author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:02 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 16:33:32 +0100 |
commit | c9c2ebb4680ea6872218b1e4519fe31a2043a27a (patch) | |
tree | c69410030e0bdf2684c6ed17b46b42f54f9aca77 | |
parent | 5cbcc7353649b84b5a7528e583458ee9473fd527 (diff) |
Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14
Patch-Name: auth-log-verbosity.patch
-rw-r--r-- | auth-options.c | 35 | ||||
-rw-r--r-- | auth-options.h | 1 | ||||
-rw-r--r-- | auth-rsa.c | 2 | ||||
-rw-r--r-- | auth2-pubkey.c | 3 |
4 files changed, 32 insertions, 9 deletions
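diff --git a/auth-options.c b/auth-options.c
index 4f0da9c04..3fa236eb8 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
 extern ServerOptions options;
 
 void
+auth_start_parse_options(void)
+{
+logged_from_hostip = 0;
+logged_cert_hostip = 0;
+}
+
+void
 auth_clear_options(void)
 {
 no_agent_forwarding_flag = 0;
@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 /* FALLTHROUGH */
 case 0:
 free(patterns);
-logit("Authentication tried for %.100s with "
-"correct key but not from a permitted "
-"host (host=%.200s, ip=%.200s).",
-pw->pw_name, remote_host, remote_ip);
+if (!logged_from_hostip) {
+logit("Authentication tried for %.100s with "
+"correct key but not from a permitted "
+"host (host=%.200s, ip=%.200s).",
+pw->pw_name, remote_host, remote_ip);
+logged_from_hostip = 1;
+}
 auth_debug_add("Your host '%.200s' is not "
 "permitted to use this key for login.",
 remote_host);
@@ -514,11 +528,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
 break;
 case 0:
 /* no match */
-logit("Authentication tried for %.100s "
-"with valid certificate but not "
-"from a permitted host "
-"(ip=%.200s).", pw->pw_name,
-remote_ip);
+if (!logged_cert_hostip) {
+logit("Authentication tried for %.100s "
+"with valid certificate but not "
+"from a permitted host "
+"(ip=%.200s).", pw->pw_name,
+remote_ip);
+logged_cert_hostip = 1;
+}
 auth_debug_add("Your address '%.200s' "
 "is not permitted to use this "
 "certificate for login.",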
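Review bot: The two throttle flags added at the top of auth-options.c are not declared in auth-options.h (that hunk only adds the auth_start_parse_options prototype), so they should be file-local: `static int logged_from_hostip = 0;` and `static int logged_cert_hostip = 0;`. The comment above them says only "Throttle log messages", but the guards in auth_parse_options and parse_option_list only work if callers reset the flags first, so the comment should state that contract, e.g. `/* Set once the "not from a permitted host" message has been logged during the current keyfile scan; auth_start_parse_options() resets them so each scan logs at most once, while auth_debug_add() still runs per key. */`. The auth_debug_add() calls after each guarded logit() stay unconditional, which looks intended since they feed the client-side debug channel rather than the server log. auth_parse_options and parse_option_list both start and end outside their hunks.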
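diff --git a/auth-options.h b/auth-options.h
index 34852e5c0..1653855ee 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
 extern int key_is_cert_authority;
 extern char *authorized_principals;
 
+void auth_start_parse_options(void);
 int auth_parse_options(struct passwd *, char *, char *, u_long);
 void auth_clear_options(void);
 int auth_cert_options(struct sshkey *, struct passwd *);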
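Review bot: The new prototype carries no comment, yet the throttle it resets only behaves as intended if every keyfile scan calls it before its first auth_parse_options/auth_cert_options call; a one-line note at the declaration would keep future callers in line, e.g. `/* Reset per-scan log throttling; call before each pass over a keys or principals file. */`. The neighbouring declarations are undocumented too, so this follows local style, but the reset contract is non-obvious enough to justify the exception.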
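diff --git a/auth-rsa.c b/auth-rsa.c
index cbd971be1..4cf2163c7 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
 return 0;
 
+auth_start_parse_options();
+
 /*
 * Go though the accepted keys, looking for the current key. If
 * found, perform a challenge-response dialog to verify that the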
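Review bot: auth_start_parse_options() is added here and at three more call sites in auth2-pubkey.c (before the loops in match_principals_file and check_authkeys_file, and before auth_cert_options in user_cert_trusted_ca), each as a bare statement with nothing saying why it must precede the scan. A trailing comment at each call would make the dependency visible to whoever adds the next keyfile scanner, e.g. `auth_start_parse_options();	/* log "not permitted host" at most once per scan */`. Placing the reset right after the file is opened, before the loop, is what the throttle needs, assuming auth_parse_options is only invoked from inside that loop; rsa_key_allowed_in_file starts and ends outside the hunk.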
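diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index d943efa1e..0bda5c9dd 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -282,6 +282,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
 restore_uid();
 return 0;
 }
+auth_start_parse_options();
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 /* Skip leading whitespace. */
 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -343,6 +344,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 found_key = 0;
 
 found = NULL;
+auth_start_parse_options();
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 char *cp, *key_options = NULL;
 if (found != NULL)
@@ -482,6 +484,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 if (key_cert_check_authority(key, 0, 1,
 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
 goto fail_reason;
+auth_start_parse_options();
 if (auth_cert_options(key, pw) != 0)
 goto out;
 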