summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog3
-rw-r--r--debian/patches/auth-log-verbosity.patch123
-rw-r--r--debian/patches/series1
3 files changed, 127 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 8d48ee108..3fd5cf016 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
1openssh (1:5.8p1-6) UNRELEASED; urgency=low 1openssh (1:5.8p1-6) UNRELEASED; urgency=low
2 2
3 * openssh-client and openssh-server Suggests: monkeysphere. 3 * openssh-client and openssh-server Suggests: monkeysphere.
4 * Quieten logs when multiple from= restrictions are used in different
5 authorized_keys lines for the same key; it's still not ideal, but at
6 least you'll only get one log entry per key (closes: #630606).
4 7
5 -- Colin Watson <cjwatson@debian.org> Thu, 28 Jul 2011 11:57:27 +0100 8 -- Colin Watson <cjwatson@debian.org> Thu, 28 Jul 2011 11:57:27 +0100
6 9
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
new file mode 100644
index 000000000..7aea6690d
--- /dev/null
+++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
1Description: Quieten logs when multiple from= restrictions are used
2Author: Colin Watson <cjwatson@debian.org>
3Bug-Debian: http://bugs.debian.org/630606
4Forwarded: no
5Last-Update: 2011-07-28
6
7Index: b/auth-options.c
8===================================================================
9--- a/auth-options.c
10+++ b/auth-options.c
11@@ -58,9 +58,20 @@
12 /* "principals=" option. */
13 char *authorized_principals = NULL;
14
15+/* Throttle log messages. */
16+int logged_from_hostip = 0;
17+int logged_cert_hostip = 0;
18+
19 extern ServerOptions options;
20
21 void
22+auth_start_parse_options(void)
23+{
24+ logged_from_hostip = 0;
25+ logged_cert_hostip = 0;
26+}
27+
28+void
29 auth_clear_options(void)
30 {
31 no_agent_forwarding_flag = 0;
32@@ -288,10 +299,13 @@
33 /* FALLTHROUGH */
34 case 0:
35 xfree(patterns);
36- logit("Authentication tried for %.100s with "
37- "correct key but not from a permitted "
38- "host (host=%.200s, ip=%.200s).",
39- pw->pw_name, remote_host, remote_ip);
40+ if (!logged_from_hostip) {
41+ logit("Authentication tried for %.100s with "
42+ "correct key but not from a permitted "
43+ "host (host=%.200s, ip=%.200s).",
44+ pw->pw_name, remote_host, remote_ip);
45+ logged_from_hostip = 1;
46+ }
47 auth_debug_add("Your host '%.200s' is not "
48 "permitted to use this key for login.",
49 remote_host);
50@@ -526,11 +540,14 @@
51 break;
52 case 0:
53 /* no match */
54- logit("Authentication tried for %.100s "
55- "with valid certificate but not "
56- "from a permitted host "
57- "(ip=%.200s).", pw->pw_name,
58- remote_ip);
59+ if (!logged_cert_hostip) {
60+ logit("Authentication tried for %.100s "
61+ "with valid certificate but not "
62+ "from a permitted host "
63+ "(ip=%.200s).", pw->pw_name,
64+ remote_ip);
65+ logged_cert_hostip = 1;
66+ }
67 auth_debug_add("Your address '%.200s' "
68 "is not permitted to use this "
69 "certificate for login.",
70Index: b/auth-options.h
71===================================================================
72--- a/auth-options.h
73+++ b/auth-options.h
74@@ -33,6 +33,7 @@
75 extern int key_is_cert_authority;
76 extern char *authorized_principals;
77
78+void auth_start_parse_options(void);
79 int auth_parse_options(struct passwd *, char *, char *, u_long);
80 void auth_clear_options(void);
81 int auth_cert_options(Key *, struct passwd *);
82Index: b/auth-rsa.c
83===================================================================
84--- a/auth-rsa.c
85+++ b/auth-rsa.c
86@@ -193,6 +193,8 @@
87
88 key = key_new(KEY_RSA1);
89
90+ auth_start_parse_options();
91+
92 /*
93 * Go though the accepted keys, looking for the current key. If
94 * found, perform a challenge-response dialog to verify that the
95Index: b/auth2-pubkey.c
96===================================================================
97--- a/auth2-pubkey.c
98+++ b/auth2-pubkey.c
99@@ -211,6 +211,7 @@
100 restore_uid();
101 return 0;
102 }
103+ auth_start_parse_options();
104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
105 /* Skip leading whitespace. */
106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
107@@ -280,6 +281,8 @@
108 found_key = 0;
109 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
110
111+ auth_start_parse_options();
112+
113 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
114 char *cp, *key_options = NULL;
115
116@@ -416,6 +419,7 @@
117 if (key_cert_check_authority(key, 0, 1,
118 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
119 goto fail_reason;
120+ auth_start_parse_options();
121 if (auth_cert_options(key, pw) != 0)
122 goto out;
123
diff --git a/debian/patches/series b/debian/patches/series
index 01ef70076..3450e4c55 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ doc-hash-tab-completion.patch
40selinux-build-failure.patch 40selinux-build-failure.patch
41ssh-add-fifo.patch 41ssh-add-fifo.patch
42hostbased-ecdsa.patch 42hostbased-ecdsa.patch
43auth-log-verbosity.patch
43 44
44# Debian-specific configuration 45# Debian-specific configuration
45gnome-ssh-askpass2-icon.patch 46gnome-ssh-askpass2-icon.patch