1 files changed, 133 insertions, 0 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
new file mode 100644
index 000000000..dc82a6085
--- /dev/null
+++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,133 @@
+From bede2f8c8a352b57ae5188fe6d3e45c5a57892eb Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:02 +0000
+Subject: Quieten logs when multiple from= restrictions are used
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2013-09-14
+Patch-Name: auth-log-verbosity.patch
+---
+ auth-options.c | 35 ++++++++++++++++++++++++++---------
+ auth-options.h |  1 +
+ auth-rsa.c     |  2 ++
+ auth2-pubkey.c |  3 +++
+ 4 files changed, 32 insertions(+), 9 deletions(-)
+diff --git a/auth-options.c b/auth-options.c
+index e387697..f1e3ddf 100644
+--- a/auth-options.c
+++ b/auth-options.c
+@@ -58,9 +58,20 @@ int forced_tun_device = -1;
+ /* "principals=" option. */
+ char *authorized_principals = NULL;
+ 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
+ extern ServerOptions options;
+ 
+ void
+auth_start_parse_options(void)
+{
+       logged_from_hostip = 0;
+       logged_cert_hostip = 0;
+}
+
+void
+ auth_clear_options(void)
+ {
+        no_agent_forwarding_flag = 0;
+@@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
+                                /* FALLTHROUGH */
+                        case 0:
+                                free(patterns);
+-                               logit("Authentication tried for %.100s with "
+-                                   "correct key but not from a permitted "
+-                                   "host (host=%.200s, ip=%.200s).",
+-                                   pw->pw_name, remote_host, remote_ip);
+                               if (!logged_from_hostip) {
+                                       logit("Authentication tried for %.100s with "
+                                           "correct key but not from a permitted "
+                                           "host (host=%.200s, ip=%.200s).",
+                                           pw->pw_name, remote_host, remote_ip);
+                                       logged_from_hostip = 1;
+                               }
+                                auth_debug_add("Your host '%.200s' is not "
+                                    "permitted to use this key for login.",
+                                    remote_host);
+@@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
+                                        break;
+                                case 0:
+                                        /* no match */
+-                                       logit("Authentication tried for %.100s "
+-                                           "with valid certificate but not "
+-                                           "from a permitted host "
+-                                           "(ip=%.200s).", pw->pw_name,
+-                                           remote_ip);
+                                       if (!logged_cert_hostip) {
+                                               logit("Authentication tried for %.100s "
+                                                   "with valid certificate but not "
+                                                   "from a permitted host "
+                                                   "(ip=%.200s).", pw->pw_name,
+                                                   remote_ip);
+                                               logged_cert_hostip = 1;
+                                       }
+                                        auth_debug_add("Your address '%.200s' "
+                                            "is not permitted to use this "
+                                            "certificate for login.",
+diff --git a/auth-options.h b/auth-options.h
+index 34852e5..1653855 100644
+--- a/auth-options.h
+++ b/auth-options.h
+@@ -33,6 +33,7 @@ extern int forced_tun_device;
+ extern int key_is_cert_authority;
+ extern char *authorized_principals;
+ 
+void   auth_start_parse_options(void);
+ int    auth_parse_options(struct passwd *, char *, char *, u_long);
+ void   auth_clear_options(void);
+ int    auth_cert_options(struct sshkey *, struct passwd *);
+diff --git a/auth-rsa.c b/auth-rsa.c
+index cbd971b..4cf2163 100644
+--- a/auth-rsa.c
+++ b/auth-rsa.c
+@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
+        if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
+                return 0;
+ 
+       auth_start_parse_options();
+
+        /*
+         * Go though the accepted keys, looking for the current key.  If
+         * found, perform a challenge-response dialog to verify that the
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 5aa319c..1eee161 100644
+--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
+@@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
+        u_long linenum = 0;
+        u_int i;
+ 
+       auth_start_parse_options();
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                /* Skip leading whitespace. */
+                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+@@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+        found_key = 0;
