summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:02 +0000
committerColin Watson <cjwatson@debian.org>2015-09-17 13:52:40 +0100
commit6094c895d27a24a4975ff768c3009fd93bb699dd (patch)
treefd8293da7fe46ec2db791f1f606c1a3891e8b0f1
parent0b7d8f80872624024fad8132ffc3b0d0c1ba7224 (diff)
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
-rw-r--r--auth-options.c35
-rw-r--r--auth-options.h1
-rw-r--r--auth-rsa.c2
-rw-r--r--auth2-pubkey.c3
4 files changed, 32 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c
index facfc025b..9ab1880d9 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
58/* "principals=" option. */ 58/* "principals=" option. */
59char *authorized_principals = NULL; 59char *authorized_principals = NULL;
60 60
61/* Throttle log messages. */
62int logged_from_hostip = 0;
63int logged_cert_hostip = 0;
64
61extern ServerOptions options; 65extern ServerOptions options;
62 66
63void 67void
68auth_start_parse_options(void)
69{
70 logged_from_hostip = 0;
71 logged_cert_hostip = 0;
72}
73
74void
64auth_clear_options(void) 75auth_clear_options(void)
65{ 76{
66 no_agent_forwarding_flag = 0; 77 no_agent_forwarding_flag = 0;
@@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
293 /* FALLTHROUGH */ 304 /* FALLTHROUGH */
294 case 0: 305 case 0:
295 free(patterns); 306 free(patterns);
296 logit("Authentication tried for %.100s with " 307 if (!logged_from_hostip) {
297 "correct key but not from a permitted " 308 logit("Authentication tried for %.100s with "
298 "host (host=%.200s, ip=%.200s).", 309 "correct key but not from a permitted "
299 pw->pw_name, remote_host, remote_ip); 310 "host (host=%.200s, ip=%.200s).",
311 pw->pw_name, remote_host, remote_ip);
312 logged_from_hostip = 1;
313 }
300 auth_debug_add("Your host '%.200s' is not " 314 auth_debug_add("Your host '%.200s' is not "
301 "permitted to use this key for login.", 315 "permitted to use this key for login.",
302 remote_host); 316 remote_host);
@@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
519 break; 533 break;
520 case 0: 534 case 0:
521 /* no match */ 535 /* no match */
522 logit("Authentication tried for %.100s " 536 if (!logged_cert_hostip) {
523 "with valid certificate but not " 537 logit("Authentication tried for %.100s "
524 "from a permitted host " 538 "with valid certificate but not "
525 "(ip=%.200s).", pw->pw_name, 539 "from a permitted host "
526 remote_ip); 540 "(ip=%.200s).", pw->pw_name,
541 remote_ip);
542 logged_cert_hostip = 1;
543 }
527 auth_debug_add("Your address '%.200s' " 544 auth_debug_add("Your address '%.200s' "
528 "is not permitted to use this " 545 "is not permitted to use this "
529 "certificate for login.", 546 "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 34852e5c0..1653855ee 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
33extern int key_is_cert_authority; 33extern int key_is_cert_authority;
34extern char *authorized_principals; 34extern char *authorized_principals;
35 35
36void auth_start_parse_options(void);
36int auth_parse_options(struct passwd *, char *, char *, u_long); 37int auth_parse_options(struct passwd *, char *, char *, u_long);
37void auth_clear_options(void); 38void auth_clear_options(void);
38int auth_cert_options(struct sshkey *, struct passwd *); 39int auth_cert_options(struct sshkey *, struct passwd *);
diff --git a/auth-rsa.c b/auth-rsa.c
index cbd971be1..4cf2163c7 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
181 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 181 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
182 return 0; 182 return 0;
183 183
184 auth_start_parse_options();
185
184 /* 186 /*
185 * Go though the accepted keys, looking for the current key. If 187 * Go though the accepted keys, looking for the current key. If
186 * found, perform a challenge-response dialog to verify that the 188 * found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 5aa319ccc..1eee16168 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
561 u_long linenum = 0; 561 u_long linenum = 0;
562 u_int i; 562 u_int i;
563 563
564 auth_start_parse_options();
564 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 565 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
565 /* Skip leading whitespace. */ 566 /* Skip leading whitespace. */
566 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 567 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
726 found_key = 0; 727 found_key = 0;
727 728
728 found = NULL; 729 found = NULL;
730 auth_start_parse_options();
729 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 731 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
730 char *cp, *key_options = NULL; 732 char *cp, *key_options = NULL;
731 if (found != NULL) 733 if (found != NULL)
@@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
872 if (key_cert_check_authority(key, 0, 1, 874 if (key_cert_check_authority(key, 0, 1,
873 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) 875 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
874 goto fail_reason; 876 goto fail_reason;
877 auth_start_parse_options();
875 if (auth_cert_options(key, pw) != 0) 878 if (auth_cert_options(key, pw) != 0)
876 goto out; 879 goto out;
877 880