CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups

to 10:30:100 (closes: #700102).
author: Colin Watson <cjwatson@debian.org> 2013-02-08 21:07:09 +0000
committer: Colin Watson <cjwatson@debian.org> 2013-02-08 21:07:09 +0000
commit: 57beeaa6b23799ef7986a16bfc81b2de84a00aa8 (patch)
tree: 90c4d4dc1553b0a9d92004a353ec6ec216cd92b6
parent: 1327f52870f5b4bc5b1b34d4ead9bedd9998b609 (diff)
6 files changed, 65 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index 0941e5d15..7128dfccf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
  * Give ssh and ssh-krb5 versioned dependencies on openssh-client and
    openssh-server, to try to reduce confusion when people run 'apt-get
    install ssh' or similar and expect that to upgrade everything relevant.
+  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
+    to 10:30:100 (closes: #700102).
 -- Colin Watson <cjwatson@debian.org>  Wed, 19 Dec 2012 10:50:33 +0000
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
new file mode 100644
index 000000000..87e690bd1
--- /dev/null
+++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
+Description: Change default of MaxStartups to 10:30:100
+ This causes sshd to start doing random early drop at 10 connections up to
+ 100 connections.  This will make it harder to DoS as CPUs have come a long
+ way since the original value was set back in 2000.
+Author: Darren Tucker
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
+Bug-Debian: http://bugs.debian.org/700102
+Forwarded: not-needed
+Last-Update: 2013-02-08
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -264,11 +264,11 @@
+        if (options->gateway_ports == -1)
+                options->gateway_ports = 0;
+        if (options->max_startups == -1)
+-               options->max_startups = 10;
+               options->max_startups = 100;
+        if (options->max_startups_rate == -1)
+-               options->max_startups_rate = 100;               /* 100% */
+               options->max_startups_rate = 30;                /* 30% */
+        if (options->max_startups_begin == -1)
+-               options->max_startups_begin = options->max_startups;
+               options->max_startups_begin = 10;
+        if (options->max_authtries == -1)
+                options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+        if (options->max_sessions == -1)
+Index: b/sshd_config
+===================================================================
+--- a/sshd_config
+++ b/sshd_config
+@@ -108,7 +108,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
+#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -781,7 +781,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
+The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
diff --git a/debian/patches/series b/debian/patches/series
index cb6be9a28..efb2c5432 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
+max-startups-default.patch
 # Versioning
 package-versioning.patch
diff --git a/servconf.c b/servconf.c
index 5b8c686c2..9a8822938 100644
--- a/servconf.c
+++ b/servconf.c
@@ -265,11 +265,11 @@ fill_default_server_options(ServerOptions *options)
        if (options->gateway_ports == -1)
                options->gateway_ports = 0;
        if (options->max_startups == -1)
-                options->max_startups = 10;
+                options->max_startups = 100;
        if (options->max_startups_rate == -1)
-                options->max_startups_rate = 100;               /* 100% */
+                options->max_startups_rate = 30;                /* 30% */
        if (options->max_startups_begin == -1)
-                options->max_startups_begin = options->max_startups;
+                options->max_startups_begin = 10;
        if (options->max_authtries == -1)
                options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
        if (options->max_sessions == -1)
diff --git a/sshd_config b/sshd_config
index 2523015de..3ea8e2efc 100644
--- a/sshd_config
+++ b/sshd_config
@@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
diff --git a/sshd_config.5 b/sshd_config.5
index 22e7edc94..de2b776fd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -812,7 +812,7 @@ SSH daemon.
 Additional connections will be dropped until authentication succeeds or the
 .Cm LoginGraceTime
 expires for a connection.
-The default is 10.
+The default is 10:30:100.
 .Pp
 Alternatively, random early drop can be enabled by specifying
 the three colon separated values
author	Colin Watson <cjwatson@debian.org>	2013-02-08 21:07:09 +0000
committer	Colin Watson <cjwatson@debian.org>	2013-02-08 21:07:09 +0000
commit	57beeaa6b23799ef7986a16bfc81b2de84a00aa8 (patch)
tree	90c4d4dc1553b0a9d92004a353ec6ec216cd92b6
parent	1327f52870f5b4bc5b1b34d4ead9bedd9998b609 (diff)

diff --git a/debian/changelog b/debian/changelog index 0941e5d15..7128dfccf 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
3	* Give ssh and ssh-krb5 versioned dependencies on openssh-client and	3	* Give ssh and ssh-krb5 versioned dependencies on openssh-client and
4	openssh-server, to try to reduce confusion when people run 'apt-get	4	openssh-server, to try to reduce confusion when people run 'apt-get
5	install ssh' or similar and expect that to upgrade everything relevant.	5	install ssh' or similar and expect that to upgrade everything relevant.
		6	* CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
		7	to 10:30:100 (closes: #700102).
6		8
7	-- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000	9	-- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000
8		10


diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch new file mode 100644 index 000000000..87e690bd1 --- /dev/null +++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
		1	Description: Change default of MaxStartups to 10:30:100
		2	This causes sshd to start doing random early drop at 10 connections up to
		3	100 connections. This will make it harder to DoS as CPUs have come a long
		4	way since the original value was set back in 2000.
		5	Author: Darren Tucker
		6	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
		7	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
		8	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
		9	Bug-Debian: http://bugs.debian.org/700102
		10	Forwarded: not-needed
		11	Last-Update: 2013-02-08
		12
		13	Index: b/servconf.c
		14	===================================================================
		15	--- a/servconf.c
		16	+++ b/servconf.c
		17	@@ -264,11 +264,11 @@
		18	if (options->gateway_ports == -1)
		19	options->gateway_ports = 0;
		20	if (options->max_startups == -1)
		21	- options->max_startups = 10;
		22	+ options->max_startups = 100;
		23	if (options->max_startups_rate == -1)
		24	- options->max_startups_rate = 100; /* 100% */
		25	+ options->max_startups_rate = 30; /* 30% */
		26	if (options->max_startups_begin == -1)
		27	- options->max_startups_begin = options->max_startups;
		28	+ options->max_startups_begin = 10;
		29	if (options->max_authtries == -1)
		30	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
		31	if (options->max_sessions == -1)
		32	Index: b/sshd_config
		33	===================================================================
		34	--- a/sshd_config
		35	+++ b/sshd_config
		36	@@ -108,7 +108,7 @@
		37	#ClientAliveCountMax 3
		38	#UseDNS yes
		39	#PidFile /var/run/sshd.pid
		40	-#MaxStartups 10
		41	+#MaxStartups 10:30:100
		42	#PermitTunnel no
		43	#ChrootDirectory none
		44	#VersionAddendum none
		45	Index: b/sshd_config.5
		46	===================================================================
		47	--- a/sshd_config.5
		48	+++ b/sshd_config.5
		49	@@ -781,7 +781,7 @@
		50	Additional connections will be dropped until authentication succeeds or the
		51	.Cm LoginGraceTime
		52	expires for a connection.
		53	-The default is 10.
		54	+The default is 10:30:100.
		55	.Pp
		56	Alternatively, random early drop can be enabled by specifying
		57	the three colon separated values


diff --git a/debian/patches/series b/debian/patches/series index cb6be9a28..efb2c5432 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
27	dnssec-sshfp.patch	27	dnssec-sshfp.patch
28	auth-log-verbosity.patch	28	auth-log-verbosity.patch
29	mention-ssh-keygen-on-keychange.patch	29	mention-ssh-keygen-on-keychange.patch
		30	max-startups-default.patch
30		31
31	# Versioning	32	# Versioning
32	package-versioning.patch	33	package-versioning.patch


diff --git a/servconf.c b/servconf.c index 5b8c686c2..9a8822938 100644 --- a/servconf.c +++ b/servconf.c
@@ -265,11 +265,11 @@ fill_default_server_options(ServerOptions *options)
265	if (options->gateway_ports == -1)	265	if (options->gateway_ports == -1)
266	options->gateway_ports = 0;	266	options->gateway_ports = 0;
267	if (options->max_startups == -1)	267	if (options->max_startups == -1)
268	options->max_startups = 10;	268	options->max_startups = 100;
269	if (options->max_startups_rate == -1)	269	if (options->max_startups_rate == -1)
270	options->max_startups_rate = 100; /* 100% */	270	options->max_startups_rate = 30; /* 30% */
271	if (options->max_startups_begin == -1)	271	if (options->max_startups_begin == -1)
272	options->max_startups_begin = options->max_startups;	272	options->max_startups_begin = 10;
273	if (options->max_authtries == -1)	273	if (options->max_authtries == -1)
274	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;	274	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
275	if (options->max_sessions == -1)	275	if (options->max_sessions == -1)


diff --git a/sshd_config b/sshd_config index 2523015de..3ea8e2efc 100644 --- a/sshd_config +++ b/sshd_config
@@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
109	#ClientAliveCountMax 3	109	#ClientAliveCountMax 3
110	#UseDNS yes	110	#UseDNS yes
111	#PidFile /var/run/sshd.pid	111	#PidFile /var/run/sshd.pid
112	#MaxStartups 10	112	#MaxStartups 10:30:100
113	#PermitTunnel no	113	#PermitTunnel no
114	#ChrootDirectory none	114	#ChrootDirectory none
115	#VersionAddendum none	115	#VersionAddendum none


diff --git a/sshd_config.5 b/sshd_config.5 index 22e7edc94..de2b776fd 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -812,7 +812,7 @@ SSH daemon.
812	Additional connections will be dropped until authentication succeeds or the	812	Additional connections will be dropped until authentication succeeds or the
813	.Cm LoginGraceTime	813	.Cm LoginGraceTime
814	expires for a connection.	814	expires for a connection.
815	The default is 10.	815	The default is 10:30:100.
816	.Pp	816	.Pp
817	Alternatively, random early drop can be enabled by specifying	817	Alternatively, random early drop can be enabled by specifying
818	the three colon separated values	818	the three colon separated values