7 files changed, 160 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c
index eae45cf2b..8d1ef0a18 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
 extern ServerOptions options;
 void
+auth_start_parse_options(void)
+{
+        logged_from_hostip = 0;
+        logged_cert_hostip = 0;
+}
+void
 auth_clear_options(void)
 {
        no_agent_forwarding_flag = 0;
@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                /* FALLTHROUGH */
                        case 0:
                                xfree(patterns);
-                                logit("Authentication tried for %.100s with "
+                                if (!logged_from_hostip) {
-                                    "correct key but not from a permitted "
+                                        logit("Authentication tried for %.100s with "
-                                    "host (host=%.200s, ip=%.200s).",
+                                            "correct key but not from a permitted "
-                                    pw->pw_name, remote_host, remote_ip);
+                                            "host (host=%.200s, ip=%.200s).",
+                                            pw->pw_name, remote_host, remote_ip);
+                                        logged_from_hostip = 1;
+                                }
                                auth_debug_add("Your host '%.200s' is not "
                                    "permitted to use this key for login.",
                                    remote_host);
@@ -526,11 +540,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
                                        break;
                                case 0:
                                        /* no match */
-                                        logit("Authentication tried for %.100s "
+                                        if (!logged_cert_hostip) {
-                                            "with valid certificate but not "
+                                                logit("Authentication tried for %.100s "
-                                            "from a permitted host "
+                                                    "with valid certificate but not "
-                                            "(ip=%.200s).", pw->pw_name,
+                                                    "from a permitted host "
-                                            remote_ip);
+                                                    "(ip=%.200s).", pw->pw_name,
+                                                    remote_ip);
+                                                logged_cert_hostip = 1;
+                                        }
                                        auth_debug_add("Your address '%.200s' "
                                            "is not permitted to use this "
                                            "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 7455c9454..a3f0a02da 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
 extern int key_is_cert_authority;
 extern char *authorized_principals;
+void    auth_start_parse_options(void);
 int     auth_parse_options(struct passwd *, char *, char *, u_long);
 void    auth_clear_options(void);
 int     auth_cert_options(Key *, struct passwd *);
diff --git a/auth-rsa.c b/auth-rsa.c
index 323e875b8..ec32c803f 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -193,6 +193,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
        key = key_new(KEY_RSA1);
+        auth_start_parse_options();
        /*
         * Go though the accepted keys, looking for the current key.  If
         * found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 62a553612..dbf0d0d22 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -211,6 +211,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
                restore_uid();
                return 0;
        }
+        auth_start_parse_options();
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                /* Skip leading whitespace. */
                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -280,6 +281,8 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
        found_key = 0;
        found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+        auth_start_parse_options();
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                char *cp, *key_options = NULL;
@@ -416,6 +419,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
        if (key_cert_check_authority(key, 0, 1,
            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
                goto fail_reason;
+        auth_start_parse_options();
        if (auth_cert_options(key, pw) != 0)
                goto out;
diff --git a/debian/changelog b/debian/changelog
index 8d48ee108..3fd5cf016 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:5.8p1-6) UNRELEASED; urgency=low
  * openssh-client and openssh-server Suggests: monkeysphere.
+  * Quieten logs when multiple from= restrictions are used in different
+    authorized_keys lines for the same key; it's still not ideal, but at
+    least you'll only get one log entry per key (closes: #630606).
 -- Colin Watson <cjwatson@debian.org>  Thu, 28 Jul 2011 11:57:27 +0100
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
new file mode 100644
index 000000000..7aea6690d
--- /dev/null
+++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
+Description: Quieten logs when multiple from= restrictions are used
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2011-07-28
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
+++ b/auth-options.c
+@@ -58,9 +58,20 @@
+ /* "principals=" option. */
+ char *authorized_principals = NULL;
+ 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
+ extern ServerOptions options;
+ 
+ void
+auth_start_parse_options(void)
+{
+       logged_from_hostip = 0;
+       logged_cert_hostip = 0;
+}
+
+void
+ auth_clear_options(void)
+ {
+        no_agent_forwarding_flag = 0;
+@@ -288,10 +299,13 @@
+                                /* FALLTHROUGH */
+                        case 0:
+                                xfree(patterns);
+-                               logit("Authentication tried for %.100s with "
+-                                   "correct key but not from a permitted "
+-                                   "host (host=%.200s, ip=%.200s).",
+-                                   pw->pw_name, remote_host, remote_ip);
+                               if (!logged_from_hostip) {
+                                       logit("Authentication tried for %.100s with "
+                                           "correct key but not from a permitted "
+                                           "host (host=%.200s, ip=%.200s).",
+                                           pw->pw_name, remote_host, remote_ip);
+                                       logged_from_hostip = 1;
+                               }
+                                auth_debug_add("Your host '%.200s' is not "
+                                    "permitted to use this key for login.",
+                                    remote_host);
+@@ -526,11 +540,14 @@
+                                        break;
+                                case 0:
+                                        /* no match */
+-                                       logit("Authentication tried for %.100s "
+-                                           "with valid certificate but not "
+-                                           "from a permitted host "
+-                                           "(ip=%.200s).", pw->pw_name,
+-                                           remote_ip);
+                                       if (!logged_cert_hostip) {
+                                               logit("Authentication tried for %.100s "
+                                                   "with valid certificate but not "
+                                                   "from a permitted host "
+                                                   "(ip=%.200s).", pw->pw_name,
+                                                   remote_ip);
+                                               logged_cert_hostip = 1;
+                                       }
+                                        auth_debug_add("Your address '%.200s' "
+                                            "is not permitted to use this "
+                                            "certificate for login.",
+Index: b/auth-options.h
+===================================================================
+--- a/auth-options.h
+++ b/auth-options.h
+@@ -33,6 +33,7 @@
+ extern int key_is_cert_authority;
+ extern char *authorized_principals;
+ 
+void   auth_start_parse_options(void);
+ int    auth_parse_options(struct passwd *, char *, char *, u_long);
+ void   auth_clear_options(void);
+ int    auth_cert_options(Key *, struct passwd *);
+Index: b/auth-rsa.c
+===================================================================
+--- a/auth-rsa.c
+++ b/auth-rsa.c
+@@ -193,6 +193,8 @@
+ 
+        key = key_new(KEY_RSA1);
+ 
+       auth_start_parse_options();
+
+        /*
+         * Go though the accepted keys, looking for the current key.  If
+         * found, perform a challenge-response dialog to verify that the
+Index: b/auth2-pubkey.c
+===================================================================
+--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
+@@ -211,6 +211,7 @@
+                restore_uid();
+                return 0;
+        }
+       auth_start_parse_options();
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                /* Skip leading whitespace. */
+                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+@@ -280,6 +281,8 @@
+        found_key = 0;
+        found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+ 
+       auth_start_parse_options();
+
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                char *cp, *key_options = NULL;
+ 
+@@ -416,6 +419,7 @@
+        if (key_cert_check_authority(key, 0, 1,
+            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+                goto fail_reason;
+       auth_start_parse_options();
+        if (auth_cert_options(key, pw) != 0)
+                goto out;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 01ef70076..3450e4c55 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ doc-hash-tab-completion.patch
 selinux-build-failure.patch
 ssh-add-fifo.patch
 hostbased-ecdsa.patch
+auth-log-verbosity.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch

