"Todd A. Jacobs" wrote:
> The benefits are:
>         *  You can take advantage of advanced features of inetd, such as
> custom logging and process limits.

Oh!  I hadn't realized that sshd doesn't have a built-in mechanism to
limit the number of children.  How awful... At the same time, inetd
doesn't limit the number of clients that can connect, only the rate at
which they connect.  Are the openssh programmers going for strict
compatibility with ssh?  Or do they plan any enhancements?  The right
way to do this would definitely include a limit on the number of
clients.

>         * You aren't vulnerable to attacks from untrusted hosts. The
> recent exploit against ssh with RSAREF would be much harder to exploit if
> port 22 doesn't even connect to ssh until AFTER inetd authorizes and logs
> the connection.

Inetd doesn't authorize the connection, tcpd does.  Regardless, unless
I'm missing something, the host will be authorized by tcp_wrappers
internally before any data is exchanged.  So, there isn't any difference
between running as a server, or running under tcpd.

MSG
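An added configuration example (not part of this thread) showing the setup under discussion, assuming a BSD-style inetd with tcp_wrappers and sshd installed at /usr/sbin/sshd: the `.N` suffix on `nowait` is inetd's per-minute spawn limit, not a cap on concurrent clients, and the hosts.allow/hosts.deny decision is made by tcpd before sshd is even executed.

```conf
# /etc/inetd.conf  (assumed BSD-style inetd; program paths are assumptions)
# nowait.30 means: if more than 30 sshd instances are spawned within one
# minute, inetd temporarily stops accepting the service and logs it.
# This limits the connection rate only; concurrent sessions are not capped.
ssh  stream  tcp  nowait.30  root  /usr/sbin/tcpd  /usr/sbin/sshd -i

# /etc/hosts.allow  (evaluated by tcpd; sshd runs only if a rule matches)
sshd: 192.0.2.                 # constructed example network prefix

# /etc/hosts.deny  (everything else is refused and logged via syslog)
sshd: ALL : spawn (/usr/bin/logger -p auth.warning "tcpd refused sshd from %a") &
```

Because tcpd makes its decision and logs before exec'ing sshd, a host outside the allowed list never reaches sshd's own code path; the per-minute limit still leaves the number of simultaneous sessions unbounded, which is the gap the reply above points out.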


-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.