In the meantime (while things are being worked and decided on on the

OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources.  In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
   So here we are, rate-limiting.  The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
   More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least.  This is, essentially, a
stopgap solution;  however, it is a properly implemented and documented
one, and has an easily modifiable framework.

5 files changed, 328 insertions, 22 deletions

diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 9459fcb..a30fbd5 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -118,9 +118,9 @@ do-extract:
 	@${CP} ${FILESDIR}/pam_ssh.c ${WRKSRC}/pam_ssh/
 
 post-patch:
-	@${PERL} -pi.orig -e 's:__PREFIX__:${PREFIX}:g' ${WRKSRC}/ssh.h \
+	@${PERL} -pi -e 's:__PREFIX__:${PREFIX}:g' ${WRKSRC}/ssh.h \
 		${WRKSRC}/sshd_config ${WRKSRC}/pam_ssh/pam_ssh.c
-	@${PERL} -pi.openssl -e \
+	@${PERL} -pi -e \
 	    's:^(\s*#\s*include\s+<)ssl(/\w+\.h>\s*)$$:$$1openssl$$2:g' \
 	    ${WRKSRC}/*.[ch]
 
diff --git a/security/openssh/files/patch-an b/security/openssh/files/patch-an
index 9110383..c102d36 100644
--- a/security/openssh/files/patch-an
+++ b/security/openssh/files/patch-an
@@ -1,6 +1,14 @@
 --- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.c	Sun Nov 28 16:50:26 1999
-+++ sshd.c	Sun Nov 28 17:22:27 1999
-@@ -32,6 +32,16 @@
++++ sshd.c	Mon Dec  6 00:54:51 1999
+@@ -24,6 +24,7 @@
+ #include "servconf.h"
+ #include "uidswap.h"
+ #include "compat.h"
++#include <time.h>
+ 
+ #ifdef LIBWRAP
+ #include <tcpd.h>
+@@ -32,6 +33,16 @@
  int deny_severity = LOG_WARNING;
  #endif /* LIBWRAP */
  
@@ -17,7 +25,108 @@
  #ifndef O_NOCTTY
  #define O_NOCTTY	0
  #endif
-@@ -1048,6 +1058,14 @@
+@@ -118,6 +129,32 @@
+    the private key. */
+ RSA *public_key;
+ 
++/* These are used to implement connections_per_period. */
++struct magic_connection {
++		struct timeval connections_begin;
++		unsigned int connections_this_period;
++} *magic_connections;
++/* Magic number, too!  TODO: this doesn't have to be static. */
++const size_t MAGIC_CONNECTIONS_SIZE = 1;
++
++static __inline int
++magic_hash(struct sockaddr_in *sin) {
++
++	return 0;
++}
++
++static __inline struct timeval
++timevaldiff(struct timeval *tv1, struct timeval *tv2) {
++	struct timeval diff;
++	int carry;
++
++	carry = tv1->tv_usec > tv2->tv_usec;
++	diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1);
++	diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0);
++
++	return diff;
++}
++
+ /* Prototypes for various functions defined later in this file. */
+ void do_connection();
+ void do_authentication(char *user);
+@@ -278,6 +315,7 @@
+ 	extern char *optarg;
+ 	extern int optind;
+ 	int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1;
++	int connections_per_period_exceeded = 0;
+ 	int remote_major, remote_minor;
+ 	int silentrsa = 0;
+ 	struct sockaddr_in sin;
+@@ -542,6 +580,12 @@
+ 		/* Arrange SIGCHLD to be caught. */
+ 		signal(SIGCHLD, main_sigchld_handler);
+ 
++		/* Initialize the magic_connections table.  It's magical! */
++		magic_connections = calloc(MAGIC_CONNECTIONS_SIZE,
++		    sizeof(struct magic_connection));
++		if (magic_connections == NULL)
++			fatal("calloc: %s", strerror(errno));
++
+ 		/*
+ 		 * Stay listening for connections until the system crashes or
+ 		 * the daemon is killed with a signal.
+@@ -560,9 +604,31 @@
+ 				error("accept: %.100s", strerror(errno));
+ 				continue;
+ 			}
++			if (options.connections_per_period != 0) {
++				struct timeval diff, connections_end;
++				struct magic_connection *mc;
++
++				(void)gettimeofday(&connections_end, NULL);
++				mc = &magic_connections[magic_hash(&sin)];
++				diff = timevaldiff(&mc->connections_begin, &connections_end);
++				if (diff.tv_sec >= options.connections_period) {
++					/*
++					 * Slide the window forward only after completely
++					 * leaving it.
++					 */
++					mc->connections_begin = connections_end;
++					mc->connections_this_period = 1;
++				} else {
++					if (++mc->connections_this_period >
++					    options.connections_per_period)
++						connections_per_period_exceeded = 1;
++				}
++			}
++					
+ 			/*
+-			 * Got connection.  Fork a child to handle it, unless
+-			 * we are in debugging mode.
++			 * Got connection.  Fork a child to handle it unless
++			 * we are in debugging mode or the maximum number of
++			 * connections per period has been exceeded.
+ 			 */
+ 			if (debug_flag) {
+ 				/*
+@@ -576,6 +642,12 @@
+ 				sock_out = newsock;
+ 				pid = getpid();
+ 				break;
++			} else if (connections_per_period_exceeded) {
++				log("Connection rate limit of %u/%us has been exceeded; "
++				    "dropping connection from %s.",
++				    options.connections_per_period, options.connections_period,
++				    inet_ntoa(sin.sin_addr));
++				connections_per_period_exceeded = 0;
+ 			} else {
+ 				/*
+ 				 * Normal production daemon.  Fork, and have
+@@ -1048,6 +1120,14 @@
  				return 0;
  		}
  	}
@@ -32,7 +141,7 @@
  	/* We found no reason not to let this user try to log on... */
  	return 1;
  }
-@@ -1083,6 +1101,9 @@
+@@ -1083,6 +1163,9 @@
  	pwcopy.pw_gid = pw->pw_gid;
  	pwcopy.pw_dir = xstrdup(pw->pw_dir);
  	pwcopy.pw_shell = xstrdup(pw->pw_shell);
@@ -42,7 +151,7 @@
  	pw = &pwcopy;
  
