summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--auth-options.c35
-rw-r--r--auth-options.h1
-rw-r--r--auth-rsa.c2
-rw-r--r--auth2-pubkey.c3
4 files changed, 32 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c
index 12e2e1dca..15c00d048 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
58/* "principals=" option. */ 58/* "principals=" option. */
59char *authorized_principals = NULL; 59char *authorized_principals = NULL;
60 60
61/* Throttle log messages. */
62int logged_from_hostip = 0;
63int logged_cert_hostip = 0;
64
61extern ServerOptions options; 65extern ServerOptions options;
62 66
63void 67void
68auth_start_parse_options(void)
69{
70 logged_from_hostip = 0;
71 logged_cert_hostip = 0;
72}
73
74void
64auth_clear_options(void) 75auth_clear_options(void)
65{ 76{
66 no_agent_forwarding_flag = 0; 77 no_agent_forwarding_flag = 0;
@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
288 /* FALLTHROUGH */ 299 /* FALLTHROUGH */
289 case 0: 300 case 0:
290 free(patterns); 301 free(patterns);
291 logit("Authentication tried for %.100s with " 302 if (!logged_from_hostip) {
292 "correct key but not from a permitted " 303 logit("Authentication tried for %.100s with "
293 "host (host=%.200s, ip=%.200s).", 304 "correct key but not from a permitted "
294 pw->pw_name, remote_host, remote_ip); 305 "host (host=%.200s, ip=%.200s).",
306 pw->pw_name, remote_host, remote_ip);
307 logged_from_hostip = 1;
308 }
295 auth_debug_add("Your host '%.200s' is not " 309 auth_debug_add("Your host '%.200s' is not "
296 "permitted to use this key for login.", 310 "permitted to use this key for login.",
297 remote_host); 311 remote_host);
@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
513 break; 527 break;
514 case 0: 528 case 0:
515 /* no match */ 529 /* no match */
516 logit("Authentication tried for %.100s " 530 if (!logged_cert_hostip) {
517 "with valid certificate but not " 531 logit("Authentication tried for %.100s "
518 "from a permitted host " 532 "with valid certificate but not "
519 "(ip=%.200s).", pw->pw_name, 533 "from a permitted host "
520 remote_ip); 534 "(ip=%.200s).", pw->pw_name,
535 remote_ip);
536 logged_cert_hostip = 1;
537 }
521 auth_debug_add("Your address '%.200s' " 538 auth_debug_add("Your address '%.200s' "
522 "is not permitted to use this " 539 "is not permitted to use this "
523 "certificate for login.", 540 "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 7455c9454..a3f0a02da 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
33extern int key_is_cert_authority; 33extern int key_is_cert_authority;
34extern char *authorized_principals; 34extern char *authorized_principals;
35 35
36void auth_start_parse_options(void);
36int auth_parse_options(struct passwd *, char *, char *, u_long); 37int auth_parse_options(struct passwd *, char *, char *, u_long);
37void auth_clear_options(void); 38void auth_clear_options(void);
38int auth_cert_options(Key *, struct passwd *); 39int auth_cert_options(Key *, struct passwd *);
diff --git a/auth-rsa.c b/auth-rsa.c
index 545aa496a..4624c1597 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
174 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 174 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
175 return 0; 175 return 0;
176 176
177 auth_start_parse_options();
178
177 /* 179 /*
178 * Go though the accepted keys, looking for the current key. If 180 * Go though the accepted keys, looking for the current key. If
179 * found, perform a challenge-response dialog to verify that the 181 * found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2b3ecb104..4d87f4867 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
257 restore_uid(); 257 restore_uid();
258 return 0; 258 return 0;
259 } 259 }
260 auth_start_parse_options();
260 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 261 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
261 /* Skip leading whitespace. */ 262 /* Skip leading whitespace. */
262 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 263 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
318 found_key = 0; 319 found_key = 0;
319 320
320 found = NULL; 321 found = NULL;
322 auth_start_parse_options();
321 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 323 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
322 char *cp, *key_options = NULL; 324 char *cp, *key_options = NULL;
323 if (found != NULL) 325 if (found != NULL)
@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
453 if (key_cert_check_authority(key, 0, 1, 455 if (key_cert_check_authority(key, 0, 1,
454 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 456 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
455 goto fail_reason; 457 goto fail_reason;
458 auth_start_parse_options();
456 if (auth_cert_options(key, pw) != 0) 459 if (auth_cert_options(key, pw) != 0)
457 goto out; 460 goto out;
458 461