authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:02 +0000
committerColin Watson <cjwatson@debian.org>2014-10-07 14:27:21 +0100
commit1ecd5db58295874d8b9a7ce98fe1880ab08fbcaf (patch)
treec9fd95652b6613e71ce2571b4a010691e2a34f50
parent4ac9937c1d9f1901ab0694114d76e59a138aae96 (diff)
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
-rw-r--r--auth-options.c35
-rw-r--r--auth-options.h1
-rw-r--r--auth-rsa.c2
-rw-r--r--auth2-pubkey.c3
4 files changed, 32 insertions, 9 deletions
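--- a/auth-options.c
+++ b/auth-options.c
@@ -54,9 +54,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
 extern ServerOptions options;
 
 void
+auth_start_parse_options(void)
+{
+	logged_from_hostip = 0;
+	logged_cert_hostip = 0;
+}
+
+void
 auth_clear_options(void)
 {
 	no_agent_forwarding_flag = 0;
@@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				/* FALLTHROUGH */
 			case 0:
 				free(patterns);
-				logit("Authentication tried for %.100s with "
-				    "correct key but not from a permitted "
-				    "host (host=%.200s, ip=%.200s).",
-				    pw->pw_name, remote_host, remote_ip);
+				if (!logged_from_hostip) {
+					logit("Authentication tried for %.100s with "
+					    "correct key but not from a permitted "
+					    "host (host=%.200s, ip=%.200s).",
+					    pw->pw_name, remote_host, remote_ip);
+					logged_from_hostip = 1;
+				}
 				auth_debug_add("Your host '%.200s' is not "
 				    "permitted to use this key for login.",
 				    remote_host);
@@ -511,11 +525,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 				break;
 			case 0:
 				/* no match */
-				logit("Authentication tried for %.100s "
-				    "with valid certificate but not "
-				    "from a permitted host "
-				    "(ip=%.200s).", pw->pw_name,
-				    remote_ip);
+				if (!logged_cert_hostip) {
+					logit("Authentication tried for %.100s "
+					    "with valid certificate but not "
+					    "from a permitted host "
+					    "(ip=%.200s).", pw->pw_name,
+					    remote_ip);
+					logged_cert_hostip = 1;
+				}
 				auth_debug_add("Your address '%.200s' "
 				    "is not permitted to use this "
 				    "certificate for login.",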
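Review bot: The two throttle flags introduced at the top of the first hunk, `int logged_from_hostip = 0;` and `int logged_cert_hostip = 0;`, are given external linkage but no declaration in auth-options.h, so nothing outside this file can legitimately reach them; writing them as `static int logged_from_hostip = 0;` and `static int logged_cert_hostip = 0;` keeps the state private to auth-options.c and lets the compiler catch any stray reference. The comment above them could also say what the throttle does and who resets it, e.g. `/* Throttle log messages: log a "not from a permitted host" failure once per key-file scan; reset by auth_start_parse_options(). */`. The same flags gate the logit() calls in the second and third hunks, so a second mismatching key in one scan leaves only the auth_debug_add() text as a trace, and log-based detection that counted those messages per key will now see at most one per scan. auth_parse_options and parse_option_list both begin and end outside their hunks.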
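--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
 extern int key_is_cert_authority;
 extern char *authorized_principals;
 
+void auth_start_parse_options(void);
 int auth_parse_options(struct passwd *, char *, char *, u_long);
 void auth_clear_options(void);
 int auth_cert_options(Key *, struct passwd *);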
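Review bot: The new prototype `void auth_start_parse_options(void);` carries no comment stating when it must be called, although every call site added in this commit invokes it before a key or certificate is parsed for options, and the flags it resets decide whether the "not from a permitted host" message is logged at all. A one-line comment above it, `/* Reset the per-scan log throttle; call before each authorized_keys, principals or certificate options parse. */`, would give future callers the contract without reading auth-options.c.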
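--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -179,6 +179,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
 	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
 		return 0;
 
+	auth_start_parse_options();
+
 	/*
 	 * Go though the accepted keys, looking for the current key. If
 	 * found, perform a challenge-response dialog to verify that the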
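--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
 		restore_uid();
 		return 0;
 	}
+	auth_start_parse_options();
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		/* Skip leading whitespace. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 	found_key = 0;
 
 	found = NULL;
+	auth_start_parse_options();
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		char *cp, *key_options = NULL;
 		if (found != NULL)
@@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 	if (key_cert_check_authority(key, 0, 1,
 	    principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
 		goto fail_reason;
+	auth_start_parse_options();
 	if (auth_cert_options(key, pw) != 0)
 		goto out;
 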
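Review bot: Each of the three hunks adds a bare `auth_start_parse_options();` with no comment, and a reader of auth2-pubkey.c gets no hint that it resets file-scope flags in auth-options.c which decide whether the "not from a permitted host" message is logged; a why-comment at the first call site, `/* Reset the once-per-scan log throttle kept in auth-options.c. */`, would make the cross-file dependency visible. Because those flags persist for the life of the process until the next reset, any option-parsing path that does not pass through one of these call sites (none is visible in this diff, so this is inferred) would inherit a set flag and log nothing on a host mismatch; worth confirming no such path exists. All three enclosing functions — match_principals_file, check_authkeys_file and user_cert_trusted_ca — start and end outside their hunks.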