  	/*
-@@ -1871,6 +1892,10 @@
+@@ -1871,6 +1954,10 @@
  	struct sockaddr_in from;
  	int fromlen;
  	struct pty_cleanup_context cleanup_context;
@@ -53,7 +162,7 @@
  
  	/* Get remote host name. */
  	hostname = get_canonical_hostname();
-@@ -1935,6 +1960,12 @@
+@@ -1935,6 +2022,12 @@
  		/* Check if .hushlogin exists. */
  		snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);
  		quiet_login = stat(line, &st) >= 0;
@@ -66,7 +175,7 @@
  
  		/*
  		 * If the user has logged in before, display the time of last
-@@ -1958,6 +1989,20 @@
+@@ -1958,6 +2051,20 @@
  			else
  				printf("Last login: %s from %s\r\n", time_string, buf);
  		}
@@ -87,7 +196,7 @@
  		/*
  		 * Print /etc/motd unless a command was specified or printing
  		 * it was disabled in server options or login(1) will be
-@@ -1966,14 +2011,22 @@
+@@ -1966,14 +2073,22 @@
  		 */
  		if (command == NULL && options.print_motd && !quiet_login &&
  		    !options.use_login) {
@@ -111,7 +220,17 @@
  		/* Do common processing for the child, such as execing the command. */
  		do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
  		/* NOTREACHED */
-@@ -2117,15 +2170,34 @@
+@@ -2109,7 +2224,8 @@
+ 	 const char *display, const char *auth_proto,
+ 	 const char *auth_data, const char *ttyname)
+ {
+-	const char *shell, *cp = NULL;
++	char *shell;
++	const char *cp = NULL;
+ 	char buf[256];
+ 	FILE *f;
+ 	unsigned int envsize, i;
+@@ -2117,15 +2233,34 @@
  	extern char **environ;
  	struct stat st;
  	char *argv[10];
@@ -151,7 +270,7 @@
  	}
  	/* Set login name in the kernel. */
  	if (setlogin(pw->pw_name) < 0)
-@@ -2135,6 +2207,13 @@
+@@ -2135,6 +2270,13 @@
  	/* Login(1) does this as well, and it needs uid 0 for the "-h"
  	   switch, so we let login(1) to this for us. */
  	if (!options.use_login) {
@@ -165,7 +284,7 @@
  		if (getuid() == 0 || geteuid() == 0) {
  			if (setgid(pw->pw_gid) < 0) {
  				perror("setgid");
-@@ -2157,7 +2236,14 @@
+@@ -2157,7 +2299,14 @@
  	 * Get the shell from the password data.  An empty shell field is
  	 * legal, and means /bin/sh.
  	 */
@@ -180,7 +299,7 @@
  
