Пакет: openssh
Патч: openssh-3.6.1p1-alt-defaults.patch
diff -uprk.orig openssh-3.6.1p1.orig/myproposal.h openssh-3.6.1p1/myproposal.h
--- openssh-3.6.1p1.orig/myproposal.h 2002-04-05 02:10:39 +0400
+++ openssh-3.6.1p1/myproposal.h 2003-04-11 19:52:23 +0400
@@ -26,7 +26,7 @@
#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
#define KEX_DEFAULT_ENCRYPT \
- "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
+ "blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
#define KEX_DEFAULT_MAC \
"hmac-md5,hmac-sha1,hmac-ripemd160," \
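Review bot: Moving `blowfish-cbc` ahead of `aes128-cbc` in KEX_DEFAULT_ENCRYPT makes a 64-bit-block cipher the first choice for every protocol 2 session that does not set Ciphers explicitly. In CBC mode a 64-bit block reaches its birthday bound far sooner than AES's 128-bit block, so long-lived or high-volume sessions are the ones weakened. If the motivation is throughput, I would keep AES first, `"aes128-cbc,blowfish-cbc,3des-cbc,cast128-cbc,arcfour," \`, and record the reason in a comment above the macro. The same ordering is repeated in the ssh_config, ssh_config.5 and sshd_config.5 hunks of this patch, which would need to follow.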
diff -uprk.orig openssh-3.6.1p1.orig/readconf.c openssh-3.6.1p1/readconf.c
--- openssh-3.6.1p1.orig/readconf.c 2003-04-11 19:52:08 +0400
+++ openssh-3.6.1p1/readconf.c 2003-04-11 19:52:23 +0400
@@ -75,11 +75,11 @@ RCSID("$OpenBSD: readconf.c,v 1.104 2003
Host *
ForwardAgent no
ForwardX11 no
- RhostsAuthentication yes
+ RhostsAuthentication no
PasswordAuthentication yes
RSAAuthentication yes
- RhostsRSAAuthentication yes
- StrictHostKeyChecking yes
+ RhostsRSAAuthentication no
+ StrictHostKeyChecking ask
KeepAlives no
TransmitInterlude 0
IdentityFile ~/.ssh/identity
diff -uprk.orig openssh-3.6.1p1.orig/servconf.c openssh-3.6.1p1/servconf.c
--- openssh-3.6.1p1.orig/servconf.c 2003-04-11 19:52:08 +0400
+++ openssh-3.6.1p1/servconf.c 2003-04-11 22:58:32 +0400
@@ -168,17 +168,17 @@ fill_default_server_options(ServerOption
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_YES;
+ options->permit_root_login = PERMIT_NO;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
- options->ignore_user_known_hosts = 0;
+ options->ignore_user_known_hosts = 1;
if (options->print_motd == -1)
options->print_motd = 1;
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
- options->x11_forwarding = 0;
+ options->x11_forwarding = 1;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
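Review bot: The new `options->x11_forwarding = 1;` default loosens the server, while the other two changes in this hunk tighten it (root login off, per-user known_hosts ignored). The sshd_config.5 text touched later in this patch warns that enabling X11 forwarding brings additional exposure to the server and to client displays. A server that never set X11Forwarding would start honouring forwarding requests after the upgrade. I would keep `options->x11_forwarding = 0;` and let administrators opt in, or at least add a comment saying why the distribution default differs from upstream. fill_default_server_options begins and ends outside the hunk.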
@@ -226,7 +226,7 @@ fill_default_server_options(ServerOption
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
- options->challenge_response_authentication = 1;
+ options->challenge_response_authentication = 0;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
if (options->permit_user_env == -1)
@@ -240,11 +240,11 @@ fill_default_server_options(ServerOption
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->max_startups == -1)
- options->max_startups = 10;
+ options->max_startups = 20;
if (options->max_startups_rate == -1)
- options->max_startups_rate = 100; /* 100% */
+ options->max_startups_rate = 30; /* 30% */
if (options->max_startups_begin == -1)
- options->max_startups_begin = options->max_startups;
+ options->max_startups_begin = options->max_startups / 2;
if (options->use_dns == -1)
options->verify_reverse_mapping = 1;
if (options->client_alive_interval == -1)
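Review bot: The new MaxStartups defaults (`20`, `30`, `max_startups / 2`) and the ChallengeResponseAuthentication default in the previous hunk do not seem to be mirrored in sshd_config.5. The man-page hunks in this patch appear to cover only Ciphers, IgnoreUserKnownHosts, PermitRootLogin and X11Forwarding, so as far as this patch shows the manual would still describe the old values. A comment here such as `/* begin:rate:full = 10:30:20; random early drop starts at half the limit */` would also tie the three numbers to the `#MaxStartups 10:30:20` line in sshd_config. Separately, the context lines at the end test `options->use_dns` but assign `options->verify_reverse_mapping`. That looks like a leftover from an earlier patch and is worth confirming, since it would overwrite an explicit setting if both fields exist. The function continues outside the hunk.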
diff -uprk.orig openssh-3.6.1p1.orig/ssh.1 openssh-3.6.1p1/ssh.1
--- openssh-3.6.1p1.orig/ssh.1 2003-04-01 15:42:14 +0400
+++ openssh-3.6.1p1/ssh.1 2003-04-11 19:52:23 +0400
@@ -419,7 +419,7 @@ Specify the interface to transmit from o
interfaces or aliased addresses.
.It Fl c Ar blowfish|3des|des
Selects the cipher to use for encrypting the session.
-.Ar 3des
+.Ar blowfish
is used by default.
It is believed to be secure.
.Ar 3des
diff -uprk.orig openssh-3.6.1p1.orig/ssh_config openssh-3.6.1p1/ssh_config
--- openssh-3.6.1p1.orig/ssh_config 2003-04-11 19:52:08 +0400
+++ openssh-3.6.1p1/ssh_config 2003-04-11 19:52:23 +0400
@@ -26,12 +26,13 @@
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
+# KeepAlive yes
# TransmitInterlude 0
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+# Cipher blowfish
+# Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
diff -uprk.orig openssh-3.6.1p1.orig/ssh_config.5 openssh-3.6.1p1/ssh_config.5
--- openssh-3.6.1p1.orig/ssh_config.5 2003-04-11 19:52:08 +0400
+++ openssh-3.6.1p1/ssh_config.5 2003-04-11 19:52:23 +0400
@@ -179,7 +179,7 @@ that do not support the
cipher.
Its use is strongly discouraged due to cryptographic weaknesses.
The default is
-.Dq 3des .
+.Dq blowfish .
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2
in order of preference.
@@ -187,7 +187,7 @@ Multiple ciphers must be comma-separated
The default is
.Pp
.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+ ``blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc''
.Ed
.It Cm ClearAllForwardings
diff -uprk.orig openssh-3.6.1p1.orig/sshconnect1.c openssh-3.6.1p1/sshconnect1.c
--- openssh-3.6.1p1.orig/sshconnect1.c 2002-08-20 22:41:16 +0400
+++ openssh-3.6.1p1/sshconnect1.c 2003-04-11 19:52:23 +0400
@@ -957,7 +957,7 @@ ssh_kex(char *host, struct sockaddr *hos
BIGNUM *key;
Key *host_key, *server_key;
int bits, rbits;
- int ssh_cipher_default = SSH_CIPHER_3DES;
+ int ssh_cipher_default = SSH_CIPHER_BLOWFISH;
u_char session_key[SSH_SESSION_KEY_LENGTH];
u_char cookie[8];
u_int supported_ciphers;
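Review bot: With `int ssh_cipher_default = SSH_CIPHER_BLOWFISH;`, what happens when the server's `supported_ciphers` mask lacks Blowfish is decided outside this hunk and should be checked. 3DES is the one cipher every protocol 1 implementation is required to offer, so the old default could not miss, whereas Blowfish is optional. If the selection code only tests the default against the mask, I would add a fallback before it is used, for example `if (!(supported_ciphers & (1 << ssh_cipher_default))) ssh_cipher_default = SSH_CIPHER_3DES;`. ssh_kex continues beyond the hunk, so this is inferred from the declarations shown.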
diff -uprk.orig openssh-3.6.1p1.orig/sshd.c openssh-3.6.1p1/sshd.c
--- openssh-3.6.1p1.orig/sshd.c 2003-04-11 19:52:08 +0400
+++ openssh-3.6.1p1/sshd.c 2003-04-11 19:52:23 +0400
@@ -786,6 +786,7 @@ usage(void)
fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");
fprintf(stderr, " -i Started from inetd\n");
fprintf(stderr, " -D Do not fork into daemon mode\n");
+ fprintf(stderr, " -e Send output to standard error\n");
fprintf(stderr, " -t Only test configuration file and keys\n");
fprintf(stderr, " -q Quiet (no logging)\n");
fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
diff -uprk.orig openssh-3.6.1p1.orig/sshd_config openssh-3.6.1p1/sshd_config
--- openssh-3.6.1p1.orig/sshd_config 2002-09-27 07:21:58 +0400
+++ openssh-3.6.1p1/sshd_config 2003-04-11 23:12:49 +0400
@@ -33,11 +33,12 @@
# Authentication:
#LoginGraceTime 120
-#PermitRootLogin yes
+#PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
+#AuthorizedKeysSystemFile /etc/openssh/authorized_keys/%u
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
@@ -46,18 +47,18 @@
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
-# similar for protocol version 2
+# Similar to RhostsRSAAuthentication, for protocol version 2
#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
+# Change to no if you trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
+#IgnoreUserKnownHosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+# Change to yes to enable s/key passwords
+#ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
@@ -73,7 +74,7 @@
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
-#X11Forwarding no
+#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
@@ -84,10 +85,10 @@
#PermitUserEnvironment no
#Compression yes
-#MaxStartups 10
-# no default banner path
-#Banner /some/path
+#MaxStartups 10:30:20
+# There's no default banner path
+#Banner /etc/issue.net
#UseDNS yes
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+# Uncomment this if you want to enable sftp
+#Subsystem sftp /usr/lib/openssh/sftp-server
diff -uprk.orig openssh-3.6.1p1.orig/sshd_config.5 openssh-3.6.1p1/sshd_config.5
--- openssh-3.6.1p1.orig/sshd_config.5 2003-04-11 19:52:08 +0400
+++ openssh-3.6.1p1/sshd_config.5 2003-04-11 23:18:00 +0400
@@ -154,7 +154,7 @@ Multiple ciphers must be comma-separated
The default is
.Pp
.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+ ``blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc''
.Ed
.It Cm ClientAliveInterval
@@ -297,7 +297,7 @@ during
or
.Cm HostbasedAuthentication .
The default is
-.Dq no .
+.Dq yes .
.It Cm KeepAlive
Specifies whether the system should send TCP keepalive messages to the
other side.
@@ -464,7 +464,7 @@ The argument must be
or
.Dq no .
The default is
-.Dq yes .
+.Dq no .
.Pp
If this option is set to
.Dq without-password
@@ -655,7 +655,7 @@ The argument must be
or
.Dq no .
The default is
-.Dq no .
+.Dq yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
diff -uprk.orig openssh-3.6.1p1.orig/ssh-keygen.1 openssh-3.6.1p1/ssh-keygen.1
--- openssh-3.6.1p1.orig/ssh-keygen.1 2003-04-01 15:42:14 +0400
+++ openssh-3.6.1p1/ssh-keygen.1 2003-04-11 22:11:18 +0400
@@ -149,8 +149,8 @@ The options are as follows:
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
-Generally, 1024 bits is considered sufficient.
-The default is 1024 bits.
+Generally, 2048 bits is considered sufficient.
+The default is 2048 bits.
.It Fl c
Requests changing the comment in the private and public key files.
This operation is only supported for RSA1 keys.
diff -uprk.orig openssh-3.6.1p1.orig/ssh-keygen.c openssh-3.6.1p1/ssh-keygen.c
--- openssh-3.6.1p1.orig/ssh-keygen.c 2002-12-23 05:11:03 +0300
+++ openssh-3.6.1p1/ssh-keygen.c 2003-04-11 19:53:55 +0400
@@ -33,7 +33,7 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.102 20
#endif
/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
-int bits = 1024;
+int bits = 2048;
/*
* Flag indicating that we just want to change the passphrase. This can be
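Review bot: `int bits = 2048;` is shared by both key types according to the comment above it ("RSA/DSA key"), so the new default presumably also applies when a DSA key is requested. DSA as standardised at the time is limited to 1024-bit parameters, and peers may reject larger DSA keys, so raising the shared default can yield keys that do not interoperate. I would choose the default per key type once the type is known, or at least state the scope in the comment: `/* Default key size; applies to RSA and DSA alike unless -b is given. */`. The code that consumes `bits` is outside this hunk.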