|
#
# This is to fix the CVE-2010-5107 security bug. The fix is taken from
# OpenSSH, where it is part of version 6.2. When we upgrade OpenSSH to
# version 6.2 or later, we will remove this patch file.
#
|
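--- orig/servconf.c Wed Feb 27 16:03:18 2013
+++ new/servconf.c Wed Feb 27 16:10:09 2013
@@ -248,11 +248,11 @@
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->max_startups == -1)
-		options->max_startups = 10;
+		options->max_startups = 100;
 	if (options->max_startups_rate == -1)
-		options->max_startups_rate = 100;	/* 100% */
+		options->max_startups_rate = 30;	/* 30% */
 	if (options->max_startups_begin == -1)
-		options->max_startups_begin = options->max_startups;
+		options->max_startups_begin = 10;
 	if (options->max_authtries == -1)
 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
 	if (options->max_sessions == -1)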
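Review bot: The three new defaults are only meaningful together, yet the hunk documents just the rate (`/* 30% */`), leaving 100 and 10 as unexplained magic numbers in separate `if` blocks. A reader has to cross-reference the sshd_config and sshd_config.5 hunks of the same patch to learn that they encode the `MaxStartups 10:30:100` random-early-drop form, and that the begin value must stay below the final max_startups for a drop probability between them to make sense. I would put one comment above the first assignment, e.g. `/* Defaults match "MaxStartups 10:30:100": random early drop begins at 10 unauthenticated connections, 30% drop probability, hard limit 100 */`, and keep the per-line comments. The enclosing function starts and ends outside the hunk, so whether anything checks the begin/max ordering for these defaults cannot be seen here.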
|
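--- orig/sshd_config Wed Feb 27 16:05:01 2013
+++ new/sshd_config Wed Feb 27 16:11:50 2013
@@ -104,7 +104,7 @@
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 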
|
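--- orig/sshd_config.5 Wed Feb 27 16:04:36 2013
+++ new/sshd_config.5 Wed Feb 27 16:15:03 2013
@@ -745,7 +745,7 @@
 Additional connections will be dropped until authentication succeeds or the
 .Cm LoginGraceTime
 expires for a connection.
-The default is 10.
+The default is 10:30:100.
 .Pp
 Alternatively, random early drop can be enabled by specifying
 the three colon separated values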