  #ifdef AFS
  	/* Try to get AFS tokens for the local cell. */
-@@ -2181,7 +2267,12 @@
+@@ -2181,7 +2330,12 @@
  		child_set_env(&env, &envsize, "USER", pw->pw_name);
  		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
  		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -193,7 +312,7 @@
  
  		snprintf(buf, sizeof buf, "%.200s/%.50s",
  			 _PATH_MAILDIR, pw->pw_name);
-@@ -2271,6 +2362,9 @@
+@@ -2271,6 +2425,9 @@
  	 */
  	endpwent();
  	endhostent();
@@ -203,7 +322,7 @@
  
  	/*
  	 * Close any extra open file descriptors so that we don\'t have them
-@@ -2278,7 +2372,7 @@
+@@ -2278,7 +2435,7 @@
  	 * initgroups, because at least on Solaris 2.3 it leaves file
  	 * descriptors open.
  	 */
@@ -212,7 +331,7 @@
  		close(i);
  
  	/* Change current directory to the user\'s home directory. */
-@@ -2297,6 +2391,26 @@
+@@ -2297,6 +2454,26 @@
  	 * in this order).
  	 */
  	if (!options.use_login) {
diff --git a/security/openssh/files/patch-ao b/security/openssh/files/patch-ao
index 3e8278e..7ca746e 100644
--- a/security/openssh/files/patch-ao
+++ b/security/openssh/files/patch-ao
@@ -1,6 +1,6 @@
 --- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd_config	Thu Nov 11 17:58:39 1999
-+++ ./sshd_config	Tue Nov 23 19:31:58 1999
-@@ -3,11 +3,11 @@
++++ sshd_config	Sun Dec  5 13:37:20 1999
+@@ -2,12 +2,13 @@
  
