diff options
| -rw-r--r-- | auth-options.c | 35 | ||||
| -rw-r--r-- | auth-options.h | 1 | ||||
| -rw-r--r-- | auth2-pubkey.c | 3 |
3 files changed, 30 insertions, 9 deletions
diff --git a/auth-options.c b/auth-options.c index bed00eef0..ccdd0b20a 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -59,11 +59,22 @@ int forced_tun_device = -1; | |||
| 59 | /* "principals=" option. */ | 59 | /* "principals=" option. */ |
| 60 | char *authorized_principals = NULL; | 60 | char *authorized_principals = NULL; |
| 61 | 61 | ||
| 62 | /* Throttle log messages. */ | ||
| 63 | int logged_from_hostip = 0; | ||
| 64 | int logged_cert_hostip = 0; | ||
| 65 | |||
| 62 | extern ServerOptions options; | 66 | extern ServerOptions options; |
| 63 | 67 | ||
| 64 | /* XXX refactor to be stateless */ | 68 | /* XXX refactor to be stateless */ |
| 65 | 69 | ||
| 66 | void | 70 | void |
| 71 | auth_start_parse_options(void) | ||
| 72 | { | ||
| 73 | logged_from_hostip = 0; | ||
| 74 | logged_cert_hostip = 0; | ||
| 75 | } | ||
| 76 | |||
| 77 | void | ||
| 67 | auth_clear_options(void) | 78 | auth_clear_options(void) |
| 68 | { | 79 | { |
| 69 | struct ssh *ssh = active_state; /* XXX */ | 80 | struct ssh *ssh = active_state; /* XXX */ |
| @@ -322,10 +333,13 @@ auth_parse_options(struct passwd *pw, char *opts, const char *file, | |||
| 322 | /* FALLTHROUGH */ | 333 | /* FALLTHROUGH */ |
| 323 | case 0: | 334 | case 0: |
| 324 | free(patterns); | 335 | free(patterns); |
| 325 | logit("Authentication tried for %.100s with " | 336 | if (!logged_from_hostip) { |
| 326 | "correct key but not from a permitted " | 337 | logit("Authentication tried for %.100s with " |
| 327 | "host (host=%.200s, ip=%.200s).", | 338 | "correct key but not from a permitted " |
| 328 | pw->pw_name, remote_host, remote_ip); | 339 | "host (host=%.200s, ip=%.200s).", |
| 340 | pw->pw_name, remote_host, remote_ip); | ||
| 341 | logged_from_hostip = 1; | ||
| 342 | } | ||
| 329 | auth_debug_add("Your host '%.200s' is not " | 343 | auth_debug_add("Your host '%.200s' is not " |
| 330 | "permitted to use this key for login.", | 344 | "permitted to use this key for login.", |
| 331 | remote_host); | 345 | remote_host); |
| @@ -549,11 +563,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
| 549 | break; | 563 | break; |
| 550 | case 0: | 564 | case 0: |
| 551 | /* no match */ | 565 | /* no match */ |
| 552 | logit("Authentication tried for %.100s " | 566 | if (!logged_cert_hostip) { |
| 553 | "with valid certificate but not " | 567 | logit("Authentication tried for %.100s " |
| 554 | "from a permitted host " | 568 | "with valid certificate but not " |
| 555 | "(ip=%.200s).", pw->pw_name, | 569 | "from a permitted host " |
| 556 | remote_ip); | 570 | "(ip=%.200s).", pw->pw_name, |
| 571 | remote_ip); | ||
| 572 | logged_cert_hostip = 1; | ||
| 573 | } | ||
| 557 | auth_debug_add("Your address '%.200s' " | 574 | auth_debug_add("Your address '%.200s' " |
| 558 | "is not permitted to use this " | 575 | "is not permitted to use this " |
| 559 | "certificate for login.", | 576 | "certificate for login.", |
diff --git a/auth-options.h b/auth-options.h index 547f01635..4de0f14dc 100644 --- a/auth-options.h +++ b/auth-options.h | |||
| @@ -33,6 +33,7 @@ extern int forced_tun_device; | |||
| 33 | extern int key_is_cert_authority; | 33 | extern int key_is_cert_authority; |
| 34 | extern char *authorized_principals; | 34 | extern char *authorized_principals; |
| 35 | 35 | ||
| 36 | void auth_start_parse_options(void); | ||
| 36 | int auth_parse_options(struct passwd *, char *, const char *, u_long); | 37 | int auth_parse_options(struct passwd *, char *, const char *, u_long); |
| 37 | void auth_clear_options(void); | 38 | void auth_clear_options(void); |
| 38 | int auth_cert_options(struct sshkey *, struct passwd *, const char **); | 39 | int auth_cert_options(struct sshkey *, struct passwd *, const char **); |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 169839b01..43f880b6b 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -269,6 +269,7 @@ process_principals(FILE *f, const char *file, struct passwd *pw, | |||
| 269 | u_long linenum = 0; | 269 | u_long linenum = 0; |
| 270 | u_int i, found_principal = 0; | 270 | u_int i, found_principal = 0; |
| 271 | 271 | ||
| 272 | auth_start_parse_options(); | ||
| 272 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 273 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
| 273 | /* Always consume entire input */ | 274 | /* Always consume entire input */ |
| 274 | if (found_principal) | 275 | if (found_principal) |
| @@ -471,6 +472,7 @@ check_authkeys_file(FILE *f, char *file, struct sshkey *key, struct passwd *pw) | |||
| 471 | u_long linenum = 0; | 472 | u_long linenum = 0; |
| 472 | struct sshkey *found = NULL; | 473 | struct sshkey *found = NULL; |
| 473 | 474 | ||
| 475 | auth_start_parse_options(); | ||
| 474 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 476 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
| 475 | char *cp, *key_options = NULL, *fp = NULL; | 477 | char *cp, *key_options = NULL, *fp = NULL; |
| 476 | const char *reason = NULL; | 478 | const char *reason = NULL; |
| @@ -624,6 +626,7 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key) | |||
| 624 | if (sshkey_cert_check_authority(key, 0, 1, | 626 | if (sshkey_cert_check_authority(key, 0, 1, |
| 625 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) | 627 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) |
| 626 | goto fail_reason; | 628 | goto fail_reason; |
| 629 | auth_start_parse_options(); | ||
| 627 | if (auth_cert_options(key, pw, &reason) != 0) | 630 | if (auth_cert_options(key, pw, &reason) != 0) |
| 628 | goto fail_reason; | 631 | goto fail_reason; |
| 629 | 632 | ||