author | Colin Watson <cjwatson@debian.org> | 2011-07-28 14:32:20 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-07-28 14:32:20 +0100 |
commit | 7a15b74572af22c2642ce0b125a90f35a92a10b4 (patch) | |
tree | 5a93c65cbc21e3657703863169a17390da156e6b | |
parent | b231e29fdc2c76309619e2fbc45e5779df4fe147 (diff) |
Quieten logs when multiple from= restrictions are used in different
authorized_keys lines for the same key; it's still not ideal, but at
least you'll only get one log entry per key (closes: #630606).
-rw-r--r-- | auth-options.c | 35 | ||||
-rw-r--r-- | auth-options.h | 1 | ||||
-rw-r--r-- | auth-rsa.c | 2 | ||||
-rw-r--r-- | auth2-pubkey.c | 4 | ||||
-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | debian/patches/auth-log-verbosity.patch | 123 | ||||
-rw-r--r-- | debian/patches/series | 1 |
7 files changed, 160 insertions, 9 deletions
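--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
 extern ServerOptions options;
 
 void
+auth_start_parse_options(void)
+{
+logged_from_hostip = 0;
+logged_cert_hostip = 0;
+}
+
+void
 auth_clear_options(void)
 {
 no_agent_forwarding_flag = 0;
@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 /* FALLTHROUGH */
 case 0:
 xfree(patterns);
-logit("Authentication tried for %.100s with "
-"correct key but not from a permitted "
-"host (host=%.200s, ip=%.200s).",
-pw->pw_name, remote_host, remote_ip);
+if (!logged_from_hostip) {
+logit("Authentication tried for %.100s with "
+"correct key but not from a permitted "
+"host (host=%.200s, ip=%.200s).",
+pw->pw_name, remote_host, remote_ip);
+logged_from_hostip = 1;
+}
 auth_debug_add("Your host '%.200s' is not "
 "permitted to use this key for login.",
 remote_host);
@@ -526,11 +540,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 break;
 case 0:
 /* no match */
-logit("Authentication tried for %.100s "
-"with valid certificate but not "
-"from a permitted host "
-"(ip=%.200s).", pw->pw_name,
-remote_ip);
+if (!logged_cert_hostip) {
+logit("Authentication tried for %.100s "
+"with valid certificate but not "
+"from a permitted host "
+"(ip=%.200s).", pw->pw_name,
+remote_ip);
+logged_cert_hostip = 1;
+}
 auth_debug_add("Your address '%.200s' "
 "is not permitted to use this "
 "certificate for login.",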
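Review bot: The new throttle flags `logged_from_hostip` and `logged_cert_hostip` (new lines 62-63) are defined with external linkage, yet nothing outside auth-options.c references them in this commit and no `extern` declaration is added to auth-options.h, so they should be `static int logged_from_hostip = 0;` and `static int logged_cert_hostip = 0;` to keep them out of the global namespace. They are only cleared by `auth_start_parse_options()`, so the throttling is correct only if every scan of a key or principals file calls it first; a comment on the definitions, `/* Throttle log messages; reset by auth_start_parse_options() before each key-file scan. */`, would make that contract visible where the flags live. Once a flag is set, later denied lines in the same scan leave no server-side record at all (only the per-line `auth_debug_add` message, which is still queued), which removes information an administrator may want when working out which line a denial came from; a `debug()` call in an `else` branch would keep that visible at LogLevel DEBUG without restoring the noise. The enclosing functions `auth_parse_options` and `parse_option_list` both start and end outside their hunks.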
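--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
 extern int key_is_cert_authority;
 extern char *authorized_principals;
 
+void auth_start_parse_options(void);
 int auth_parse_options(struct passwd *, char *, char *, u_long);
 void auth_clear_options(void);
 int auth_cert_options(Key *, struct passwd *);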
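Review bot: The new prototype `void auth_start_parse_options(void);` at line 36 has no comment, and its name does not say that it must run once before each key-file scan rather than before each `auth_parse_options()` call. A one-line comment above it, `/* Reset per-scan log throttling; call once before scanning a key or principals file, not per line. */`, would stop a future caller from placing it inside the per-line loop, which would reset the flags on every line and defeat the throttling.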
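--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -193,6 +193,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 
 key = key_new(KEY_RSA1);
 
+auth_start_parse_options();
+
 /*
 * Go though the accepted keys, looking for the current key. If
 * found, perform a challenge-response dialog to verify that the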
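--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -211,6 +211,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
 restore_uid();
 return 0;
 }
+auth_start_parse_options();
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 /* Skip leading whitespace. */
 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -280,6 +281,8 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 found_key = 0;
 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
+auth_start_parse_options();
+
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 char *cp, *key_options = NULL;
 
@@ -416,6 +419,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 if (key_cert_check_authority(key, 0, 1,
 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
 goto fail_reason;
+auth_start_parse_options();
 if (auth_cert_options(key, pw) != 0)
 goto out;
 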
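Review bot: The reset is pushed into each caller (new lines 214, 284 and 422 here, plus auth-rsa.c line 196) rather than being done where the flags are consumed, so any scan path that omits the call presumably inherits whatever value the previous attempt in the same process left behind and silently loses its log line; since the throttled `logit` in auth-options.c is the only server-side record of a from= denial, that is a logging gap worth guarding. A short comment at each call site, `/* Reset per-scan log throttling (see auth-options.c). */`, would explain why the call sits before the loop and discourage moving it inside. In `user_cert_trusted_ca` the reset at line 422 comes after the `goto fail_reason` path, which is fine because no option parsing happens there. All three enclosing functions extend outside their hunks.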
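--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:5.8p1-6) UNRELEASED; urgency=low
 
 * openssh-client and openssh-server Suggests: monkeysphere.
+* Quieten logs when multiple from= restrictions are used in different
+authorized_keys lines for the same key; it's still not ideal, but at
+least you'll only get one log entry per key (closes: #630606).
 
 -- Colin Watson <cjwatson@debian.org> Thu, 28 Jul 2011 11:57:27 +0100
 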
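--- /dev/null
+++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
+Description: Quieten logs when multiple from= restrictions are used
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2011-07-28
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -58,9 +58,20 @@
+/* "principals=" option. */
+char *authorized_principals = NULL;
+
++/* Throttle log messages. */
++int logged_from_hostip = 0;
++int logged_cert_hostip = 0;
++
+extern ServerOptions options;
+
+void
++auth_start_parse_options(void)
++{
++ logged_from_hostip = 0;
++ logged_cert_hostip = 0;
++}
++
++void
+auth_clear_options(void)
+{
+no_agent_forwarding_flag = 0;
+@@ -288,10 +299,13 @@
+/* FALLTHROUGH */
+case 0:
+xfree(patterns);
+- logit("Authentication tried for %.100s with "
+- "correct key but not from a permitted "
+- "host (host=%.200s, ip=%.200s).",
+- pw->pw_name, remote_host, remote_ip);
++ if (!logged_from_hostip) {
++ logit("Authentication tried for %.100s with "
++ "correct key but not from a permitted "
++ "host (host=%.200s, ip=%.200s).",
++ pw->pw_name, remote_host, remote_ip);
++ logged_from_hostip = 1;
++ }
+auth_debug_add("Your host '%.200s' is not "
+"permitted to use this key for login.",
+remote_host);
+@@ -526,11 +540,14 @@
+break;
+case 0:
+/* no match */
+- logit("Authentication tried for %.100s "
+- "with valid certificate but not "
+- "from a permitted host "
+- "(ip=%.200s).", pw->pw_name,
+- remote_ip);
++ if (!logged_cert_hostip) {
++ logit("Authentication tried for %.100s "
++ "with valid certificate but not "
++ "from a permitted host "
++ "(ip=%.200s).", pw->pw_name,
++ remote_ip);
++ logged_cert_hostip = 1;
++ }
+auth_debug_add("Your address '%.200s' "
+"is not permitted to use this "
+"certificate for login.",
+Index: b/auth-options.h
+===================================================================
+--- a/auth-options.h
++++ b/auth-options.h
+@@ -33,6 +33,7 @@
+extern int key_is_cert_authority;
+extern char *authorized_principals;
+
++void auth_start_parse_options(void);
+int auth_parse_options(struct passwd *, char *, char *, u_long);
+void auth_clear_options(void);
+int auth_cert_options(Key *, struct passwd *);
+Index: b/auth-rsa.c
+===================================================================
+--- a/auth-rsa.c
++++ b/auth-rsa.c
+@@ -193,6 +193,8 @@
+
+key = key_new(KEY_RSA1);
+
++ auth_start_parse_options();
++
+/*
+* Go though the accepted keys, looking for the current key. If
+* found, perform a challenge-response dialog to verify that the
+Index: b/auth2-pubkey.c
+===================================================================
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -211,6 +211,7 @@
+restore_uid();
+return 0;
+}
++ auth_start_parse_options();
+while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+/* Skip leading whitespace. */
+for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+@@ -280,6 +281,8 @@
+found_key = 0;
+found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+
++ auth_start_parse_options();
++
+while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+char *cp, *key_options = NULL;
+
+@@ -416,6 +419,7 @@
+if (key_cert_check_authority(key, 0, 1,
+principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+goto fail_reason;
++ auth_start_parse_options();
+if (auth_cert_options(key, pw) != 0)
+goto out;
+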
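--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ doc-hash-tab-completion.patch
 selinux-build-failure.patch
 ssh-add-fifo.patch
 hostbased-ecdsa.patch
+auth-log-verbosity.patch
 
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch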