  Port 22
  ListenAddress 0.0.0.0
@@ -8,10 +8,13 @@
 +HostKey __PREFIX__/etc/ssh_host_key
  ServerKeyBits 768
 -LoginGraceTime 600
-+LoginGraceTime 30
++LoginGraceTime 60
  KeyRegenerationInterval 3600
 -PermitRootLogin yes
-+PermitRootLogin no 
- #
+-#
++PermitRootLogin no
++# Rate-limit sshd connections to 5 connections per 10 seconds
++ConnectionsPerPeriod 5/10
  # Don't read ~/.rhosts and ~/.shosts files
  IgnoreRhosts yes
+ # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
diff --git a/security/openssh/files/patch-ap b/security/openssh/files/patch-ap
new file mode 100644
index 0000000..101b456
--- /dev/null
+++ b/security/openssh/files/patch-ap
@@ -0,0 +1,138 @@
+--- servconf.c.orig	Sun Dec  5 01:48:12 1999
++++ servconf.c	Sun Dec  5 01:57:57 1999
+@@ -63,6 +63,8 @@
+ 	options->num_deny_users = 0;
+ 	options->num_allow_groups = 0;
+ 	options->num_deny_groups = 0;
++	options->connections_per_period = 0;
++	options->connections_period = 0;
+ }
+ 
+ void 
+@@ -161,7 +163,7 @@
+ 	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
+ 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
+ 	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+-	sIgnoreUserKnownHosts
++	sIgnoreUserKnownHosts, sConnectionsPerPeriod
+ } ServerOpCodes;
+ 
+ /* Textual representation of the tokens. */
+@@ -209,6 +211,7 @@
+ 	{ "denyusers", sDenyUsers },
+ 	{ "allowgroups", sAllowGroups },
+ 	{ "denygroups", sDenyGroups },
++	{ "connectionsperperiod", sConnectionsPerPeriod },
+ 	{ NULL, 0 }
+ };
+ 
+@@ -270,7 +273,11 @@
+ 					filename, linenum);
+ 				exit(1);
+ 			}
+-			value = atoi(cp);
++			if (sscanf(cp, " %d ", &value) != 1) {
++				fprintf(stderr, "%s line %d: invalid integer value.\n",
++					filename, linenum);
++				exit(1);
++			}
+ 			if (*intptr == -1)
+ 				*intptr = value;
+ 			break;
+@@ -466,63 +473,65 @@
+ 
+ 		case sAllowUsers:
+ 			while ((cp = strtok(NULL, WHITESPACE))) {
+-				if (options->num_allow_users >= MAX_ALLOW_USERS) {
+-					fprintf(stderr, "%s line %d: too many allow users.\n",
+-						filename, linenum);
+-					exit(1);
+-				}
++				if (options->num_allow_users >= MAX_ALLOW_USERS)
++					fatal("%.200s line %d: too many allow users.\n", filename,
++					    linenum);
+ 				options->allow_users[options->num_allow_users++] = xstrdup(cp);
+ 			}
+ 			break;
+ 
+ 		case sDenyUsers:
+ 			while ((cp = strtok(NULL, WHITESPACE))) {
+-				if (options->num_deny_users >= MAX_DENY_USERS) {
+-					fprintf(stderr, "%s line %d: too many deny users.\n",
+-						filename, linenum);
+-					exit(1);
+-				}
++				if (options->num_deny_users >= MAX_DENY_USERS)
++					fatal("%.200s line %d: too many deny users.\n", filename,
++					    linenum);
+ 				options->deny_users[options->num_deny_users++] = xstrdup(cp);
+ 			}
+ 			break;
+ 
+ 		case sAllowGroups:
+ 			while ((cp = strtok(NULL, WHITESPACE))) {
+-				if (options->num_allow_groups >= MAX_ALLOW_GROUPS) {
+-					fprintf(stderr, "%s line %d: too many allow groups.\n",
+-						filename, linenum);
+-					exit(1);
+-				}
++				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
++					fatal("%.200s line %d: too many allow groups.\n", filename,
++					    linenum);
+ 				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
+ 			}
+ 			break;
+ 
+ 		case sDenyGroups:
+ 			while ((cp = strtok(NULL, WHITESPACE))) {
+-				if (options->num_deny_groups >= MAX_DENY_GROUPS) {
+-					fprintf(stderr, "%s line %d: too many deny groups.\n",
+-						filename, linenum);
+-					exit(1);
+-				}
++				if (options->num_deny_groups >= MAX_DENY_GROUPS)
++					fatal("%.200s line %d: too many deny groups.\n", filename,
++					    linenum);
+ 				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
+ 			}
+ 			break;
+ 
++		case sConnectionsPerPeriod:
++			cp = strtok(NULL, WHITESPACE);
++			if (cp == NULL)
++				fatal("%.200s line %d: missing (>= 0) number argument.\n",
++					filename, linenum);
++			if (sscanf(cp, " %u/%u ", &options->connections_per_period,
++			    &options->connections_period) != 2)
++				fatal("%.200s line %d: invalid numerical argument(s).\n",
++				    filename, linenum);
++			if (options->connections_per_period != 0 &&
++			    options->connections_period == 0)
++				fatal("%.200s line %d: invalid connections period.\n",
++				    filename, linenum);
++			break;
++
+ 		default:
+-			fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
++			fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
+ 				filename, linenum, cp, opcode);
+-			exit(1);
+-		}
+-		if (strtok(NULL, WHITESPACE) != NULL) {
+-			fprintf(stderr, "%s line %d: garbage at end of line.\n",
+-				filename, linenum);
+-			exit(1);
+ 		}
++		if (strtok(NULL, WHITESPACE) != NULL)
++			fatal("%.200s line %d: garbage at end of line.\n", filename,
++			    linenum);
+ 	}
+ 	fclose(f);
+-	if (bad_options > 0) {
+-		fprintf(stderr, "%s: terminating, %d bad configuration options\n",
++	if (bad_options > 0)
++		fatal("%.200s: terminating, %d bad configuration options\n",
+ 			filename, bad_options);
+-		exit(1);
+-	}
+ }
diff --git a/security/openssh/files/patch-ar b/security/openssh/files/patch-ar
new file mode 100644
index 0000000..2795e96
--- /dev/null
+++ b/security/openssh/files/patch-ar
@@ -0,0 +1,46 @@
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.8	Tue Nov 23 18:58:38 1999
++++ sshd.8	Sun Dec  5 22:59:58 1999
+@@ -220,6 +220,31 @@
+ should check for new mail for interactive logins.
+ The default is
+ .Dq no .
++.It Cm ConnectionsPerPeriod
++This keyword allows for rate-limiting of connections, and
++is followed by two numbers in the format
++.Dq n/s ,
++where
++.Ar n
++is the number of connections from a certain address group
++accepted per period of
++.Ar s
++seconds.  Any connection after the number
++.Ar n
++connection in the period of
++.Ar s
++seconds will be dropped, and an informational message will be logged.
++A connection will belong to a certain group, of which there are 13
++by default, according to its IP address.
++The default for this keyword is
++.Dq 0/0 ,
++and rate-limiting can be explicitly turned off by using an
++.Ar n
++parameter of
++.Ql 0
++and any
++.Ar s
++parameter.
+ .It Cm DenyGroups
+ This keyword can be followed by a number of group names, separated
+ by spaces.  Users whose primary group matches one of the patterns
+@@ -453,8 +478,9 @@
+ If the login is on a tty, records login time.
+ .It
+ Checks
+-.Pa /etc/nologin ;
+-if it exists, prints contents and quits
++.Pa /etc/nologin and
++.Pa /var/run/nologin ;
++if one exists, it prints the contents and quits
+ (unless root).
+ .It
+ Changes to run with normal user privileges.