CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups

to 10:30:100 (closes: #700102).
author: Colin Watson <cjwatson@debian.org> 2013-02-08 21:07:09 +0000
committer: Colin Watson <cjwatson@debian.org> 2013-02-08 21:07:09 +0000
commit: 57beeaa6b23799ef7986a16bfc81b2de84a00aa8 (patch)
tree: 90c4d4dc1553b0a9d92004a353ec6ec216cd92b6 /debian
parent: 1327f52870f5b4bc5b1b34d4ead9bedd9998b609 (diff)
3 files changed, 60 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 0941e5d15..7128dfccf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
  * Give ssh and ssh-krb5 versioned dependencies on openssh-client and
    openssh-server, to try to reduce confusion when people run 'apt-get
    install ssh' or similar and expect that to upgrade everything relevant.
+  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
+    to 10:30:100 (closes: #700102).
 -- Colin Watson <cjwatson@debian.org>  Wed, 19 Dec 2012 10:50:33 +0000
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
new file mode 100644
index 000000000..87e690bd1
--- /dev/null
+++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
+Description: Change default of MaxStartups to 10:30:100
+ This causes sshd to start doing random early drop at 10 connections up to
+ 100 connections.  This will make it harder to DoS as CPUs have come a long
+ way since the original value was set back in 2000.
+Author: Darren Tucker
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
+Bug-Debian: http://bugs.debian.org/700102
+Forwarded: not-needed
+Last-Update: 2013-02-08
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -264,11 +264,11 @@
+        if (options->gateway_ports == -1)
+                options->gateway_ports = 0;
+        if (options->max_startups == -1)
+-               options->max_startups = 10;
+               options->max_startups = 100;
+        if (options->max_startups_rate == -1)
+-               options->max_startups_rate = 100;               /* 100% */
+               options->max_startups_rate = 30;                /* 30% */
+        if (options->max_startups_begin == -1)
+-               options->max_startups_begin = options->max_startups;
+               options->max_startups_begin = 10;
+        if (options->max_authtries == -1)
+                options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+        if (options->max_sessions == -1)
+Index: b/sshd_config
+===================================================================
+--- a/sshd_config
+++ b/sshd_config
+@@ -108,7 +108,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
+#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -781,7 +781,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
+The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
diff --git a/debian/patches/series b/debian/patches/series
index cb6be9a28..efb2c5432 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
+max-startups-default.patch
 # Versioning
 package-versioning.patch
author	Colin Watson <cjwatson@debian.org>	2013-02-08 21:07:09 +0000
committer	Colin Watson <cjwatson@debian.org>	2013-02-08 21:07:09 +0000
commit	57beeaa6b23799ef7986a16bfc81b2de84a00aa8 (patch)
tree	90c4d4dc1553b0a9d92004a353ec6ec216cd92b6 /debian
parent	1327f52870f5b4bc5b1b34d4ead9bedd9998b609 (diff)

diff --git a/debian/changelog b/debian/changelog index 0941e5d15..7128dfccf 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
3	* Give ssh and ssh-krb5 versioned dependencies on openssh-client and	3	* Give ssh and ssh-krb5 versioned dependencies on openssh-client and
4	openssh-server, to try to reduce confusion when people run 'apt-get	4	openssh-server, to try to reduce confusion when people run 'apt-get
5	install ssh' or similar and expect that to upgrade everything relevant.	5	install ssh' or similar and expect that to upgrade everything relevant.
		6	* CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
		7	to 10:30:100 (closes: #700102).
6		8
7	-- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000	9	-- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000
8		10


diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch new file mode 100644 index 000000000..87e690bd1 --- /dev/null +++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
		1	Description: Change default of MaxStartups to 10:30:100
		2	This causes sshd to start doing random early drop at 10 connections up to
		3	100 connections. This will make it harder to DoS as CPUs have come a long
		4	way since the original value was set back in 2000.
		5	Author: Darren Tucker
		6	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
		7	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
		8	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
		9	Bug-Debian: http://bugs.debian.org/700102
		10	Forwarded: not-needed
		11	Last-Update: 2013-02-08
		12
		13	Index: b/servconf.c
		14	===================================================================
		15	--- a/servconf.c
		16	+++ b/servconf.c
		17	@@ -264,11 +264,11 @@
		18	if (options->gateway_ports == -1)
		19	options->gateway_ports = 0;
		20	if (options->max_startups == -1)
		21	- options->max_startups = 10;
		22	+ options->max_startups = 100;
		23	if (options->max_startups_rate == -1)
		24	- options->max_startups_rate = 100; /* 100% */
		25	+ options->max_startups_rate = 30; /* 30% */
		26	if (options->max_startups_begin == -1)
		27	- options->max_startups_begin = options->max_startups;
		28	+ options->max_startups_begin = 10;
		29	if (options->max_authtries == -1)
		30	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
		31	if (options->max_sessions == -1)
		32	Index: b/sshd_config
		33	===================================================================
		34	--- a/sshd_config
		35	+++ b/sshd_config
		36	@@ -108,7 +108,7 @@
		37	#ClientAliveCountMax 3
		38	#UseDNS yes
		39	#PidFile /var/run/sshd.pid
		40	-#MaxStartups 10
		41	+#MaxStartups 10:30:100
		42	#PermitTunnel no
		43	#ChrootDirectory none
		44	#VersionAddendum none
		45	Index: b/sshd_config.5
		46	===================================================================
		47	--- a/sshd_config.5
		48	+++ b/sshd_config.5
		49	@@ -781,7 +781,7 @@
		50	Additional connections will be dropped until authentication succeeds or the
		51	.Cm LoginGraceTime
		52	expires for a connection.
		53	-The default is 10.
		54	+The default is 10:30:100.
		55	.Pp
		56	Alternatively, random early drop can be enabled by specifying
		57	the three colon separated values


diff --git a/debian/patches/series b/debian/patches/series index cb6be9a28..efb2c5432 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
27	dnssec-sshfp.patch	27	dnssec-sshfp.patch
28	auth-log-verbosity.patch	28	auth-log-verbosity.patch
29	mention-ssh-keygen-on-keychange.patch	29	mention-ssh-keygen-on-keychange.patch
		30	max-startups-default.patch
30		31
31	# Versioning	32	# Versioning
32	package-versioning.patch	33	package-versioning.patch