diff -uprk.orig openssh-3.6.1p1.orig/myproposal.h openssh-3.6.1p1/myproposal.h --- openssh-3.6.1p1.orig/myproposal.h 2002-04-05 02:10:39 +0400 +++ openssh-3.6.1p1/myproposal.h 2003-04-11 19:52:23 +0400 @@ -26,7 +26,7 @@ #define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ - "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ + "blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour," \ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" #define KEX_DEFAULT_MAC \ "hmac-md5,hmac-sha1,hmac-ripemd160," \ diff -uprk.orig openssh-3.6.1p1.orig/readconf.c openssh-3.6.1p1/readconf.c --- openssh-3.6.1p1.orig/readconf.c 2003-04-11 19:52:08 +0400 +++ openssh-3.6.1p1/readconf.c 2003-04-11 19:52:23 +0400 @@ -75,11 +75,11 @@ RCSID("$OpenBSD: readconf.c,v 1.104 2003 Host * ForwardAgent no ForwardX11 no - RhostsAuthentication yes + RhostsAuthentication no PasswordAuthentication yes RSAAuthentication yes - RhostsRSAAuthentication yes - StrictHostKeyChecking yes + RhostsRSAAuthentication no + StrictHostKeyChecking ask KeepAlives no TransmitInterlude 0 IdentityFile ~/.ssh/identity diff -uprk.orig openssh-3.6.1p1.orig/servconf.c openssh-3.6.1p1/servconf.c --- openssh-3.6.1p1.orig/servconf.c 2003-04-11 19:52:08 +0400 +++ openssh-3.6.1p1/servconf.c 2003-04-11 22:58:32 +0400 @@ -168,17 +168,17 @@ fill_default_server_options(ServerOption if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) - options->permit_root_login = PERMIT_YES; + options->permit_root_login = PERMIT_NO; if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) - options->ignore_user_known_hosts = 0; + options->ignore_user_known_hosts = 1; if (options->print_motd == -1) options->print_motd = 1; if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) - options->x11_forwarding = 0; + options->x11_forwarding = 1; if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) @@ -226,7 +226,7 @@ fill_default_server_options(ServerOption if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) - options->challenge_response_authentication = 1; + options->challenge_response_authentication = 0; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->permit_user_env == -1) @@ -240,11 +240,11 @@ fill_default_server_options(ServerOption if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) - options->max_startups = 10; + options->max_startups = 20; if (options->max_startups_rate == -1) - options->max_startups_rate = 100; /* 100% */ + options->max_startups_rate = 30; /* 30% */ if (options->max_startups_begin == -1) - options->max_startups_begin = options->max_startups; + options->max_startups_begin = options->max_startups / 2; if (options->use_dns == -1) options->verify_reverse_mapping = 1; if (options->client_alive_interval == -1) diff -uprk.orig openssh-3.6.1p1.orig/ssh.1 openssh-3.6.1p1/ssh.1 --- openssh-3.6.1p1.orig/ssh.1 2003-04-01 15:42:14 +0400 +++ openssh-3.6.1p1/ssh.1 2003-04-11 19:52:23 +0400 @@ -419,7 +419,7 @@ Specify the interface to transmit from o interfaces or aliased addresses. .It Fl c Ar blowfish|3des|des Selects the cipher to use for encrypting the session. -.Ar 3des +.Ar blowfish is used by default. It is believed to be secure. .Ar 3des diff -uprk.orig openssh-3.6.1p1.orig/ssh_config openssh-3.6.1p1/ssh_config --- openssh-3.6.1p1.orig/ssh_config 2003-04-11 19:52:08 +0400 +++ openssh-3.6.1p1/ssh_config 2003-04-11 19:52:23 +0400 @@ -26,12 +26,13 @@ # BatchMode no # CheckHostIP yes # StrictHostKeyChecking ask +# KeepAlive yes # TransmitInterlude 0 # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 -# Cipher 3des -# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc +# Cipher blowfish +# Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ diff -uprk.orig openssh-3.6.1p1.orig/ssh_config.5 openssh-3.6.1p1/ssh_config.5 --- openssh-3.6.1p1.orig/ssh_config.5 2003-04-11 19:52:08 +0400 +++ openssh-3.6.1p1/ssh_config.5 2003-04-11 19:52:23 +0400 @@ -179,7 +179,7 @@ that do not support the cipher. Its use is strongly discouraged due to cryptographic weaknesses. The default is -.Dq 3des . +.Dq blowfish . .It Cm Ciphers Specifies the ciphers allowed for protocol version 2 in order of preference. @@ -187,7 +187,7 @@ Multiple ciphers must be comma-separated The default is .Pp .