diff --git a/auth-options.c b/auth-options.c index eae45cf2b..8d1ef0a18 100644 --- a/auth-options.c +++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
58	/* "principals=" option. */	58	/* "principals=" option. */
59	char *authorized_principals = NULL;	59	char *authorized_principals = NULL;
60		60
		61	/* Throttle log messages. */
		62	int logged_from_hostip = 0;
		63	int logged_cert_hostip = 0;
		64
61	extern ServerOptions options;	65	extern ServerOptions options;
62		66
63	void	67	void
		68	auth_start_parse_options(void)
		69	{
		70	logged_from_hostip = 0;
		71	logged_cert_hostip = 0;
		72	}
		73
		74	void
64	auth_clear_options(void)	75	auth_clear_options(void)
65	{	76	{
66	no_agent_forwarding_flag = 0;	77	no_agent_forwarding_flag = 0;
@@ -288,10 +299,13 @@ auth_parse_options(struct passwd pw, char opts, char *file, u_long linenum)
288	/* FALLTHROUGH */	299	/* FALLTHROUGH */
289	case 0:	300	case 0:
290	xfree(patterns);	301	xfree(patterns);
291	logit("Authentication tried for %.100s with "	302	if (!logged_from_hostip) {
292	"correct key but not from a permitted "	303	logit("Authentication tried for %.100s with "
293	"host (host=%.200s, ip=%.200s).",	304	"correct key but not from a permitted "
294	pw->pw_name, remote_host, remote_ip);	305	"host (host=%.200s, ip=%.200s).",
		306	pw->pw_name, remote_host, remote_ip);
		307	logged_from_hostip = 1;
		308	}
295	auth_debug_add("Your host '%.200s' is not "	309	auth_debug_add("Your host '%.200s' is not "
296	"permitted to use this key for login.",	310	"permitted to use this key for login.",
297	remote_host);	311	remote_host);
@@ -526,11 +540,14 @@ parse_option_list(u_char optblob, size_t optblob_len, struct passwd pw,
526	break;	540	break;
527	case 0:	541	case 0:
528	/* no match */	542	/* no match */
529	logit("Authentication tried for %.100s "	543	if (!logged_cert_hostip) {
530	"with valid certificate but not "	544	logit("Authentication tried for %.100s "
531	"from a permitted host "	545	"with valid certificate but not "
532	"(ip=%.200s).", pw->pw_name,	546	"from a permitted host "
533	remote_ip);	547	"(ip=%.200s).", pw->pw_name,
		548	remote_ip);
		549	logged_cert_hostip = 1;
		550	}
534	auth_debug_add("Your address '%.200s' "	551	auth_debug_add("Your address '%.200s' "
535	"is not permitted to use this "	552	"is not permitted to use this "
536	"certificate for login.",	553	"certificate for login.",