+ 
+        found = NULL;
+       auth_start_parse_options();
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                char *cp, *key_options = NULL;
+                if (found != NULL)
+@@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
+        if (key_cert_check_authority(key, 0, 1,
+            use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
+                goto fail_reason;
+       auth_start_parse_options();
+        if (auth_cert_options(key, pw) != 0)
+                goto out;
+

diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch new file mode 100644 index 000000000..dc82a6085 --- /dev/null +++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,133 @@
	1	From bede2f8c8a352b57ae5188fe6d3e45c5a57892eb Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:02 +0000
	4	Subject: Quieten logs when multiple from= restrictions are used
	5
	6	Bug-Debian: http://bugs.debian.org/630606
	7	Forwarded: no
	8	Last-Update: 2013-09-14
	9
	10	Patch-Name: auth-log-verbosity.patch
	11	---
	12	auth-options.c \| 35 ++++++++++++++++++++++++++---------
	13	auth-options.h \| 1 +
	14	auth-rsa.c \| 2 ++
	15	auth2-pubkey.c \| 3 +++
	16	4 files changed, 32 insertions(+), 9 deletions(-)
	17
	18	diff --git a/auth-options.c b/auth-options.c
	19	index e387697..f1e3ddf 100644
	20	--- a/auth-options.c
	21	+++ b/auth-options.c
	22	@@ -58,9 +58,20 @@ int forced_tun_device = -1;
	23	/* "principals=" option. */
	24	char *authorized_principals = NULL;
	25
	26	+/* Throttle log messages. */
	27	+int logged_from_hostip = 0;
	28	+int logged_cert_hostip = 0;
	29	+
	30	extern ServerOptions options;
	31
	32	void
	33	+auth_start_parse_options(void)
	34	+{
	35	+ logged_from_hostip = 0;
	36	+ logged_cert_hostip = 0;
	37	+}
	38	+
	39	+void
	40	auth_clear_options(void)
	41	{
	42	no_agent_forwarding_flag = 0;
	43	@@ -293,10 +304,13 @@ auth_parse_options(struct passwd pw, char opts, char *file, u_long linenum)
	44	/* FALLTHROUGH */
	45	case 0:
	46	free(patterns);
	47	- logit("Authentication tried for %.100s with "
	48	- "correct key but not from a permitted "
	49	- "host (host=%.200s, ip=%.200s).",
	50	- pw->pw_name, remote_host, remote_ip);
	51	+ if (!logged_from_hostip) {
	52	+ logit("Authentication tried for %.100s with "
	53	+ "correct key but not from a permitted "
	54	+ "host (host=%.200s, ip=%.200s).",
	55	+ pw->pw_name, remote_host, remote_ip);
	56	+ logged_from_hostip = 1;
	57	+ }
	58	auth_debug_add("Your host '%.200s' is not "
	59	"permitted to use this key for login.",
	60	remote_host);
	61	@@ -519,11 +533,14 @@ parse_option_list(struct sshbuf oblob, struct passwd pw,
	62	break;
	63	case 0:
	64	/* no match */
	65	- logit("Authentication tried for %.100s "
	66	- "with valid certificate but not "
	67	- "from a permitted host "
	68	- "(ip=%.200s).", pw->pw_name,
	69	- remote_ip);
	70	+ if (!logged_cert_hostip) {
	71	+ logit("Authentication tried for %.100s "
	72	+ "with valid certificate but not "
	73	+ "from a permitted host "
	74	+ "(ip=%.200s).", pw->pw_name,
	75	+ remote_ip);
	76	+ logged_cert_hostip = 1;
	77	+ }
	78	auth_debug_add("Your address '%.200s' "
	79	"is not permitted to use this "
	80	"certificate for login.",
	81	diff --git a/auth-options.h b/auth-options.h
	82	index 34852e5..1653855 100644
	83	--- a/auth-options.h
	84	+++ b/auth-options.h
	85	@@ -33,6 +33,7 @@ extern int forced_tun_device;
	86	extern int key_is_cert_authority;
	87	extern char *authorized_principals;
	88
	89	+void auth_start_parse_options(void);
	90	int auth_parse_options(struct passwd , char , char *, u_long);
	91	void auth_clear_options(void);
	92	int auth_cert_options(struct sshkey , struct passwd );
	93	diff --git a/auth-rsa.c b/auth-rsa.c
	94	index cbd971b..4cf2163 100644
	95	--- a/auth-rsa.c
	96	+++ b/auth-rsa.c
	97	@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd pw, char file,
	98	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
	99	return 0;
	100
	101	+ auth_start_parse_options();
	102	+
	103	/*
	104	* Go though the accepted keys, looking for the current key. If
	105	* found, perform a challenge-response dialog to verify that the
	106	diff --git a/auth2-pubkey.c b/auth2-pubkey.c
	107	index 5aa319c..1eee161 100644
	108	--- a/auth2-pubkey.c
	109	+++ b/auth2-pubkey.c
	110	@@ -561,6 +561,7 @@ process_principals(FILE f, char file, struct passwd *pw,
	111	u_long linenum = 0;
	112	u_int i;
	113
	114	+ auth_start_parse_options();
	115	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
	116	/* Skip leading whitespace. */
	117	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
	118	@@ -726,6 +727,7 @@ check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw)
	119	found_key = 0;
	120
	121	found = NULL;
	122	+ auth_start_parse_options();
	123	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
	124	char cp, key_options = NULL;
	125	if (found != NULL)
	126	@@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd pw, Key key)
	127	if (key_cert_check_authority(key, 0, 1,
	128	use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
	129	goto fail_reason;
	130	+ auth_start_parse_options();
	131	if (auth_cert_options(key, pw) != 0)
	132	goto out;
	133