diff options
| author | Colin Watson <cjwatson@debian.org> | 2011-07-28 14:32:20 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2011-07-28 14:32:20 +0100 |
| commit | 7a15b74572af22c2642ce0b125a90f35a92a10b4 (patch) | |
| tree | 5a93c65cbc21e3657703863169a17390da156e6b /auth-options.c | |
| parent | b231e29fdc2c76309619e2fbc45e5779df4fe147 (diff) | |
Quieten logs when multiple from= restrictions are used in different
authorized_keys lines for the same key; it's still not ideal, but at
least you'll only get one log entry per key (closes: #630606).
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c index eae45cf2b..8d1ef0a18 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -58,9 +58,20 @@ int forced_tun_device = -1; | |||
| 58 | /* "principals=" option. */ | 58 | /* "principals=" option. */ |
| 59 | char *authorized_principals = NULL; | 59 | char *authorized_principals = NULL; |
| 60 | 60 | ||
| 61 | /* Throttle log messages. */ | ||
| 62 | int logged_from_hostip = 0; | ||
| 63 | int logged_cert_hostip = 0; | ||
| 64 | |||
| 61 | extern ServerOptions options; | 65 | extern ServerOptions options; |
| 62 | 66 | ||
| 63 | void | 67 | void |
| 68 | auth_start_parse_options(void) | ||
| 69 | { | ||
| 70 | logged_from_hostip = 0; | ||
| 71 | logged_cert_hostip = 0; | ||
| 72 | } | ||
| 73 | |||
| 74 | void | ||
| 64 | auth_clear_options(void) | 75 | auth_clear_options(void) |
| 65 | { | 76 | { |
| 66 | no_agent_forwarding_flag = 0; | 77 | no_agent_forwarding_flag = 0; |
| @@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 288 | /* FALLTHROUGH */ | 299 | /* FALLTHROUGH */ |
| 289 | case 0: | 300 | case 0: |
| 290 | xfree(patterns); | 301 | xfree(patterns); |
| 291 | logit("Authentication tried for %.100s with " | 302 | if (!logged_from_hostip) { |
| 292 | "correct key but not from a permitted " | 303 | logit("Authentication tried for %.100s with " |
| 293 | "host (host=%.200s, ip=%.200s).", | 304 | "correct key but not from a permitted " |
| 294 | pw->pw_name, remote_host, remote_ip); | 305 | "host (host=%.200s, ip=%.200s).", |
| 306 | pw->pw_name, remote_host, remote_ip); | ||
| 307 | logged_from_hostip = 1; | ||
| 308 | } | ||
| 295 | auth_debug_add("Your host '%.200s' is not " | 309 | auth_debug_add("Your host '%.200s' is not " |
| 296 | "permitted to use this key for login.", | 310 | "permitted to use this key for login.", |
| 297 | remote_host); | 311 | remote_host); |
| @@ -526,11 +540,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | |||
| 526 | break; | 540 | break; |
| 527 | case 0: | 541 | case 0: |
| 528 | /* no match */ | 542 | /* no match */ |
| 529 | logit("Authentication tried for %.100s " | 543 | if (!logged_cert_hostip) { |
| 530 | "with valid certificate but not " | 544 | logit("Authentication tried for %.100s " |
| 531 | "from a permitted host " | 545 | "with valid certificate but not " |
| 532 | "(ip=%.200s).", pw->pw_name, | 546 | "from a permitted host " |
| 533 | remote_ip); | 547 | "(ip=%.200s).", pw->pw_name, |
| 548 | remote_ip); | ||
| 549 | logged_cert_hostip = 1; | ||
| 550 | } | ||
| 534 | auth_debug_add("Your address '%.200s' " | 551 | auth_debug_add("Your address '%.200s' " |
| 535 | "is not permitted to use this " | 552 | "is not permitted to use this " |
| 536 | "certificate for login.", | 553 | "certificate for login.", |