components/openssh/patches/009-CVE-2010-5107.patch
changeset 1612 3f2ec017627f
1611:6b7edd68c53f 1612:3f2ec017627f
       
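--- /dev/null
+++ b/components/openssh/patches/009-CVE-2010-5107.patch
@@ -0,0 +1,44 @@
+#
+# This is to fix the CVE-2010-5107 security bug.  The bug fix code came from
+# OpenSSH and is in version 6.2 of OpenSSH.  When we upgrade OpenSSH to
+# version 6.2 or later, we will remove this patch file.
+#
+--- orig/servconf.c	Wed Feb 27 16:03:18 2013
++++ new/servconf.c	Wed Feb 27 16:10:09 2013
+@@ -248,11 +248,11 @@
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
++		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
++		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
++		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+--- orig/sshd_config	Wed Feb 27 16:05:01 2013
++++ new/sshd_config	Wed Feb 27 16:11:50 2013
+@@ -104,7 +104,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ 
+--- orig/sshd_config.5	Wed Feb 27 16:04:36 2013
++++ new/sshd_config.5	Wed Feb 27 16:15:03 2013
+@@ -745,7 +745,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values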
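Review bot: The servconf.c hunk turns the compiled-in default from a hard cap of 10 unauthenticated connections into random early drop between 10 and 100 (begin 10, rate 30%, max 100), which is a visible behaviour change for sites that never set MaxStartups, yet the header comment at the top of the patch describes it only as a CVE fix. The three `== -1` guards mean an explicit `MaxStartups` line in sshd_config still wins, so only unconfigured deployments are affected; I would record that in the header, e.g. `# Changes the built-in MaxStartups default from 10 to 10:30:100 (random early drop); sites that need the old hard limit must set "MaxStartups 10" explicitly.` The header would also benefit from naming the upstream OpenSSH revision the three hunks were taken from, so the patch can be diffed against upstream before it is dropped at the 6.2 upgrade. The function enclosing the servconf.c hunk begins and ends outside the hunk.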