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + ``blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc'' .Ed .It Cm ClearAllForwardings diff -uprk.orig openssh-3.6.1p1.orig/sshconnect1.c openssh-3.6.1p1/sshconnect1.c --- openssh-3.6.1p1.orig/sshconnect1.c 2002-08-20 22:41:16 +0400 +++ openssh-3.6.1p1/sshconnect1.c 2003-04-11 19:52:23 +0400 @@ -957,7 +957,7 @@ ssh_kex(char *host, struct sockaddr *hos BIGNUM *key; Key *host_key, *server_key; int bits, rbits; - int ssh_cipher_default = SSH_CIPHER_3DES; + int ssh_cipher_default = SSH_CIPHER_BLOWFISH; u_char session_key[SSH_SESSION_KEY_LENGTH]; u_char cookie[8]; u_int supported_ciphers; diff -uprk.orig openssh-3.6.1p1.orig/sshd.c openssh-3.6.1p1/sshd.c --- openssh-3.6.1p1.orig/sshd.c 2003-04-11 19:52:08 +0400 +++ openssh-3.6.1p1/sshd.c 2003-04-11 19:52:23 +0400 @@ -786,6 +786,7 @@ usage(void) fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n"); fprintf(stderr, " -i Started from inetd\n"); fprintf(stderr, " -D Do not fork into daemon mode\n"); + fprintf(stderr, " -e Send output to standard error\n"); fprintf(stderr, " -t Only test configuration file and keys\n"); fprintf(stderr, " -q Quiet (no logging)\n"); fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); diff -uprk.orig openssh-3.6.1p1.orig/sshd_config openssh-3.6.1p1/sshd_config --- openssh-3.6.1p1.orig/sshd_config 2002-09-27 07:21:58 +0400 +++ openssh-3.6.1p1/sshd_config 2003-04-11 23:12:49 +0400 @@ -33,11 +33,12 @@ # Authentication: #LoginGraceTime 120 -#PermitRootLogin yes +#PermitRootLogin no #StrictModes yes #RSAAuthentication yes #PubkeyAuthentication yes +#AuthorizedKeysSystemFile /etc/openssh/authorized_keys/%u #AuthorizedKeysFile .ssh/authorized_keys # rhosts authentication should not be used @@ -46,18 +47,18 @@ #IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no -# similar for protocol version 2 +# Similar to RhostsRSAAuthentication, for protocol version 2 #HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for +# Change to no if you trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no +#IgnoreUserKnownHosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +# Change to yes to enable s/key passwords +#ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no @@ -73,7 +74,7 @@ # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt no -#X11Forwarding no +#X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes @@ -84,10 +85,10 @@ #PermitUserEnvironment no #Compression yes -#MaxStartups 10 -# no default banner path -#Banner /some/path +#MaxStartups 10:30:20 +# There's no default banner path +#Banner /etc/issue.net #UseDNS yes -# override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server +# Uncomment this if you want to enable sftp +#Subsystem sftp /usr/lib/openssh/sftp-server diff -uprk.orig openssh-3.6.1p1.orig/sshd_config.5 openssh-3.6.1p1/sshd_config.5 --- openssh-3.6.1p1.orig/sshd_config.5 2003-04-11 19:52:08 +0400 +++ openssh-3.6.1p1/sshd_config.5 2003-04-11 23:18:00 +0400 @@ -154,7 +154,7 @@ Multiple ciphers must be comma-separated The default is .Pp .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + ``blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc'' .Ed .It Cm ClientAliveInterval @@ -297,7 +297,7 @@ during or .Cm HostbasedAuthentication . The default is -.Dq no . +.Dq yes . .It Cm KeepAlive Specifies whether the system should send TCP keepalive messages to the other side. @@ -464,7 +464,7 @@ The argument must be or .Dq no . The default is -.Dq yes . +.Dq no . .Pp If this option is set to .Dq without-password @@ -655,7 +655,7 @@ The argument must be or .Dq no . The default is -.Dq no . +.Dq yes . .Pp When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the diff -uprk.orig openssh-3.6.1p1.orig/ssh-keygen.1 openssh-3.6.1p1/ssh-keygen.1 --- openssh-3.6.1p1.orig/ssh-keygen.1 2003-04-01 15:42:14 +0400 +++ openssh-3.6.1p1/ssh-keygen.1 2003-04-11 22:11:18 +0400 @@ -149,8 +149,8 @@ The options are as follows: .It Fl b Ar bits Specifies the number of bits in the key to create. Minimum is 512 bits. -Generally, 1024 bits is considered sufficient. -The default is 1024 bits. +Generally, 2048 bits is considered sufficient. +The default is 2048 bits. .It Fl c Requests changing the comment in the private and public key files. This operation is only supported for RSA1 keys. diff -uprk.orig openssh-3.6.1p1.orig/ssh-keygen.c openssh-3.6.1p1/ssh-keygen.c --- openssh-3.6.1p1.orig/ssh-keygen.c 2002-12-23 05:11:03 +0300 +++ openssh-3.6.1p1/ssh-keygen.c 2003-04-11 19:53:55 +0400 @@ -33,7 +33,7 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.102 20 #endif /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ -int bits = 1024; +int bits = 2048; /* * Flag indicating that we just want to change the passphrase. This can be