diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:02 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-10 02:40:16 +0000 |
commit | 493e37552aa05b38cf69b5f1bc4b717fd4a1a285 (patch) | |
tree | 55a5069fc3f592a2fc4d256af6e23303e73dc340 | |
parent | a3e8cef2bae563fe8c87cf9f32511a0808dd47eb (diff) |
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14
Patch-Name: auth-log-verbosity.patch
-rw-r--r-- | auth-options.c | 35 | ||||
-rw-r--r-- | auth-options.h | 1 | ||||
-rw-r--r-- | auth-rsa.c | 2 | ||||
-rw-r--r-- | auth2-pubkey.c | 3 |
4 files changed, 32 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c index fa209eaab..df6133037 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -54,9 +54,20 @@ int forced_tun_device = -1; | |||
54 | /* "principals=" option. */ | 54 | /* "principals=" option. */ |
55 | char *authorized_principals = NULL; | 55 | char *authorized_principals = NULL; |
56 | 56 | ||
57 | /* Throttle log messages. */ | ||
58 | int logged_from_hostip = 0; | ||
59 | int logged_cert_hostip = 0; | ||
60 | |||
57 | extern ServerOptions options; | 61 | extern ServerOptions options; |
58 | 62 | ||
59 | void | 63 | void |
64 | auth_start_parse_options(void) | ||
65 | { | ||
66 | logged_from_hostip = 0; | ||
67 | logged_cert_hostip = 0; | ||
68 | } | ||
69 | |||
70 | void | ||
60 | auth_clear_options(void) | 71 | auth_clear_options(void) |
61 | { | 72 | { |
62 | no_agent_forwarding_flag = 0; | 73 | no_agent_forwarding_flag = 0; |
@@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
284 | /* FALLTHROUGH */ | 295 | /* FALLTHROUGH */ |
285 | case 0: | 296 | case 0: |
286 | free(patterns); | 297 | free(patterns); |
287 | logit("Authentication tried for %.100s with " | 298 | if (!logged_from_hostip) { |
288 | "correct key but not from a permitted " | 299 | logit("Authentication tried for %.100s with " |
289 | "host (host=%.200s, ip=%.200s).", | 300 | "correct key but not from a permitted " |
290 | pw->pw_name, remote_host, remote_ip); | 301 | "host (host=%.200s, ip=%.200s).", |
302 | pw->pw_name, remote_host, remote_ip); | ||
303 | logged_from_hostip = 1; | ||
304 | } | ||
291 | auth_debug_add("Your host '%.200s' is not " | 305 | auth_debug_add("Your host '%.200s' is not " |
292 | "permitted to use this key for login.", | 306 | "permitted to use this key for login.", |
293 | remote_host); | 307 | remote_host); |
@@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | |||
510 | break; | 524 | break; |
511 | case 0: | 525 | case 0: |
512 | /* no match */ | 526 | /* no match */ |
513 | logit("Authentication tried for %.100s " | 527 | if (!logged_cert_hostip) { |
514 | "with valid certificate but not " | 528 | logit("Authentication tried for %.100s " |
515 | "from a permitted host " | 529 | "with valid certificate but not " |
516 | "(ip=%.200s).", pw->pw_name, | 530 | "from a permitted host " |
517 | remote_ip); | 531 | "(ip=%.200s).", pw->pw_name, |
532 | remote_ip); | ||
533 | logged_cert_hostip = 1; | ||
534 | } | ||
518 | auth_debug_add("Your address '%.200s' " | 535 | auth_debug_add("Your address '%.200s' " |
519 | "is not permitted to use this " | 536 | "is not permitted to use this " |
520 | "certificate for login.", | 537 | "certificate for login.", |
diff --git a/auth-options.h b/auth-options.h index 7455c9454..a3f0a02da 100644 --- a/auth-options.h +++ b/auth-options.h | |||
@@ -33,6 +33,7 @@ extern int forced_tun_device; | |||
33 | extern int key_is_cert_authority; | 33 | extern int key_is_cert_authority; |
34 | extern char *authorized_principals; | 34 | extern char *authorized_principals; |
35 | 35 | ||
36 | void auth_start_parse_options(void); | ||
36 | int auth_parse_options(struct passwd *, char *, char *, u_long); | 37 | int auth_parse_options(struct passwd *, char *, char *, u_long); |
37 | void auth_clear_options(void); | 38 | void auth_clear_options(void); |
38 | int auth_cert_options(Key *, struct passwd *); | 39 | int auth_cert_options(Key *, struct passwd *); |
diff --git a/auth-rsa.c b/auth-rsa.c index 545aa496a..4624c1597 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, | |||
174 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) | 174 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) |
175 | return 0; | 175 | return 0; |
176 | 176 | ||
177 | auth_start_parse_options(); | ||
178 | |||
177 | /* | 179 | /* |
178 | * Go though the accepted keys, looking for the current key. If | 180 | * Go though the accepted keys, looking for the current key. If |
179 | * found, perform a challenge-response dialog to verify that the | 181 | * found, perform a challenge-response dialog to verify that the |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 0fd27bb92..7c5692750 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) | |||
263 | restore_uid(); | 263 | restore_uid(); |
264 | return 0; | 264 | return 0; |
265 | } | 265 | } |
266 | auth_start_parse_options(); | ||
266 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 267 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
267 | /* Skip leading whitespace. */ | 268 | /* Skip leading whitespace. */ |
268 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | 269 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
@@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) | |||
324 | found_key = 0; | 325 | found_key = 0; |
325 | 326 | ||
326 | found = NULL; | 327 | found = NULL; |
328 | auth_start_parse_options(); | ||
327 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 329 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
328 | char *cp, *key_options = NULL; | 330 | char *cp, *key_options = NULL; |
329 | if (found != NULL) | 331 | if (found != NULL) |
@@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
459 | if (key_cert_check_authority(key, 0, 1, | 461 | if (key_cert_check_authority(key, 0, 1, |
460 | principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) | 462 | principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) |
461 | goto fail_reason; | 463 | goto fail_reason; |
464 | auth_start_parse_options(); | ||
462 | if (auth_cert_options(key, pw) != 0) | 465 | if (auth_cert_options(key, pw) != 0) |
463 | goto out; | 466 | goto out; |
464 | 467 | ||