author | Rich Burridge <rich.burridge@oracle.com> |
Thu, 27 Mar 2014 12:02:39 -0700 | |
changeset 1795 | a93a51a16131 |
parent 1612 | 3f2ec017627f |
permissions | -rw-r--r-- |
# |
# This is to fix the CVE-2010-5107 security bug. The bug fix code came from |
# OpenSSH and is in version 6.2 of OpenSSH. When we upgrade OpenSSH to |
# version 6.2 or later, we will remove this patch file. |
# |
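--- a/servconf.c
+++ b/servconf.c
@@ -248,11 +248,11 @@
 if (options->gateway_ports == -1)
 options->gateway_ports = 0;
 if (options->max_startups == -1)
- options->max_startups = 10;
+ options->max_startups = 100;
 if (options->max_startups_rate == -1)
- options->max_startups_rate = 100; /* 100% */
+ options->max_startups_rate = 30; /* 30% */
 if (options->max_startups_begin == -1)
- options->max_startups_begin = options->max_startups;
+ options->max_startups_begin = 10;
 if (options->max_authtries == -1)
 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
 if (options->max_sessions == -1)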
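Review bot: The new values in the three `max_startups*` assignments apply only where the field is still -1, so a host whose sshd_config sets `MaxStartups` explicitly (for example the old single value `10`) keeps a hard limit with no random early drop and stays exposed to the connection-slot exhaustion this patch addresses; the patch header should say so, so that admins review explicit settings. Also, `max_startups_begin` no longer derives from `max_startups`, so begin <= max now depends on the option parser setting both fields together; presumably it does, but that code is outside the hunk. I would add a comment above the three assignments such as `/* Defaults equal "MaxStartups 10:30:100": random early drop starts at 10 unauthenticated connections with 30% probability, all refused at 100 */`, so the code, the sample config and the man page can be kept in step. The enclosing function starts and ends outside the hunk.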
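--- a/sshd_config
+++ b/sshd_config
@@ -104,7 +104,7 @@
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 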
--- orig/sshd_config.5 Wed Feb 27 16:04:36 2013 |
35 |
+++ new/sshd_config.5 Wed Feb 27 16:15:03 2013 |
36 |
@@ -745,7 +745,7 @@ |
37 |
Additional connections will be dropped until authentication succeeds or the |
38 |
.Cm LoginGraceTime |
39 |
expires for a connection. |
40 |
-The default is 10. |
41 |
+The default is 10:30:100. |
42 |
.Pp |
43 |
Alternatively, random early drop can be enabled by specifying |
44 |
the three colon separated values |