From 09d3e1251250dcf45e5434cd474430e4ec5e8639 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 31 Oct 2012 08:58:58 +1100
Subject:    - djm@cvs.openbsd.org 2012/10/30 21:29:55      [auth-rsa.c auth.c
 auth.h auth2-pubkey.c servconf.c servconf.h]      [sshd.c sshd_config
 sshd_config.5]      new sshd_config option AuthorizedKeysCommand to support
 fetching      authorized_keys from a command in addition to (or instead of)
 from      the filesystem. The command is run as the target server user unless
      another specified via a new AuthorizedKeysCommandUser option.

     patch originally by jchadima AT redhat.com, reworked by me; feedback
     and ok markus@
---
 sshd_config | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'sshd_config')

diff --git a/sshd_config b/sshd_config
index 9424ee2c6..3d35bef02 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
+#	$OpenBSD: sshd_config,v 1.88 2012/10/30 21:29:55 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -51,6 +51,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 
 #AuthorizedPrincipalsFile none
 
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
-- 
cgit v1.2.3


From 1f583df8c3a7a3731a18b17e14c9ec09f31905ba Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 12 Feb 2013 11:02:08 +1100
Subject:    - dtucker@cvs.openbsd.org 2013/02/06 00:20:42      [servconf.c
 sshd_config sshd_config.5]      Change default of MaxStartups to 10:30:100 to
 start doing random early      drop at 10 connections up to 100 connections. 
 This will make it harder      to DoS as CPUs have come a long way since the
 original value was set      back in 2000.  Prompted by nion at debian org, ok
 markus@

---
 ChangeLog     | 6 ++++++
 servconf.c    | 8 ++++----
 sshd_config   | 4 ++--
 sshd_config.5 | 6 +++---
 4 files changed, 15 insertions(+), 9 deletions(-)

(limited to 'sshd_config')

diff --git a/ChangeLog b/ChangeLog
index b028fef82..2d5f1d96b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,12 @@
    - djm@cvs.openbsd.org 2013/01/27 10:06:12
      [krl.c]
      actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
+   - dtucker@cvs.openbsd.org 2013/02/06 00:20:42
+     [servconf.c sshd_config sshd_config.5]
+     Change default of MaxStartups to 10:30:100 to start doing random early
+     drop at 10 connections up to 100 connections.  This will make it harder
+     to DoS as CPUs have come a long way since the original value was set
+     back in 2000.  Prompted by nion at debian org, ok markus@
 
 20130211
  - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
diff --git a/servconf.c b/servconf.c
index 21b371c84..b2a60fd6c 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -256,11 +256,11 @@ fill_default_server_options(ServerOptions *options)
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->max_startups == -1)
-		options->max_startups = 10;
+		options->max_startups = 100;
 	if (options->max_startups_rate == -1)
-		options->max_startups_rate = 100;		/* 100% */
+		options->max_startups_rate = 30;		/* 30% */
 	if (options->max_startups_begin == -1)
-		options->max_startups_begin = options->max_startups;
+		options->max_startups_begin = 10;
 	if (options->max_authtries == -1)
 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
 	if (options->max_sessions == -1)
diff --git a/sshd_config b/sshd_config
index 3d35bef02..9cd2fddce 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.88 2012/10/30 21:29:55 djm Exp $
+#	$OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
diff --git a/sshd_config.5 b/sshd_config.5
index d2913c33f..cfa480697 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.155 2013/01/18 08:00:49 jmc Exp $
-.Dd $Mdocdate: January 18 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
+.Dd $Mdocdate: February 6 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -820,7 +820,7 @@ SSH daemon.
 Additional connections will be dropped until authentication succeeds or the
 .Cm LoginGraceTime
 expires for a connection.
-The default is 10.
+The default is 10:30:100.
 .Pp
 Alternatively, random early drop can be enabled by specifying
 the three colon separated values
-- 
cgit v1.2.3