hunch though is that generating the key
too often is actually a bad thing when you consider that most computers
don't have a good source of randomness. So generating keys too often will
actually help the attacker. Is that correct?
Comments appreciated. Are both issues (key generation and inetd/tcpserver)
moot points / insignificant? And the ability for sshd as a daemon on its
own to gracefully defer connections if there are too many, which I imagine
it does, plus any other issues there may be. Thanks.
Bottom of this page describes tcpserver vs inetd:
http://cr.yp.to/ucspi-tcp.html