summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:02 +0000
committerColin Watson <cjwatson@debian.org>2016-03-10 13:00:40 +0000
commit33f7235ca187f62f44734c6caca95e54c3cf7232 (patch)
treef05189c752bcf72887bc159cc37eae1bac25a6eb
parent9c255ad5c677682eb99e1d45dbd5328cef732036 (diff)
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
-rw-r--r--auth-options.c35
-rw-r--r--auth-options.h1
-rw-r--r--auth-rsa.c2
-rw-r--r--auth2-pubkey.c3
4 files changed, 32 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c
index edbaf80bb..bda39df4e 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
58/* "principals=" option. */ 58/* "principals=" option. */
59char *authorized_principals = NULL; 59char *authorized_principals = NULL;
60 60
61/* Throttle log messages. */
62int logged_from_hostip = 0;
63int logged_cert_hostip = 0;
64
61extern ServerOptions options; 65extern ServerOptions options;
62 66
63void 67void
68auth_start_parse_options(void)
69{
70 logged_from_hostip = 0;
71 logged_cert_hostip = 0;
72}
73
74void
64auth_clear_options(void) 75auth_clear_options(void)
65{ 76{
66 no_agent_forwarding_flag = 0; 77 no_agent_forwarding_flag = 0;
@@ -314,10 +325,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
314 /* FALLTHROUGH */ 325 /* FALLTHROUGH */
315 case 0: 326 case 0:
316 free(patterns); 327 free(patterns);
317 logit("Authentication tried for %.100s with " 328 if (!logged_from_hostip) {
318 "correct key but not from a permitted " 329 logit("Authentication tried for %.100s with "
319 "host (host=%.200s, ip=%.200s).", 330 "correct key but not from a permitted "
320 pw->pw_name, remote_host, remote_ip); 331 "host (host=%.200s, ip=%.200s).",
332 pw->pw_name, remote_host, remote_ip);
333 logged_from_hostip = 1;
334 }
321 auth_debug_add("Your host '%.200s' is not " 335 auth_debug_add("Your host '%.200s' is not "
322 "permitted to use this key for login.", 336 "permitted to use this key for login.",
323 remote_host); 337 remote_host);
@@ -540,11 +554,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
540 break; 554 break;
541 case 0: 555 case 0:
542 /* no match */ 556 /* no match */
543 logit("Authentication tried for %.100s " 557 if (!logged_cert_hostip) {
544 "with valid certificate but not " 558 logit("Authentication tried for %.100s "
545 "from a permitted host " 559 "with valid certificate but not "
546 "(ip=%.200s).", pw->pw_name, 560 "from a permitted host "
547 remote_ip); 561 "(ip=%.200s).", pw->pw_name,
562 remote_ip);
563 logged_cert_hostip = 1;
564 }
548 auth_debug_add("Your address '%.200s' " 565 auth_debug_add("Your address '%.200s' "
549 "is not permitted to use this " 566 "is not permitted to use this "
550 "certificate for login.", 567 "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 34852e5c0..1653855ee 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
33extern int key_is_cert_authority; 33extern int key_is_cert_authority;
34extern char *authorized_principals; 34extern char *authorized_principals;
35 35
36void auth_start_parse_options(void);
36int auth_parse_options(struct passwd *, char *, char *, u_long); 37int auth_parse_options(struct passwd *, char *, char *, u_long);
37void auth_clear_options(void); 38void auth_clear_options(void);
38int auth_cert_options(struct sshkey *, struct passwd *); 39int auth_cert_options(struct sshkey *, struct passwd *);
diff --git a/auth-rsa.c b/auth-rsa.c
index cbd971be1..4cf2163c7 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
181 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 181 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
182 return 0; 182 return 0;
183 183
184 auth_start_parse_options();
185
184 /* 186 /*
185 * Go though the accepted keys, looking for the current key. If 187 * Go though the accepted keys, looking for the current key. If
186 * found, perform a challenge-response dialog to verify that the 188 * found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 41b34aed2..aace7ca15 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
566 u_long linenum = 0; 566 u_long linenum = 0;
567 u_int i; 567 u_int i;
568 568
569 auth_start_parse_options();
569 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 570 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
570 /* Skip leading whitespace. */ 571 /* Skip leading whitespace. */
571 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 572 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -731,6 +732,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
731 found_key = 0; 732 found_key = 0;
732 733
733 found = NULL; 734 found = NULL;
735 auth_start_parse_options();
734 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 736 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
735 char *cp, *key_options = NULL; 737 char *cp, *key_options = NULL;
736 if (found != NULL) 738 if (found != NULL)
@@ -878,6 +880,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
878 if (key_cert_check_authority(key, 0, 1, 880 if (key_cert_check_authority(key, 0, 1,
879 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) 881 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
880 goto fail_reason; 882 goto fail_reason;
883 auth_start_parse_options();
881 if (auth_cert_options(key, pw) != 0) 884 if (auth_cert_options(key, pw) != 0)
882 goto out; 885 goto out;
883 886