summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:02 +0000
committerColin Watson <cjwatson@debian.org>2014-02-10 02:40:16 +0000
commit493e37552aa05b38cf69b5f1bc4b717fd4a1a285 (patch)
tree55a5069fc3f592a2fc4d256af6e23303e73dc340
parenta3e8cef2bae563fe8c87cf9f32511a0808dd47eb (diff)
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
-rw-r--r--auth-options.c35
-rw-r--r--auth-options.h1
-rw-r--r--auth-rsa.c2
-rw-r--r--auth2-pubkey.c3
4 files changed, 32 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c
index fa209eaab..df6133037 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -54,9 +54,20 @@ int forced_tun_device = -1;
54/* "principals=" option. */ 54/* "principals=" option. */
55char *authorized_principals = NULL; 55char *authorized_principals = NULL;
56 56
57/* Throttle log messages. */
58int logged_from_hostip = 0;
59int logged_cert_hostip = 0;
60
57extern ServerOptions options; 61extern ServerOptions options;
58 62
59void 63void
64auth_start_parse_options(void)
65{
66 logged_from_hostip = 0;
67 logged_cert_hostip = 0;
68}
69
70void
60auth_clear_options(void) 71auth_clear_options(void)
61{ 72{
62 no_agent_forwarding_flag = 0; 73 no_agent_forwarding_flag = 0;
@@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
284 /* FALLTHROUGH */ 295 /* FALLTHROUGH */
285 case 0: 296 case 0:
286 free(patterns); 297 free(patterns);
287 logit("Authentication tried for %.100s with " 298 if (!logged_from_hostip) {
288 "correct key but not from a permitted " 299 logit("Authentication tried for %.100s with "
289 "host (host=%.200s, ip=%.200s).", 300 "correct key but not from a permitted "
290 pw->pw_name, remote_host, remote_ip); 301 "host (host=%.200s, ip=%.200s).",
302 pw->pw_name, remote_host, remote_ip);
303 logged_from_hostip = 1;
304 }
291 auth_debug_add("Your host '%.200s' is not " 305 auth_debug_add("Your host '%.200s' is not "
292 "permitted to use this key for login.", 306 "permitted to use this key for login.",
293 remote_host); 307 remote_host);
@@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
510 break; 524 break;
511 case 0: 525 case 0:
512 /* no match */ 526 /* no match */
513 logit("Authentication tried for %.100s " 527 if (!logged_cert_hostip) {
514 "with valid certificate but not " 528 logit("Authentication tried for %.100s "
515 "from a permitted host " 529 "with valid certificate but not "
516 "(ip=%.200s).", pw->pw_name, 530 "from a permitted host "
517 remote_ip); 531 "(ip=%.200s).", pw->pw_name,
532 remote_ip);
533 logged_cert_hostip = 1;
534 }
518 auth_debug_add("Your address '%.200s' " 535 auth_debug_add("Your address '%.200s' "
519 "is not permitted to use this " 536 "is not permitted to use this "
520 "certificate for login.", 537 "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 7455c9454..a3f0a02da 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
33extern int key_is_cert_authority; 33extern int key_is_cert_authority;
34extern char *authorized_principals; 34extern char *authorized_principals;
35 35
36void auth_start_parse_options(void);
36int auth_parse_options(struct passwd *, char *, char *, u_long); 37int auth_parse_options(struct passwd *, char *, char *, u_long);
37void auth_clear_options(void); 38void auth_clear_options(void);
38int auth_cert_options(Key *, struct passwd *); 39int auth_cert_options(Key *, struct passwd *);
diff --git a/auth-rsa.c b/auth-rsa.c
index 545aa496a..4624c1597 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
174 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 174 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
175 return 0; 175 return 0;
176 176
177 auth_start_parse_options();
178
177 /* 179 /*
178 * Go though the accepted keys, looking for the current key. If 180 * Go though the accepted keys, looking for the current key. If
179 * found, perform a challenge-response dialog to verify that the 181 * found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0fd27bb92..7c5692750 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
263 restore_uid(); 263 restore_uid();
264 return 0; 264 return 0;
265 } 265 }
266 auth_start_parse_options();
266 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 267 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
267 /* Skip leading whitespace. */ 268 /* Skip leading whitespace. */
268 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 269 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
324 found_key = 0; 325 found_key = 0;
325 326
326 found = NULL; 327 found = NULL;
328 auth_start_parse_options();
327 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 329 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
328 char *cp, *key_options = NULL; 330 char *cp, *key_options = NULL;
329 if (found != NULL) 331 if (found != NULL)
@@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
459 if (key_cert_check_authority(key, 0, 1, 461 if (key_cert_check_authority(key, 0, 1,
460 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 462 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
461 goto fail_reason; 463 goto fail_reason;
464 auth_start_parse_options();
462 if (auth_cert_options(key, pw) != 0) 465 if (auth_cert_options(key, pw) != 0)
463 goto out; 466 goto out;
464 467