Quieten logs when multiple from= restrictions are used

Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:02 +0000
committer: Colin Watson <cjwatson@debian.org> 2017-03-29 01:39:47 +0100
commit: e08f96cf1105a3ee9a23de7102d593443e031e0c (patch)
tree: 9c93015f3103621c06f793f2b35e040c08355fd4
parent: 1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c (diff)
3 files changed, 30 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c
index 57b49f7fd..7eb87b352 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -59,9 +59,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
 extern ServerOptions options;
 void
+auth_start_parse_options(void)
+{
+        logged_from_hostip = 0;
+        logged_cert_hostip = 0;
+}
+void
 auth_clear_options(void)
 {
        no_agent_forwarding_flag = 0;
@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                /* FALLTHROUGH */
                        case 0:
                                free(patterns);
-                                logit("Authentication tried for %.100s with "
+                                if (!logged_from_hostip) {
-                                    "correct key but not from a permitted "
+                                        logit("Authentication tried for %.100s with "
-                                    "host (host=%.200s, ip=%.200s).",
+                                            "correct key but not from a permitted "
-                                    pw->pw_name, remote_host, remote_ip);
+                                            "host (host=%.200s, ip=%.200s).",
+                                            pw->pw_name, remote_host, remote_ip);
+                                        logged_from_hostip = 1;
+                                }
                                auth_debug_add("Your host '%.200s' is not "
                                    "permitted to use this key for login.",
                                    remote_host);
@@ -543,11 +557,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
                                        break;
                                case 0:
                                        /* no match */
-                                        logit("Authentication tried for %.100s "
+                                        if (!logged_cert_hostip) {
-                                            "with valid certificate but not "
+                                                logit("Authentication tried for %.100s "
-                                            "from a permitted host "
+                                                    "with valid certificate but not "
-                                            "(ip=%.200s).", pw->pw_name,
+                                                    "from a permitted host "
-                                            remote_ip);
+                                                    "(ip=%.200s).", pw->pw_name,
+                                                    remote_ip);
+                                                logged_cert_hostip = 1;
+                                        }
                                        auth_debug_add("Your address '%.200s' "
                                            "is not permitted to use this "
                                            "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 52cbb42aa..823552761 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
 extern int key_is_cert_authority;
 extern char *authorized_principals;
+void    auth_start_parse_options(void);
 int     auth_parse_options(struct passwd *, char *, char *, u_long);
 void    auth_clear_options(void);
 int     auth_cert_options(struct sshkey *, struct passwd *, const char **);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 3e5706f4d..6dc5076ef 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
        u_long linenum = 0;
        u_int i, found_principal = 0;
+        auth_start_parse_options();
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                /* Always consume entire input */
                if (found_principal)
@@ -771,6 +772,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
        found_key = 0;
        found = NULL;
+        auth_start_parse_options();
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                char *cp, *key_options = NULL, *fp = NULL;
                const char *reason = NULL;
@@ -921,6 +923,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
        if (key_cert_check_authority(key, 0, 1,
            use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
                goto fail_reason;
+        auth_start_parse_options();
        if (auth_cert_options(key, pw, &reason) != 0)
                goto fail_reason;
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:02 +0000
committer	Colin Watson <cjwatson@debian.org>	2017-03-29 01:39:47 +0100
commit	e08f96cf1105a3ee9a23de7102d593443e031e0c (patch)
tree	9c93015f3103621c06f793f2b35e040c08355fd4
parent	1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c (diff)