Quieten logs when multiple from= restrictions are used in different

authorized_keys lines for the same key; it's still not ideal, but at least you'll only get one log entry per key (closes: #630606).
author: Colin Watson <cjwatson@debian.org> 2011-07-28 14:32:20 +0100
committer: Colin Watson <cjwatson@debian.org> 2011-07-28 14:32:20 +0100
commit: 7a15b74572af22c2642ce0b125a90f35a92a10b4 (patch)
tree: 5a93c65cbc21e3657703863169a17390da156e6b /debian/patches/auth-log-verbosity.patch
parent: b231e29fdc2c76309619e2fbc45e5779df4fe147 (diff)
1 files changed, 123 insertions, 0 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
new file mode 100644
index 000000000..7aea6690d
--- /dev/null
+++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
+Description: Quieten logs when multiple from= restrictions are used
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2011-07-28
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
+++ b/auth-options.c
+@@ -58,9 +58,20 @@
+ /* "principals=" option. */
+ char *authorized_principals = NULL;
+ 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
+ extern ServerOptions options;
+ 
+ void
+auth_start_parse_options(void)
+{
+       logged_from_hostip = 0;
+       logged_cert_hostip = 0;
+}
+
+void
+ auth_clear_options(void)
+ {
+        no_agent_forwarding_flag = 0;
+@@ -288,10 +299,13 @@
+                                /* FALLTHROUGH */
+                        case 0:
+                                xfree(patterns);
+-                               logit("Authentication tried for %.100s with "
+-                                   "correct key but not from a permitted "
+-                                   "host (host=%.200s, ip=%.200s).",
+-                                   pw->pw_name, remote_host, remote_ip);
+                               if (!logged_from_hostip) {
+                                       logit("Authentication tried for %.100s with "
+                                           "correct key but not from a permitted "
+                                           "host (host=%.200s, ip=%.200s).",
+                                           pw->pw_name, remote_host, remote_ip);
+                                       logged_from_hostip = 1;
+                               }
+                                auth_debug_add("Your host '%.200s' is not "
+                                    "permitted to use this key for login.",
+                                    remote_host);
+@@ -526,11 +540,14 @@
+                                        break;
+                                case 0:
+                                        /* no match */
+-                                       logit("Authentication tried for %.100s "
+-                                           "with valid certificate but not "
+-                                           "from a permitted host "
+-                                           "(ip=%.200s).", pw->pw_name,
+-                                           remote_ip);
+                                       if (!logged_cert_hostip) {
+                                               logit("Authentication tried for %.100s "
+                                                   "with valid certificate but not "
+                                                   "from a permitted host "
+                                                   "(ip=%.200s).", pw->pw_name,
+                                                   remote_ip);
+                                               logged_cert_hostip = 1;
+                                       }
+                                        auth_debug_add("Your address '%.200s' "
+                                            "is not permitted to use this "
+                                            "certificate for login.",
+Index: b/auth-options.h
+===================================================================
+--- a/auth-options.h
+++ b/auth-options.h
+@@ -33,6 +33,7 @@
+ extern int key_is_cert_authority;
+ extern char *authorized_principals;
+ 
+void   auth_start_parse_options(void);
+ int    auth_parse_options(struct passwd *, char *, char *, u_long);
+ void   auth_clear_options(void);
+ int    auth_cert_options(Key *, struct passwd *);
+Index: b/auth-rsa.c
+===================================================================
+--- a/auth-rsa.c
+++ b/auth-rsa.c
+@@ -193,6 +193,8 @@
+ 
+        key = key_new(KEY_RSA1);
+ 
+       auth_start_parse_options();
+
+        /*
+         * Go though the accepted keys, looking for the current key.  If
+         * found, perform a challenge-response dialog to verify that the
+Index: b/auth2-pubkey.c
+===================================================================
+--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
+@@ -211,6 +211,7 @@
+                restore_uid();
+                return 0;
+        }
+       auth_start_parse_options();