diff --git a/auth-options.h b/auth-options.h index 7455c9454..a3f0a02da 100644 --- a/auth-options.h +++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
33	extern int key_is_cert_authority;	33	extern int key_is_cert_authority;
34	extern char *authorized_principals;	34	extern char *authorized_principals;
35		35
		36	void auth_start_parse_options(void);
36	int auth_parse_options(struct passwd , char , char *, u_long);	37	int auth_parse_options(struct passwd , char , char *, u_long);
37	void auth_clear_options(void);	38	void auth_clear_options(void);
38	int auth_cert_options(Key , struct passwd );	39	int auth_cert_options(Key , struct passwd );


diff --git a/auth-rsa.c b/auth-rsa.c index 323e875b8..ec32c803f 100644 --- a/auth-rsa.c +++ b/auth-rsa.c
@@ -193,6 +193,8 @@ auth_rsa_key_allowed(struct passwd pw, BIGNUM client_n, Key **rkey)
193		193
194	key = key_new(KEY_RSA1);	194	key = key_new(KEY_RSA1);
195		195
		196	auth_start_parse_options();
		197
196	/*	198	/*
197	* Go though the accepted keys, looking for the current key. If	199	* Go though the accepted keys, looking for the current key. If
198	* found, perform a challenge-response dialog to verify that the	200	* found, perform a challenge-response dialog to verify that the


diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 62a553612..dbf0d0d22 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -211,6 +211,7 @@ match_principals_file(char file, struct passwd pw, struct KeyCert *cert)
211	restore_uid();	211	restore_uid();
212	return 0;	212	return 0;
213	}	213	}
		214	auth_start_parse_options();
214	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {	215	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
215	/* Skip leading whitespace. */	216	/* Skip leading whitespace. */
216	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)	217	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
@@ -280,6 +281,8 @@ user_key_allowed2(struct passwd pw, Key key, char *file)
280	found_key = 0;	281	found_key = 0;
281	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);	282	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
282		283
		284	auth_start_parse_options();
		285
283	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {	286	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
284	char cp, key_options = NULL;	287	char cp, key_options = NULL;
285		288
@@ -416,6 +419,7 @@ user_cert_trusted_ca(struct passwd pw, Key key)
416	if (key_cert_check_authority(key, 0, 1,	419	if (key_cert_check_authority(key, 0, 1,
417	principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)	420	principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
418	goto fail_reason;	421	goto fail_reason;
		422	auth_start_parse_options();
419	if (auth_cert_options(key, pw) != 0)	423	if (auth_cert_options(key, pw) != 0)
420	goto out;	424	goto out;
421		425


diff --git a/debian/changelog b/debian/changelog index 8d48ee108..3fd5cf016 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,6 +1,9 @@
1	openssh (1:5.8p1-6) UNRELEASED; urgency=low	1	openssh (1:5.8p1-6) UNRELEASED; urgency=low
2		2
3	* openssh-client and openssh-server Suggests: monkeysphere.	3	* openssh-client and openssh-server Suggests: monkeysphere.
		4	* Quieten logs when multiple from= restrictions are used in different
		5	authorized_keys lines for the same key; it's still not ideal, but at
		6	least you'll only get one log entry per key (closes: #630606).
4		7
5	-- Colin Watson <cjwatson@debian.org> Thu, 28 Jul 2011 11:57:27 +0100	8	-- Colin Watson <cjwatson@debian.org> Thu, 28 Jul 2011 11:57:27 +0100
6		9


diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch new file mode 100644 index 000000000..7aea6690d --- /dev/null +++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
		1	Description: Quieten logs when multiple from= restrictions are used
		2	Author: Colin Watson <cjwatson@debian.org>
		3	Bug-Debian: http://bugs.debian.org/630606
		4	Forwarded: no
		5	Last-Update: 2011-07-28
		6
		7	Index: b/auth-options.c
		8	===================================================================
		9	--- a/auth-options.c
		10	+++ b/auth-options.c
		11	@@ -58,9 +58,20 @@
		12	/* "principals=" option. */
		13	char *authorized_principals = NULL;
		14
		15	+/* Throttle log messages. */
		16	+int logged_from_hostip = 0;
		17	+int logged_cert_hostip = 0;
		18	+
		19	extern ServerOptions options;
		20
		21	void
		22	+auth_start_parse_options(void)
		23	+{
		24	+ logged_from_hostip = 0;
		25	+ logged_cert_hostip = 0;
		26	+}
		27	+
		28	+void
		29	auth_clear_options(void)
		30	{
		31	no_agent_forwarding_flag = 0;
		32	@@ -288,10 +299,13 @@
		33	/* FALLTHROUGH */
		34	case 0:
		35	xfree(patterns);
		36	- logit("Authentication tried for %.100s with "
		37	- "correct key but not from a permitted "
		38	- "host (host=%.200s, ip=%.200s).",
		39	- pw->pw_name, remote_host, remote_ip);
		40	+ if (!logged_from_hostip) {
		41	+ logit("Authentication tried for %.100s with "
		42	+ "correct key but not from a permitted "
		43	+ "host (host=%.200s, ip=%.200s).",
		44	+ pw->pw_name, remote_host, remote_ip);
		45	+ logged_from_hostip = 1;
		46	+ }
		47	auth_debug_add("Your host '%.200s' is not "
		48	"permitted to use this key for login.",
		49	remote_host);
		50	@@ -526,11 +540,14 @@
		51	break;
		52	case 0:
		53	/* no match */
		54	- logit("Authentication tried for %.100s "
		55	- "with valid certificate but not "
		56	- "from a permitted host "
		57	- "(ip=%.200s).", pw->pw_name,
		58	- remote_ip);
		59	+ if (!logged_cert_hostip) {
		60	+ logit("Authentication tried for %.100s "
		61	+ "with valid certificate but not "
		62	+ "from a permitted host "
		63	+ "(ip=%.200s).", pw->pw_name,
		64	+ remote_ip);
		65	+ logged_cert_hostip = 1;
		66	+ }
		67	auth_debug_add("Your address '%.200s' "
		68	"is not permitted to use this "
		69	"certificate for login.",
		70	Index: b/auth-options.h
		71	===================================================================
		72	--- a/auth-options.h
		73	+++ b/auth-options.h
		74	@@ -33,6 +33,7 @@
		75	extern int key_is_cert_authority;
		76	extern char *authorized_principals;
		77
		78	+void auth_start_parse_options(void);
		79	int auth_parse_options(struct passwd , char , char *, u_long);
		80	void auth_clear_options(void);
		81	int auth_cert_options(Key , struct passwd );
		82	Index: b/auth-rsa.c
		83	===================================================================
		84	--- a/auth-rsa.c
		85	+++ b/auth-rsa.c
		86	@@ -193,6 +193,8 @@
		87
		88	key = key_new(KEY_RSA1);
		89
		90	+ auth_start_parse_options();
		91	+
		92	/*
		93	* Go though the accepted keys, looking for the current key. If
		94	* found, perform a challenge-response dialog to verify that the
		95	Index: b/auth2-pubkey.c
		96	===================================================================
		97	--- a/auth2-pubkey.c
		98	+++ b/auth2-pubkey.c
		99	@@ -211,6 +211,7 @@
		100	restore_uid();
		101	return 0;
		102	}
		103	+ auth_start_parse_options();
		104	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		105	/* Skip leading whitespace. */
		106	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
		107	@@ -280,6 +281,8 @@
		108	found_key = 0;
		109	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
		110
		111	+ auth_start_parse_options();
		112	+
		113	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		114	char cp, key_options = NULL;
		115
		116	@@ -416,6 +419,7 @@
		117	if (key_cert_check_authority(key, 0, 1,
		118	principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
		119	goto fail_reason;
		120	+ auth_start_parse_options();
		121	if (auth_cert_options(key, pw) != 0)
		122	goto out;
		123


diff --git a/debian/patches/series b/debian/patches/series index 01ef70076..3450e4c55 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -40,6 +40,7 @@ doc-hash-tab-completion.patch
40	selinux-build-failure.patch	40	selinux-build-failure.patch
41	ssh-add-fifo.patch	41	ssh-add-fifo.patch
42	hostbased-ecdsa.patch	42	hostbased-ecdsa.patch
		43	auth-log-verbosity.patch
43		44
44	# Debian-specific configuration	45	# Debian-specific configuration
45	gnome-ssh-askpass2-icon.patch	46	gnome-ssh-askpass2-icon.patch