From 57beeaa6b23799ef7986a16bfc81b2de84a00aa8 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Fri, 8 Feb 2013 21:07:09 +0000
Subject: CVE-2010-5107: Improve DoS resistance by changing default of
 MaxStartups to 10:30:100 (closes: #700102).

---
 debian/changelog                          |  2 ++
 debian/patches/max-startups-default.patch | 57 +++++++++++++++++++++++++++++++
 debian/patches/series                     |  1 +
 servconf.c                                |  6 ++--
 sshd_config                               |  2 +-
 sshd_config.5                             |  2 +-
 6 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 debian/patches/max-startups-default.patch

diff --git a/debian/changelog b/debian/changelog
index 0941e5d15..7128dfccf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:6.1p1-3) UNRELEASED; urgency=low
   * Give ssh and ssh-krb5 versioned dependencies on openssh-client and
     openssh-server, to try to reduce confusion when people run 'apt-get
     install ssh' or similar and expect that to upgrade everything relevant.
+  * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
+    to 10:30:100 (closes: #700102).
 
  -- Colin Watson <cjwatson@debian.org>  Wed, 19 Dec 2012 10:50:33 +0000
 
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
new file mode 100644
index 000000000..87e690bd1
--- /dev/null
+++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
+Description: Change default of MaxStartups to 10:30:100
+ This causes sshd to start doing random early drop at 10 connections up to
+ 100 connections.  This will make it harder to DoS as CPUs have come a long
+ way since the original value was set back in 2000.
+Author: Darren Tucker
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
+Bug-Debian: http://bugs.debian.org/700102
+Forwarded: not-needed
+Last-Update: 2013-02-08
+
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -264,11 +264,11 @@
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
++		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
++		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
++		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+Index: b/sshd_config
+===================================================================
+--- a/sshd_config
++++ b/sshd_config
+@@ -108,7 +108,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -781,7 +781,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
diff --git a/debian/patches/series b/debian/patches/series
index cb6be9a28..efb2c5432 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
+max-startups-default.patch
 
 # Versioning
 package-versioning.patch
diff --git a/servconf.c b/servconf.c
index 5b8c686c2..9a8822938 100644
--- a/servconf.c
+++ b/servconf.c
@@ -265,11 +265,11 @@ fill_default_server_options(ServerOptions *options)
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->max_startups == -1)
-		options->max_startups = 10;
+		options->max_startups = 100;
 	if (options->max_startups_rate == -1)
-		options->max_startups_rate = 100;		/* 100% */
+		options->max_startups_rate = 30;		/* 30% */
 	if (options->max_startups_begin == -1)
-		options->max_startups_begin = options->max_startups;
+		options->max_startups_begin = 10;
 	if (options->max_authtries == -1)
 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
 	if (options->max_sessions == -1)
diff --git a/sshd_config b/sshd_config
index 2523015de..3ea8e2efc 100644
--- a/sshd_config
+++ b/sshd_config
@@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
diff --git a/sshd_config.5 b/sshd_config.5
index 22e7edc94..de2b776fd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -812,7 +812,7 @@ SSH daemon.
 Additional connections will be dropped until authentication succeeds or the
 .Cm LoginGraceTime
 expires for a connection.
-The default is 10.
+The default is 10:30:100.
 .Pp
 Alternatively, random early drop can be enabled by specifying
 the three colon separated values
-- 
cgit v1.2.3