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                /* Skip leading whitespace. */
+                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+@@ -280,6 +281,8 @@
+        found_key = 0;
+        found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+ 
+       auth_start_parse_options();
+
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                char *cp, *key_options = NULL;
+ 
+@@ -416,6 +419,7 @@
+        if (key_cert_check_authority(key, 0, 1,
+            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+                goto fail_reason;
+       auth_start_parse_options();
+        if (auth_cert_options(key, pw) != 0)
+                goto out;
+
author	Colin Watson <cjwatson@debian.org>	2011-07-28 14:32:20 +0100
committer	Colin Watson <cjwatson@debian.org>	2011-07-28 14:32:20 +0100
commit	7a15b74572af22c2642ce0b125a90f35a92a10b4 (patch)
tree	5a93c65cbc21e3657703863169a17390da156e6b /debian/patches/auth-log-verbosity.patch
parent	b231e29fdc2c76309619e2fbc45e5779df4fe147 (diff)

diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch new file mode 100644 index 000000000..7aea6690d --- /dev/null +++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
	1	Description: Quieten logs when multiple from= restrictions are used
	2	Author: Colin Watson <cjwatson@debian.org>
	3	Bug-Debian: http://bugs.debian.org/630606
	4	Forwarded: no
	5	Last-Update: 2011-07-28
	6
	7	Index: b/auth-options.c
	8	===================================================================
	9	--- a/auth-options.c
	10	+++ b/auth-options.c
	11	@@ -58,9 +58,20 @@
	12	/* "principals=" option. */
	13	char *authorized_principals = NULL;
	14
	15	+/* Throttle log messages. */
	16	+int logged_from_hostip = 0;
	17	+int logged_cert_hostip = 0;
	18	+
	19	extern ServerOptions options;
	20
	21	void
	22	+auth_start_parse_options(void)
	23	+{
	24	+ logged_from_hostip = 0;
	25	+ logged_cert_hostip = 0;
	26	+}
	27	+
	28	+void
	29	auth_clear_options(void)
	30	{
	31	no_agent_forwarding_flag = 0;
	32	@@ -288,10 +299,13 @@
	33	/* FALLTHROUGH */
	34	case 0:
	35	xfree(patterns);
	36	- logit("Authentication tried for %.100s with "
	37	- "correct key but not from a permitted "
	38	- "host (host=%.200s, ip=%.200s).",
	39	- pw->pw_name, remote_host, remote_ip);
	40	+ if (!logged_from_hostip) {
	41	+ logit("Authentication tried for %.100s with "
	42	+ "correct key but not from a permitted "
	43	+ "host (host=%.200s, ip=%.200s).",
	44	+ pw->pw_name, remote_host, remote_ip);
	45	+ logged_from_hostip = 1;
	46	+ }
	47	auth_debug_add("Your host '%.200s' is not "
	48	"permitted to use this key for login.",
	49	remote_host);
	50	@@ -526,11 +540,14 @@
	51	break;
	52	case 0:
	53	/* no match */
	54	- logit("Authentication tried for %.100s "
	55	- "with valid certificate but not "
	56	- "from a permitted host "
	57	- "(ip=%.200s).", pw->pw_name,
	58	- remote_ip);
	59	+ if (!logged_cert_hostip) {
	60	+ logit("Authentication tried for %.100s "
	61	+ "with valid certificate but not "
	62	+ "from a permitted host "
	63	+ "(ip=%.200s).", pw->pw_name,
	64	+ remote_ip);
	65	+ logged_cert_hostip = 1;
	66	+ }
	67	auth_debug_add("Your address '%.200s' "
	68	"is not permitted to use this "
	69	"certificate for login.",
	70	Index: b/auth-options.h
	71	===================================================================
	72	--- a/auth-options.h
	73	+++ b/auth-options.h
	74	@@ -33,6 +33,7 @@
	75	extern int key_is_cert_authority;
	76	extern char *authorized_principals;
	77
	78	+void auth_start_parse_options(void);
	79	int auth_parse_options(struct passwd , char , char *, u_long);
	80	void auth_clear_options(void);
	81	int auth_cert_options(Key , struct passwd );
	82	Index: b/auth-rsa.c
	83	===================================================================
	84	--- a/auth-rsa.c
	85	+++ b/auth-rsa.c
	86	@@ -193,6 +193,8 @@
	87
	88	key = key_new(KEY_RSA1);
	89
	90	+ auth_start_parse_options();
	91	+
	92	/*
	93	* Go though the accepted keys, looking for the current key. If
	94	* found, perform a challenge-response dialog to verify that the
	95	Index: b/auth2-pubkey.c
	96	===================================================================
	97	--- a/auth2-pubkey.c
	98	+++ b/auth2-pubkey.c
	99	@@ -211,6 +211,7 @@
	100	restore_uid();
	101	return 0;
	102	}
	103	+ auth_start_parse_options();
	104	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
	105	/* Skip leading whitespace. */
	106	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
	107	@@ -280,6 +281,8 @@
	108	found_key = 0;
	109	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
	110
	111	+ auth_start_parse_options();
	112	+
	113	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
	114	char cp, key_options = NULL;
	115
	116	@@ -416,6 +419,7 @@
	117	if (key_cert_check_authority(key, 0, 1,
	118	principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
	119	goto fail_reason;
	120	+ auth_start_parse_options();
	121	if (auth_cert_options(key, pw) != 0)
	122	goto out;
	123