summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/max-startups-default.patch57
-rw-r--r--debian/patches/series1
-rw-r--r--servconf.c6
-rw-r--r--sshd_config2
-rw-r--r--sshd_config.52
6 files changed, 65 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index 0941e5d15..7128dfccf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
3 * Give ssh and ssh-krb5 versioned dependencies on openssh-client and 3 * Give ssh and ssh-krb5 versioned dependencies on openssh-client and
4 openssh-server, to try to reduce confusion when people run 'apt-get 4 openssh-server, to try to reduce confusion when people run 'apt-get
5 install ssh' or similar and expect that to upgrade everything relevant. 5 install ssh' or similar and expect that to upgrade everything relevant.
6 * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
7 to 10:30:100 (closes: #700102).
6 8
7 -- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000 9 -- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000
8 10
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
new file mode 100644
index 000000000..87e690bd1
--- /dev/null
+++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
1Description: Change default of MaxStartups to 10:30:100
2 This causes sshd to start doing random early drop at 10 connections up to
3 100 connections. This will make it harder to DoS as CPUs have come a long
4 way since the original value was set back in 2000.
5Author: Darren Tucker
6Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
7Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
8Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
9Bug-Debian: http://bugs.debian.org/700102
10Forwarded: not-needed
11Last-Update: 2013-02-08
12
13Index: b/servconf.c
14===================================================================
15--- a/servconf.c
16+++ b/servconf.c
17@@ -264,11 +264,11 @@
18 if (options->gateway_ports == -1)
19 options->gateway_ports = 0;
20 if (options->max_startups == -1)
21- options->max_startups = 10;
22+ options->max_startups = 100;
23 if (options->max_startups_rate == -1)
24- options->max_startups_rate = 100; /* 100% */
25+ options->max_startups_rate = 30; /* 30% */
26 if (options->max_startups_begin == -1)
27- options->max_startups_begin = options->max_startups;
28+ options->max_startups_begin = 10;
29 if (options->max_authtries == -1)
30 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
31 if (options->max_sessions == -1)
32Index: b/sshd_config
33===================================================================
34--- a/sshd_config
35+++ b/sshd_config
36@@ -108,7 +108,7 @@
37 #ClientAliveCountMax 3
38 #UseDNS yes
39 #PidFile /var/run/sshd.pid
40-#MaxStartups 10
41+#MaxStartups 10:30:100
42 #PermitTunnel no
43 #ChrootDirectory none
44 #VersionAddendum none
45Index: b/sshd_config.5
46===================================================================
47--- a/sshd_config.5
48+++ b/sshd_config.5
49@@ -781,7 +781,7 @@
50 Additional connections will be dropped until authentication succeeds or the
51 .Cm LoginGraceTime
52 expires for a connection.
53-The default is 10.
54+The default is 10:30:100.
55 .Pp
56 Alternatively, random early drop can be enabled by specifying
57 the three colon separated values
diff --git a/debian/patches/series b/debian/patches/series
index cb6be9a28..efb2c5432 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
27dnssec-sshfp.patch 27dnssec-sshfp.patch
28auth-log-verbosity.patch 28auth-log-verbosity.patch
29mention-ssh-keygen-on-keychange.patch 29mention-ssh-keygen-on-keychange.patch
30max-startups-default.patch
30 31
31# Versioning 32# Versioning
32package-versioning.patch 33package-versioning.patch
diff --git a/servconf.c b/servconf.c
index 5b8c686c2..9a8822938 100644
--- a/servconf.c
+++ b/servconf.c
@@ -265,11 +265,11 @@ fill_default_server_options(ServerOptions *options)
265 if (options->gateway_ports == -1) 265 if (options->gateway_ports == -1)
266 options->gateway_ports = 0; 266 options->gateway_ports = 0;
267 if (options->max_startups == -1) 267 if (options->max_startups == -1)
268 options->max_startups = 10; 268 options->max_startups = 100;
269 if (options->max_startups_rate == -1) 269 if (options->max_startups_rate == -1)
270 options->max_startups_rate = 100; /* 100% */ 270 options->max_startups_rate = 30; /* 30% */
271 if (options->max_startups_begin == -1) 271 if (options->max_startups_begin == -1)
272 options->max_startups_begin = options->max_startups; 272 options->max_startups_begin = 10;
273 if (options->max_authtries == -1) 273 if (options->max_authtries == -1)
274 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 274 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
275 if (options->max_sessions == -1) 275 if (options->max_sessions == -1)
diff --git a/sshd_config b/sshd_config
index 2523015de..3ea8e2efc 100644
--- a/sshd_config
+++ b/sshd_config
@@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
109#ClientAliveCountMax 3 109#ClientAliveCountMax 3
110#UseDNS yes 110#UseDNS yes
111#PidFile /var/run/sshd.pid 111#PidFile /var/run/sshd.pid
112#MaxStartups 10 112#MaxStartups 10:30:100
113#PermitTunnel no 113#PermitTunnel no
114#ChrootDirectory none 114#ChrootDirectory none
115#VersionAddendum none 115#VersionAddendum none
diff --git a/sshd_config.5 b/sshd_config.5
index 22e7edc94..de2b776fd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -812,7 +812,7 @@ SSH daemon.
812Additional connections will be dropped until authentication succeeds or the 812Additional connections will be dropped until authentication succeeds or the
813.Cm LoginGraceTime 813.Cm LoginGraceTime
814expires for a connection. 814expires for a connection.
815The default is 10. 815The default is 10:30:100.
816.Pp 816.Pp
817Alternatively, random early drop can be enabled by specifying 817Alternatively, random early drop can be enabled by specifying
818the three colon separated values 818the three colon separated values