summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/max-startups-default.patch57
-rw-r--r--debian/patches/series1
3 files changed, 60 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 0941e5d15..7128dfccf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
3 * Give ssh and ssh-krb5 versioned dependencies on openssh-client and 3 * Give ssh and ssh-krb5 versioned dependencies on openssh-client and
4 openssh-server, to try to reduce confusion when people run 'apt-get 4 openssh-server, to try to reduce confusion when people run 'apt-get
5 install ssh' or similar and expect that to upgrade everything relevant. 5 install ssh' or similar and expect that to upgrade everything relevant.
6 * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
7 to 10:30:100 (closes: #700102).
6 8
7 -- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000 9 -- Colin Watson <cjwatson@debian.org> Wed, 19 Dec 2012 10:50:33 +0000
8 10
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
new file mode 100644
index 000000000..87e690bd1
--- /dev/null
+++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
1Description: Change default of MaxStartups to 10:30:100
2 This causes sshd to start doing random early drop at 10 connections up to
3 100 connections. This will make it harder to DoS as CPUs have come a long
4 way since the original value was set back in 2000.
5Author: Darren Tucker
6Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
7Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
8Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
9Bug-Debian: http://bugs.debian.org/700102
10Forwarded: not-needed
11Last-Update: 2013-02-08
12
13Index: b/servconf.c
14===================================================================
15--- a/servconf.c
16+++ b/servconf.c
17@@ -264,11 +264,11 @@
18 if (options->gateway_ports == -1)
19 options->gateway_ports = 0;
20 if (options->max_startups == -1)
21- options->max_startups = 10;
22+ options->max_startups = 100;
23 if (options->max_startups_rate == -1)
24- options->max_startups_rate = 100; /* 100% */
25+ options->max_startups_rate = 30; /* 30% */
26 if (options->max_startups_begin == -1)
27- options->max_startups_begin = options->max_startups;
28+ options->max_startups_begin = 10;
29 if (options->max_authtries == -1)
30 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
31 if (options->max_sessions == -1)
32Index: b/sshd_config
33===================================================================
34--- a/sshd_config
35+++ b/sshd_config
36@@ -108,7 +108,7 @@
37 #ClientAliveCountMax 3
38 #UseDNS yes
39 #PidFile /var/run/sshd.pid
40-#MaxStartups 10
41+#MaxStartups 10:30:100
42 #PermitTunnel no
43 #ChrootDirectory none
44 #VersionAddendum none
45Index: b/sshd_config.5
46===================================================================
47--- a/sshd_config.5
48+++ b/sshd_config.5
49@@ -781,7 +781,7 @@
50 Additional connections will be dropped until authentication succeeds or the
51 .Cm LoginGraceTime
52 expires for a connection.
53-The default is 10.
54+The default is 10:30:100.
55 .Pp
56 Alternatively, random early drop can be enabled by specifying
57 the three colon separated values
diff --git a/debian/patches/series b/debian/patches/series
index cb6be9a28..efb2c5432 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
27dnssec-sshfp.patch 27dnssec-sshfp.patch
28auth-log-verbosity.patch 28auth-log-verbosity.patch
29mention-ssh-keygen-on-keychange.patch 29mention-ssh-keygen-on-keychange.patch
30max-startups-default.patch
30 31
31# Versioning 32# Versioning
32package-versioning.patch 33package-versioning.patch