diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:02 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-12-28 20:05:06 +0000 |
commit | 46602f789c947e6af524d0b4c9774faf3dd073d0 (patch) | |
tree | 894e50a90f4d977a0c237137439328151b474209 | |
parent | 6ba1a4137b4cf1418e2b756f1abae3cc549961ea (diff) |
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14
Patch-Name: auth-log-verbosity.patch
-rw-r--r-- | auth-options.c | 35 | ||||
-rw-r--r-- | auth-options.h | 1 | ||||
-rw-r--r-- | auth2-pubkey.c | 3 |
3 files changed, 30 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c index 57b49f7fd..7eb87b352 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -59,9 +59,20 @@ int forced_tun_device = -1; | |||
59 | /* "principals=" option. */ | 59 | /* "principals=" option. */ |
60 | char *authorized_principals = NULL; | 60 | char *authorized_principals = NULL; |
61 | 61 | ||
62 | /* Throttle log messages. */ | ||
63 | int logged_from_hostip = 0; | ||
64 | int logged_cert_hostip = 0; | ||
65 | |||
62 | extern ServerOptions options; | 66 | extern ServerOptions options; |
63 | 67 | ||
64 | void | 68 | void |
69 | auth_start_parse_options(void) | ||
70 | { | ||
71 | logged_from_hostip = 0; | ||
72 | logged_cert_hostip = 0; | ||
73 | } | ||
74 | |||
75 | void | ||
65 | auth_clear_options(void) | 76 | auth_clear_options(void) |
66 | { | 77 | { |
67 | no_agent_forwarding_flag = 0; | 78 | no_agent_forwarding_flag = 0; |
@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
316 | /* FALLTHROUGH */ | 327 | /* FALLTHROUGH */ |
317 | case 0: | 328 | case 0: |
318 | free(patterns); | 329 | free(patterns); |
319 | logit("Authentication tried for %.100s with " | 330 | if (!logged_from_hostip) { |
320 | "correct key but not from a permitted " | 331 | logit("Authentication tried for %.100s with " |
321 | "host (host=%.200s, ip=%.200s).", | 332 | "correct key but not from a permitted " |
322 | pw->pw_name, remote_host, remote_ip); | 333 | "host (host=%.200s, ip=%.200s).", |
334 | pw->pw_name, remote_host, remote_ip); | ||
335 | logged_from_hostip = 1; | ||
336 | } | ||
323 | auth_debug_add("Your host '%.200s' is not " | 337 | auth_debug_add("Your host '%.200s' is not " |
324 | "permitted to use this key for login.", | 338 | "permitted to use this key for login.", |
325 | remote_host); | 339 | remote_host); |
@@ -543,11 +557,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
543 | break; | 557 | break; |
544 | case 0: | 558 | case 0: |
545 | /* no match */ | 559 | /* no match */ |
546 | logit("Authentication tried for %.100s " | 560 | if (!logged_cert_hostip) { |
547 | "with valid certificate but not " | 561 | logit("Authentication tried for %.100s " |
548 | "from a permitted host " | 562 | "with valid certificate but not " |
549 | "(ip=%.200s).", pw->pw_name, | 563 | "from a permitted host " |
550 | remote_ip); | 564 | "(ip=%.200s).", pw->pw_name, |
565 | remote_ip); | ||
566 | logged_cert_hostip = 1; | ||
567 | } | ||
551 | auth_debug_add("Your address '%.200s' " | 568 | auth_debug_add("Your address '%.200s' " |
552 | "is not permitted to use this " | 569 | "is not permitted to use this " |
553 | "certificate for login.", | 570 | "certificate for login.", |
diff --git a/auth-options.h b/auth-options.h index 52cbb42aa..823552761 100644 --- a/auth-options.h +++ b/auth-options.h | |||
@@ -33,6 +33,7 @@ extern int forced_tun_device; | |||
33 | extern int key_is_cert_authority; | 33 | extern int key_is_cert_authority; |
34 | extern char *authorized_principals; | 34 | extern char *authorized_principals; |
35 | 35 | ||
36 | void auth_start_parse_options(void); | ||
36 | int auth_parse_options(struct passwd *, char *, char *, u_long); | 37 | int auth_parse_options(struct passwd *, char *, char *, u_long); |
37 | void auth_clear_options(void); | 38 | void auth_clear_options(void); |
38 | int auth_cert_options(struct sshkey *, struct passwd *, const char **); | 39 | int auth_cert_options(struct sshkey *, struct passwd *, const char **); |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 20f3309e1..add77136e 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, | |||
566 | u_long linenum = 0; | 566 | u_long linenum = 0; |
567 | u_int i; | 567 | u_int i; |
568 | 568 | ||
569 | auth_start_parse_options(); | ||
569 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 570 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
570 | /* Skip leading whitespace. */ | 571 | /* Skip leading whitespace. */ |
571 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | 572 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
@@ -764,6 +765,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) | |||
764 | found_key = 0; | 765 | found_key = 0; |
765 | 766 | ||
766 | found = NULL; | 767 | found = NULL; |
768 | auth_start_parse_options(); | ||
767 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 769 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
768 | char *cp, *key_options = NULL, *fp = NULL; | 770 | char *cp, *key_options = NULL, *fp = NULL; |
769 | const char *reason = NULL; | 771 | const char *reason = NULL; |
@@ -911,6 +913,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
911 | if (key_cert_check_authority(key, 0, 1, | 913 | if (key_cert_check_authority(key, 0, 1, |
912 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) | 914 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) |
913 | goto fail_reason; | 915 | goto fail_reason; |
916 | auth_start_parse_options(); | ||
914 | if (auth_cert_options(key, pw, &reason) != 0) | 917 | if (auth_cert_options(key, pw, &reason) != 0) |
915 | goto fail_reason; | 918 | goto fail_reason; |
916 | 919 | ||