-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/max-startups-default.patch | 57 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | servconf.c | 6 | ||||
-rw-r--r-- | sshd_config | 2 | ||||
-rw-r--r-- | sshd_config.5 | 2 |
6 files changed, 65 insertions, 5 deletions
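--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
 * Give ssh and ssh-krb5 versioned dependencies on openssh-client and
 openssh-server, to try to reduce confusion when people run 'apt-get
 install ssh' or similar and expect that to upgrade everything relevant.
+* CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
+to 10:30:100 (closes: #700102).
 
 -- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000
 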
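--- /dev/null
+++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
+Description: Change default of MaxStartups to 10:30:100
+This causes sshd to start doing random early drop at 10 connections up to
+100 connections. This will make it harder to DoS as CPUs have come a long
+way since the original value was set back in 2000.
+Author: Darren Tucker
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
+Bug-Debian: http://bugs.debian.org/700102
+Forwarded: not-needed
+Last-Update: 2013-02-08
+
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -264,11 +264,11 @@
+if (options->gateway_ports == -1)
+options->gateway_ports = 0;
+if (options->max_startups == -1)
+- options->max_startups = 10;
++ options->max_startups = 100;
+if (options->max_startups_rate == -1)
+- options->max_startups_rate = 100; /* 100% */
++ options->max_startups_rate = 30; /* 30% */
+if (options->max_startups_begin == -1)
+- options->max_startups_begin = options->max_startups;
++ options->max_startups_begin = 10;
+if (options->max_authtries == -1)
+options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+if (options->max_sessions == -1)
+Index: b/sshd_config
+===================================================================
+--- a/sshd_config
++++ b/sshd_config
+@@ -108,7 +108,7 @@
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -781,7 +781,7 @@
+Additional connections will be dropped until authentication succeeds or the
+.Cm LoginGraceTime
+expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+.Pp
+Alternatively, random early drop can be enabled by specifying
+the three colon separated values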
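--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
+max-startups-default.patch
 
 # Versioning
 package-versioning.patch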
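--- a/servconf.c
+++ b/servconf.c
@@ -265,11 +265,11 @@ fill_default_server_options(ServerOptions *options)
 if (options->gateway_ports == -1)
 options->gateway_ports = 0;
 if (options->max_startups == -1)
-options->max_startups = 10;
+options->max_startups = 100;
 if (options->max_startups_rate == -1)
-options->max_startups_rate = 100; /* 100% */
+options->max_startups_rate = 30; /* 30% */
 if (options->max_startups_begin == -1)
-options->max_startups_begin = options->max_startups;
+options->max_startups_begin = 10;
 if (options->max_authtries == -1)
 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
 if (options->max_sessions == -1)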
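Review bot: The new defaults on lines 268, 270 and 272 are three bare literals (100, 30, 10) that must agree with the `#MaxStartups 10:30:100` line in sshd_config and the `The default is 10:30:100.` sentence in sshd_config.5, and nothing in the code ties them together; the same literals are repeated once more in debian/patches/max-startups-default.patch. Naming them alongside `DEFAULT_AUTH_FAIL_MAX`, which line 274 already uses for the neighbouring default, gives the man page and config template one place to track and lets the `/* 30% */` comment say what the rate means instead of restating the number. fill_default_server_options begins and ends outside this hunk. The definitions below belong at file scope next to `DEFAULT_AUTH_FAIL_MAX`; only the three assignments change inside the function.
```c
/*
 * MaxStartups default 10:30:100: once 10 unauthenticated connections are
 * pending, new ones are dropped with 30% probability, and all are refused
 * at 100 (see MaxStartups in sshd_config.5 and the sshd_config template).
 */
#define DEFAULT_MAX_STARTUPS_BEGIN	10
#define DEFAULT_MAX_STARTUPS_RATE	30
#define DEFAULT_MAX_STARTUPS		100
/* … unchanged: fill_default_server_options up to gateway_ports … */
	if (options->max_startups == -1)
		options->max_startups = DEFAULT_MAX_STARTUPS;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = DEFAULT_MAX_STARTUPS_RATE;
	if (options->max_startups_begin == -1)
		options->max_startups_begin = DEFAULT_MAX_STARTUPS_BEGIN;
/* … unchanged: max_authtries and later defaults … */
```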
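--- a/sshd_config
+++ b/sshd_config
@@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none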
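--- a/sshd_config.5
+++ b/sshd_config.5
@@ -812,7 +812,7 @@ SSH daemon.
 Additional connections will be dropped until authentication succeeds or the
 .Cm LoginGraceTime
 expires for a connection.
-The default is 10.
+The default is 10:30:100.
 .Pp
 Alternatively, random early drop can be enabled by specifying
 the three colon separated values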