diff options
Diffstat (limited to 'debian/patches/auth-log-verbosity.patch')
-rw-r--r-- | debian/patches/auth-log-verbosity.patch | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch new file mode 100644 index 000000000..d025cf7eb --- /dev/null +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -0,0 +1,119 @@ | |||
1 | From f7088f0a3d04473cfdcf11fe6b084b81beb7041c Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 | ||
4 | Subject: Quieten logs when multiple from= restrictions are used | ||
5 | |||
6 | Bug-Debian: http://bugs.debian.org/630606 | ||
7 | Forwarded: no | ||
8 | Last-Update: 2013-09-14 | ||
9 | |||
10 | Patch-Name: auth-log-verbosity.patch | ||
11 | --- | ||
12 | auth-options.c | 35 ++++++++++++++++++++++++++--------- | ||
13 | auth-options.h | 1 + | ||
14 | auth2-pubkey.c | 3 +++ | ||
15 | 3 files changed, 30 insertions(+), 9 deletions(-) | ||
16 | |||
17 | diff --git a/auth-options.c b/auth-options.c | ||
18 | index 57b49f7f..7eb87b35 100644 | ||
19 | --- a/auth-options.c | ||
20 | +++ b/auth-options.c | ||
21 | @@ -59,9 +59,20 @@ int forced_tun_device = -1; | ||
22 | /* "principals=" option. */ | ||
23 | char *authorized_principals = NULL; | ||
24 | |||
25 | +/* Throttle log messages. */ | ||
26 | +int logged_from_hostip = 0; | ||
27 | +int logged_cert_hostip = 0; | ||
28 | + | ||
29 | extern ServerOptions options; | ||
30 | |||
31 | void | ||
32 | +auth_start_parse_options(void) | ||
33 | +{ | ||
34 | + logged_from_hostip = 0; | ||
35 | + logged_cert_hostip = 0; | ||
36 | +} | ||
37 | + | ||
38 | +void | ||
39 | auth_clear_options(void) | ||
40 | { | ||
41 | no_agent_forwarding_flag = 0; | ||
42 | @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | ||
43 | /* FALLTHROUGH */ | ||
44 | case 0: | ||
45 | free(patterns); | ||
46 | - logit("Authentication tried for %.100s with " | ||
47 | - "correct key but not from a permitted " | ||
48 | - "host (host=%.200s, ip=%.200s).", | ||
49 | - pw->pw_name, remote_host, remote_ip); | ||
50 | + if (!logged_from_hostip) { | ||
51 | + logit("Authentication tried for %.100s with " | ||
52 | + "correct key but not from a permitted " | ||
53 | + "host (host=%.200s, ip=%.200s).", | ||
54 | + pw->pw_name, remote_host, remote_ip); | ||
55 | + logged_from_hostip = 1; | ||
56 | + } | ||
57 | auth_debug_add("Your host '%.200s' is not " | ||
58 | "permitted to use this key for login.", | ||
59 | remote_host); | ||
60 | @@ -543,11 +557,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | ||
61 | break; | ||
62 | case 0: | ||
63 | /* no match */ | ||
64 | - logit("Authentication tried for %.100s " | ||
65 | - "with valid certificate but not " | ||
66 | - "from a permitted host " | ||
67 | - "(ip=%.200s).", pw->pw_name, | ||
68 | - remote_ip); | ||
69 | + if (!logged_cert_hostip) { | ||
70 | + logit("Authentication tried for %.100s " | ||
71 | + "with valid certificate but not " | ||
72 | + "from a permitted host " | ||
73 | + "(ip=%.200s).", pw->pw_name, | ||
74 | + remote_ip); | ||
75 | + logged_cert_hostip = 1; | ||
76 | + } | ||
77 | auth_debug_add("Your address '%.200s' " | ||
78 | "is not permitted to use this " | ||
79 | "certificate for login.", | ||
80 | diff --git a/auth-options.h b/auth-options.h | ||
81 | index 52cbb42a..82355276 100644 | ||
82 | --- a/auth-options.h | ||
83 | +++ b/auth-options.h | ||
84 | @@ -33,6 +33,7 @@ extern int forced_tun_device; | ||
85 | extern int key_is_cert_authority; | ||
86 | extern char *authorized_principals; | ||
87 | |||
88 | +void auth_start_parse_options(void); | ||
89 | int auth_parse_options(struct passwd *, char *, char *, u_long); | ||
90 | void auth_clear_options(void); | ||
91 | int auth_cert_options(struct sshkey *, struct passwd *, const char **); | ||
92 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c | ||
93 | index 20f3309e..add77136 100644 | ||
94 | --- a/auth2-pubkey.c | ||
95 | +++ b/auth2-pubkey.c | ||
96 | @@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, | ||
97 | u_long linenum = 0; | ||
98 | u_int i; | ||
99 | |||
100 | + auth_start_parse_options(); | ||
101 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | ||
102 | /* Skip leading whitespace. */ | ||
103 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | ||
104 | @@ -764,6 +765,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) | ||
105 | found_key = 0; | ||
106 | |||
107 | found = NULL; | ||
108 | + auth_start_parse_options(); | ||
109 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | ||
110 | char *cp, *key_options = NULL, *fp = NULL; | ||
111 | const char *reason = NULL; | ||
112 | @@ -911,6 +913,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | ||
113 | if (key_cert_check_authority(key, 0, 1, | ||
114 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) | ||
115 | goto fail_reason; | ||
116 | + auth_start_parse_options(); | ||
117 | if (auth_cert_options(key, pw, &reason) != 0) | ||
118 | goto fail_reason; | ||
119 | |||