[svlug] deny ssh

John Conover conover at rahul.net
Tue Nov 27 03:50:01 PST 2001


Well, like I said, it depends on how anal you want to be. The folks at
ssh say it is wise to regenerate the key for each instance, since it
is more secure: a cracked key will only lose one process. But it does
take more resources; if run under tcpserver, though, tcpserver will
throttle the DoS.

Depending on who is telling the story, of course.

	John

Jeffrey Siegal writes:
> While it is possible to run sshd under inetd (or an inetd replacement),
> the protocol really isn't designed to work that way.  Upon startup sshd
> generates a server key, which consumes significant resources.  If
> started from inetd, sshd will have to generate a server key for every
> connection.  Not only does this slow down connections and increase
> resource use, but the high cost of an incoming connection makes a
> tempting target for a DoS attack (which can probably be blocked with
> appropriate inetd configuration, but still).
>

-- 

John Conover        Tel. 408.370.2688  conover at rahul.net
631 Lamont Ct.      Fax. 408.379.9602  http://www.johncon.com/
Campbell, CA 95008
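The trade-off the thread is arguing about, as an added illustration that is not part of the original post and not code from sshd, inetd or tcpserver: a per-connection server (sshd -i from inetd) pays for server key generation on every accept, a standalone daemon pays once, and a tcpserver-style concurrency cap (its -c limit) bounds how much of that work a burst of connections can force. Key generation is stood in for by a random probable-prime search, which is the expensive core of RSA key generation; the sizes, counts and seed are constructed for the demonstration.

```python
"""Cost model for sshd-per-connection vs. a standalone daemon, with and
without a tcpserver-style concurrency cap. Constructed illustration; the
'server key' here is a random probable prime, not a real SSH key."""
import random
import threading


def is_probable_prime(n, rng=None, rounds=20):
    """Miller-Rabin probabilistic primality test (constructed helper)."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: composite
    return True


def generate_server_key(bits=64, seed=None):
    """Stand-in for server key generation: a random probable prime of
    exactly `bits` bits. RSA key generation is dominated by this kind of
    prime search, so the per-call cost scales the same way."""
    rng = random.Random(seed)
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


class InetdStyleServer:
    """sshd -i from inetd: a fresh process, so a fresh key, per connection."""
    def __init__(self, bits=64, seed=None):
        self.bits, self.seed, self.keys_generated = bits, seed, 0

    def handle(self):
        key = generate_server_key(self.bits, self.seed)
        self.keys_generated += 1
        return key


class DaemonServer:
    """Standalone sshd: one key generated at startup and reused; rotation
    happens on the daemon's own timer, not per connection."""
    def __init__(self, bits=64, seed=None):
        self.key = generate_server_key(bits, seed)
        self.keys_generated = 1

    def handle(self):
        return self.key


class ConcurrencyGate:
    """Models tcpserver's -c limit: at most `limit` connections in flight.
    Extra arrivals are refused, not queued, so the work an attacker can
    force at once is bounded. A semaphore makes it safe under real threads."""
    def __init__(self, limit):
        self._sem = threading.BoundedSemaphore(limit)

    def try_enter(self):
        return self._sem.acquire(blocking=False)

    def leave(self):
        self._sem.release()


def simulate_burst(server, gate, n_conns):
    """n_conns connections arrive at once (a burst). Returns how many were
    served, how many refused, and how many server keys had to be made."""
    accepted = refused = 0
    for _ in range(n_conns):
        if gate.try_enter():
            accepted += 1
        else:
            refused += 1
    for _ in range(accepted):  # admitted connections do their work and leave
        server.handle()
        gate.leave()
    return {"accepted": accepted, "refused": refused,
            "keys_generated": server.keys_generated}


def run_demo(n_conns=10, limit=3, bits=64, seed=1):
    """Compare the deployment models under one burst of n_conns connections."""
    return {
        "inetd_uncapped": simulate_burst(InetdStyleServer(bits, seed),
                                         ConcurrencyGate(n_conns), n_conns),
        "inetd_capped": simulate_burst(InetdStyleServer(bits, seed),
                                       ConcurrencyGate(limit), n_conns),
        "daemon_uncapped": simulate_burst(DaemonServer(bits, seed),
                                          ConcurrencyGate(n_conns), n_conns),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16s} {result}")
```

With the defaults, the uncapped inetd model generates one key per connection (10 for 10), the capped inetd model generates only as many as the cap admits (3, refusing 7), and the daemon generates a single key regardless of load. That is the whole of the trade-off: per-connection regeneration limits the blast radius of one compromised key, and the concurrency cap is what keeps that choice from turning key generation into a cheap way to burn the server's CPU.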




