3 files changed, 127 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 8d48ee108..3fd5cf016 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:5.8p1-6) UNRELEASED; urgency=low
  * openssh-client and openssh-server Suggests: monkeysphere.
+  * Quieten logs when multiple from= restrictions are used in different
+    authorized_keys lines for the same key; it's still not ideal, but at
+    least you'll only get one log entry per key (closes: #630606).
 -- Colin Watson <cjwatson@debian.org>  Thu, 28 Jul 2011 11:57:27 +0100
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
new file mode 100644
index 000000000..7aea6690d
--- /dev/null
+++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
+Description: Quieten logs when multiple from= restrictions are used
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2011-07-28
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
+++ b/auth-options.c
+@@ -58,9 +58,20 @@
+ /* "principals=" option. */
+ char *authorized_principals = NULL;
+ 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
+ extern ServerOptions options;
+ 
+ void
+auth_start_parse_options(void)
+{
+       logged_from_hostip = 0;
+       logged_cert_hostip = 0;
+}
+
+void
+ auth_clear_options(void)
+ {
+        no_agent_forwarding_flag = 0;
+@@ -288,10 +299,13 @@
+                                /* FALLTHROUGH */
+                        case 0:
+                                xfree(patterns);
+-                               logit("Authentication tried for %.100s with "
+-                                   "correct key but not from a permitted "
+-                                   "host (host=%.200s, ip=%.200s).",
+-                                   pw->pw_name, remote_host, remote_ip);
+                               if (!logged_from_hostip) {
+                                       logit("Authentication tried for %.100s with "
+                                           "correct key but not from a permitted "
+                                           "host (host=%.200s, ip=%.200s).",
+                                           pw->pw_name, remote_host, remote_ip);
+                                       logged_from_hostip = 1;
+                               }
+                                auth_debug_add("Your host '%.200s' is not "
+                                    "permitted to use this key for login.",
+                                    remote_host);
+@@ -526,11 +540,14 @@
+                                        break;
+                                case 0:
+                                        /* no match */
+-                                       logit("Authentication tried for %.100s "
+-                                           "with valid certificate but not "
+-                                           "from a permitted host "
+-                                           "(ip=%.200s).", pw->pw_name,
+-                                           remote_ip);
+                                       if (!logged_cert_hostip) {
+                                               logit("Authentication tried for %.100s "
+                                                   "with valid certificate but not "
+                                                   "from a permitted host "
+                                                   "(ip=%.200s).", pw->pw_name,
+                                                   remote_ip);
+                                               logged_cert_hostip = 1;
+                                       }
+                                        auth_debug_add("Your address '%.200s' "
+                                            "is not permitted to use this "
+                                            "certificate for login.",
+Index: b/auth-options.h
+===================================================================
+--- a/auth-options.h
+++ b/auth-options.h
+@@ -33,6 +33,7 @@
+ extern int key_is_cert_authority;
+ extern char *authorized_principals;
+ 
+void   auth_start_parse_options(void);
+ int    auth_parse_options(struct passwd *, char *, char *, u_long);
+ void   auth_clear_options(void);
+ int    auth_cert_options(Key *, struct passwd *);
+Index: b/auth-rsa.c
+===================================================================
+--- a/auth-rsa.c
+++ b/auth-rsa.c
+@@ -193,6 +193,8 @@
+ 
+        key = key_new(KEY_RSA1);
+ 
+       auth_start_parse_options();
+
+        /*
+         * Go though the accepted keys, looking for the current key.  If
+         * found, perform a challenge-response dialog to verify that the
+Index: b/auth2-pubkey.c
+===================================================================
+--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
+@@ -211,6 +211,7 @@
+                restore_uid();
+                return 0;
+        }
+       auth_start_parse_options();
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                /* Skip leading whitespace. */
+                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+@@ -280,6 +281,8 @@
+        found_key = 0;
+        found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+ 
+       auth_start_parse_options();
+
+        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+                char *cp, *key_options = NULL;
+ 
+@@ -416,6 +419,7 @@
+        if (key_cert_check_authority(key, 0, 1,
+            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+                goto fail_reason;
+       auth_start_parse_options();
+        if (auth_cert_options(key, pw) != 0)
+                goto out;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 01ef70076..3450e4c55 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ doc-hash-tab-completion.patch
 selinux-build-failure.patch
 ssh-add-fifo.patch
 hostbased-ecdsa.patch
+auth-log-verbosity.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch

diff --git a/debian/changelog b/debian/changelog index 8d48ee108..3fd5cf016 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,6 +1,9 @@
1	openssh (1:5.8p1-6) UNRELEASED; urgency=low	1	openssh (1:5.8p1-6) UNRELEASED; urgency=low
2		2
3	* openssh-client and openssh-server Suggests: monkeysphere.	3	* openssh-client and openssh-server Suggests: monkeysphere.
		4	* Quieten logs when multiple from= restrictions are used in different
		5	authorized_keys lines for the same key; it's still not ideal, but at
		6	least you'll only get one log entry per key (closes: #630606).
4		7
5	-- Colin Watson <cjwatson@debian.org> Thu, 28 Jul 2011 11:57:27 +0100	8	-- Colin Watson <cjwatson@debian.org> Thu, 28 Jul 2011 11:57:27 +0100
6		9


diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch new file mode 100644 index 000000000..7aea6690d --- /dev/null +++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
		1	Description: Quieten logs when multiple from= restrictions are used
		2	Author: Colin Watson <cjwatson@debian.org>
		3	Bug-Debian: http://bugs.debian.org/630606
		4	Forwarded: no
		5	Last-Update: 2011-07-28
		6
		7	Index: b/auth-options.c
		8	===================================================================
		9	--- a/auth-options.c
		10	+++ b/auth-options.c
		11	@@ -58,9 +58,20 @@
		12	/* "principals=" option. */
		13	char *authorized_principals = NULL;
		14
		15	+/* Throttle log messages. */
		16	+int logged_from_hostip = 0;
		17	+int logged_cert_hostip = 0;
		18	+
		19	extern ServerOptions options;
		20
		21	void
		22	+auth_start_parse_options(void)
		23	+{
		24	+ logged_from_hostip = 0;
		25	+ logged_cert_hostip = 0;
		26	+}
		27	+
		28	+void
		29	auth_clear_options(void)
		30	{
		31	no_agent_forwarding_flag = 0;
		32	@@ -288,10 +299,13 @@
		33	/* FALLTHROUGH */
		34	case 0:
		35	xfree(patterns);
		36	- logit("Authentication tried for %.100s with "
		37	- "correct key but not from a permitted "
		38	- "host (host=%.200s, ip=%.200s).",
		39	- pw->pw_name, remote_host, remote_ip);
		40	+ if (!logged_from_hostip) {
		41	+ logit("Authentication tried for %.100s with "
		42	+ "correct key but not from a permitted "
		43	+ "host (host=%.200s, ip=%.200s).",
		44	+ pw->pw_name, remote_host, remote_ip);
		45	+ logged_from_hostip = 1;
		46	+ }
		47	auth_debug_add("Your host '%.200s' is not "
		48	"permitted to use this key for login.",
		49	remote_host);
		50	@@ -526,11 +540,14 @@
		51	break;
		52	case 0:
		53	/* no match */
		54	- logit("Authentication tried for %.100s "
		55	- "with valid certificate but not "
		56	- "from a permitted host "
		57	- "(ip=%.200s).", pw->pw_name,
		58	- remote_ip);
		59	+ if (!logged_cert_hostip) {
		60	+ logit("Authentication tried for %.100s "
		61	+ "with valid certificate but not "
		62	+ "from a permitted host "
		63	+ "(ip=%.200s).", pw->pw_name,
		64	+ remote_ip);
		65	+ logged_cert_hostip = 1;
		66	+ }
		67	auth_debug_add("Your address '%.200s' "
		68	"is not permitted to use this "
		69	"certificate for login.",
		70	Index: b/auth-options.h
		71	===================================================================
		72	--- a/auth-options.h
		73	+++ b/auth-options.h
		74	@@ -33,6 +33,7 @@
		75	extern int key_is_cert_authority;
		76	extern char *authorized_principals;
		77
		78	+void auth_start_parse_options(void);
		79	int auth_parse_options(struct passwd , char , char *, u_long);
		80	void auth_clear_options(void);
		81	int auth_cert_options(Key , struct passwd );
		82	Index: b/auth-rsa.c
		83	===================================================================
		84	--- a/auth-rsa.c
		85	+++ b/auth-rsa.c
		86	@@ -193,6 +193,8 @@
		87
		88	key = key_new(KEY_RSA1);
		89
		90	+ auth_start_parse_options();
		91	+
		92	/*
		93	* Go though the accepted keys, looking for the current key. If
		94	* found, perform a challenge-response dialog to verify that the
		95	Index: b/auth2-pubkey.c
		96	===================================================================
		97	--- a/auth2-pubkey.c
		98	+++ b/auth2-pubkey.c
		99	@@ -211,6 +211,7 @@
		100	restore_uid();
		101	return 0;
		102	}
		103	+ auth_start_parse_options();
		104	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		105	/* Skip leading whitespace. */
		106	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
		107	@@ -280,6 +281,8 @@
		108	found_key = 0;
		109	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
		110
		111	+ auth_start_parse_options();
		112	+
		113	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		114	char cp, key_options = NULL;
		115
		116	@@ -416,6 +419,7 @@
		117	if (key_cert_check_authority(key, 0, 1,
		118	principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
		119	goto fail_reason;
		120	+ auth_start_parse_options();
		121	if (auth_cert_options(key, pw) != 0)
		122	goto out;
		123


diff --git a/debian/patches/series b/debian/patches/series index 01ef70076..3450e4c55 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -40,6 +40,7 @@ doc-hash-tab-completion.patch
40	selinux-build-failure.patch	40	selinux-build-failure.patch
41	ssh-add-fifo.patch	41	ssh-add-fifo.patch
42	hostbased-ecdsa.patch	42	hostbased-ecdsa.patch
		43	auth-log-verbosity.patch
43		44
44	# Debian-specific configuration	45	# Debian-specific configuration
45	gnome-ssh-askpass2-icon.patch	46	gnome-ssh-askpass2-icon.patch