diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:02 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-01-04 13:43:53 +0000 |
| commit | b7921aa4a2b83b247ca13651d061ab2eaa527f65 (patch) | |
| tree | 65d502dc176fde9f1977d114d0be01ce051191c8 | |
| parent | 05e44a7f55ca499d7e7f433152e066b256a1bb79 (diff) | |
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14
Patch-Name: auth-log-verbosity.patch
| -rw-r--r-- | auth-options.c | 35 | ||||
| -rw-r--r-- | auth-options.h | 1 | ||||
| -rw-r--r-- | auth-rsa.c | 2 | ||||
| -rw-r--r-- | auth2-pubkey.c | 3 |
4 files changed, 32 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c index e387697d3..f1e3ddfdf 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -58,9 +58,20 @@ int forced_tun_device = -1; | |||
| 58 | /* "principals=" option. */ | 58 | /* "principals=" option. */ |
| 59 | char *authorized_principals = NULL; | 59 | char *authorized_principals = NULL; |
| 60 | 60 | ||
| 61 | /* Throttle log messages. */ | ||
| 62 | int logged_from_hostip = 0; | ||
| 63 | int logged_cert_hostip = 0; | ||
| 64 | |||
| 61 | extern ServerOptions options; | 65 | extern ServerOptions options; |
| 62 | 66 | ||
| 63 | void | 67 | void |
| 68 | auth_start_parse_options(void) | ||
| 69 | { | ||
| 70 | logged_from_hostip = 0; | ||
| 71 | logged_cert_hostip = 0; | ||
| 72 | } | ||
| 73 | |||
| 74 | void | ||
| 64 | auth_clear_options(void) | 75 | auth_clear_options(void) |
| 65 | { | 76 | { |
| 66 | no_agent_forwarding_flag = 0; | 77 | no_agent_forwarding_flag = 0; |
| @@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 293 | /* FALLTHROUGH */ | 304 | /* FALLTHROUGH */ |
| 294 | case 0: | 305 | case 0: |
| 295 | free(patterns); | 306 | free(patterns); |
| 296 | logit("Authentication tried for %.100s with " | 307 | if (!logged_from_hostip) { |
| 297 | "correct key but not from a permitted " | 308 | logit("Authentication tried for %.100s with " |
| 298 | "host (host=%.200s, ip=%.200s).", | 309 | "correct key but not from a permitted " |
| 299 | pw->pw_name, remote_host, remote_ip); | 310 | "host (host=%.200s, ip=%.200s).", |
| 311 | pw->pw_name, remote_host, remote_ip); | ||
| 312 | logged_from_hostip = 1; | ||
| 313 | } | ||
| 300 | auth_debug_add("Your host '%.200s' is not " | 314 | auth_debug_add("Your host '%.200s' is not " |
| 301 | "permitted to use this key for login.", | 315 | "permitted to use this key for login.", |
| 302 | remote_host); | 316 | remote_host); |
| @@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
| 519 | break; | 533 | break; |
| 520 | case 0: | 534 | case 0: |
| 521 | /* no match */ | 535 | /* no match */ |
| 522 | logit("Authentication tried for %.100s " | 536 | if (!logged_cert_hostip) { |
| 523 | "with valid certificate but not " | 537 | logit("Authentication tried for %.100s " |
| 524 | "from a permitted host " | 538 | "with valid certificate but not " |
| 525 | "(ip=%.200s).", pw->pw_name, | 539 | "from a permitted host " |
| 526 | remote_ip); | 540 | "(ip=%.200s).", pw->pw_name, |
| 541 | remote_ip); | ||
| 542 | logged_cert_hostip = 1; | ||
| 543 | } | ||
| 527 | auth_debug_add("Your address '%.200s' " | 544 | auth_debug_add("Your address '%.200s' " |
| 528 | "is not permitted to use this " | 545 | "is not permitted to use this " |
| 529 | "certificate for login.", | 546 | "certificate for login.", |
diff --git a/auth-options.h b/auth-options.h index 34852e5c0..1653855ee 100644 --- a/auth-options.h +++ b/auth-options.h | |||
| @@ -33,6 +33,7 @@ extern int forced_tun_device; | |||
| 33 | extern int key_is_cert_authority; | 33 | extern int key_is_cert_authority; |
| 34 | extern char *authorized_principals; | 34 | extern char *authorized_principals; |
| 35 | 35 | ||
| 36 | void auth_start_parse_options(void); | ||
| 36 | int auth_parse_options(struct passwd *, char *, char *, u_long); | 37 | int auth_parse_options(struct passwd *, char *, char *, u_long); |
| 37 | void auth_clear_options(void); | 38 | void auth_clear_options(void); |
| 38 | int auth_cert_options(struct sshkey *, struct passwd *); | 39 | int auth_cert_options(struct sshkey *, struct passwd *); |
diff --git a/auth-rsa.c b/auth-rsa.c index cbd971be1..4cf2163c7 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
| @@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, | |||
| 181 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) | 181 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) |
| 182 | return 0; | 182 | return 0; |
| 183 | 183 | ||
| 184 | auth_start_parse_options(); | ||
| 185 | |||
| 184 | /* | 186 | /* |
| 185 | * Go though the accepted keys, looking for the current key. If | 187 | * Go though the accepted keys, looking for the current key. If |
| 186 | * found, perform a challenge-response dialog to verify that the | 188 | * found, perform a challenge-response dialog to verify that the |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 5aa319ccc..1eee16168 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, | |||
| 561 | u_long linenum = 0; | 561 | u_long linenum = 0; |
| 562 | u_int i; | 562 | u_int i; |
| 563 | 563 | ||
| 564 | auth_start_parse_options(); | ||
| 564 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 565 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
| 565 | /* Skip leading whitespace. */ | 566 | /* Skip leading whitespace. */ |
| 566 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | 567 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
| @@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) | |||
| 726 | found_key = 0; | 727 | found_key = 0; |
| 727 | 728 | ||
| 728 | found = NULL; | 729 | found = NULL; |
| 730 | auth_start_parse_options(); | ||
| 729 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 731 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
| 730 | char *cp, *key_options = NULL; | 732 | char *cp, *key_options = NULL; |
| 731 | if (found != NULL) | 733 | if (found != NULL) |
| @@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
| 872 | if (key_cert_check_authority(key, 0, 1, | 874 | if (key_cert_check_authority(key, 0, 1, |
| 873 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) | 875 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) |
| 874 | goto fail_reason; | 876 | goto fail_reason; |
| 877 | auth_start_parse_options(); | ||
| 875 | if (auth_cert_options(key, pw) != 0) | 878 | if (auth_cert_options(key, pw) != 0) |
| 876 | goto out; | 879 | goto out; |
| 877 | 880 | ||