From 7a15b74572af22c2642ce0b125a90f35a92a10b4 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 28 Jul 2011 14:32:20 +0100
Subject: Quieten logs when multiple from= restrictions are used in different
 authorized_keys lines for the same key; it's still not ideal, but at least
 you'll only get one log entry per key (closes: #630606).

---
 auth-options.c                          |  35 ++++++---
 auth-options.h                          |   1 +
 auth-rsa.c                              |   2 +
 auth2-pubkey.c                          |   4 ++
 debian/changelog                        |   3 +
 debian/patches/auth-log-verbosity.patch | 123 ++++++++++++++++++++++++++++++++
 debian/patches/series                   |   1 +
 7 files changed, 160 insertions(+), 9 deletions(-)
 create mode 100644 debian/patches/auth-log-verbosity.patch

diff --git a/auth-options.c b/auth-options.c
index eae45cf2b..8d1ef0a18 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,8 +58,19 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
 extern ServerOptions options;
 
+void
+auth_start_parse_options(void)
+{
+	logged_from_hostip = 0;
+	logged_cert_hostip = 0;
+}
+
 void
 auth_clear_options(void)
 {
@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				/* FALLTHROUGH */
 			case 0:
 				xfree(patterns);
-				logit("Authentication tried for %.100s with "
-				    "correct key but not from a permitted "
-				    "host (host=%.200s, ip=%.200s).",
-				    pw->pw_name, remote_host, remote_ip);
+				if (!logged_from_hostip) {
+					logit("Authentication tried for %.100s with "
+					    "correct key but not from a permitted "
+					    "host (host=%.200s, ip=%.200s).",
+					    pw->pw_name, remote_host, remote_ip);
+					logged_from_hostip = 1;
+				}
 				auth_debug_add("Your host '%.200s' is not "
 				    "permitted to use this key for login.",
 				    remote_host);
@@ -526,11 +540,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 					break;
 				case 0:
 					/* no match */
-					logit("Authentication tried for %.100s "
-					    "with valid certificate but not "
-					    "from a permitted host "
-					    "(ip=%.200s).", pw->pw_name,
-					    remote_ip);
+					if (!logged_cert_hostip) {
+						logit("Authentication tried for %.100s "
+						    "with valid certificate but not "
+						    "from a permitted host "
+						    "(ip=%.200s).", pw->pw_name,
+						    remote_ip);
+						logged_cert_hostip = 1;
+					}
 					auth_debug_add("Your address '%.200s' "
 					    "is not permitted to use this "
 					    "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 7455c9454..a3f0a02da 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
 extern int key_is_cert_authority;
 extern char *authorized_principals;
 
+void	auth_start_parse_options(void);
 int	auth_parse_options(struct passwd *, char *, char *, u_long);
 void	auth_clear_options(void);
 int	auth_cert_options(Key *, struct passwd *);
diff --git a/auth-rsa.c b/auth-rsa.c
index 323e875b8..ec32c803f 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -193,6 +193,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 
 	key = key_new(KEY_RSA1);
 
+	auth_start_parse_options();
+
 	/*
 	 * Go though the accepted keys, looking for the current key.  If
 	 * found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 62a553612..dbf0d0d22 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -211,6 +211,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
 		restore_uid();
 		return 0;
 	}
+	auth_start_parse_options();
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		/* Skip leading whitespace. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -280,6 +281,8 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 	found_key = 0;
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
+	auth_start_parse_options();
+
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		char *cp, *key_options = NULL;
 
@@ -416,6 +419,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 	if (key_cert_check_authority(key, 0, 1,
 	    principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
 		goto fail_reason;
+	auth_start_parse_options();
 	if (auth_cert_options(key, pw) != 0)
 		goto out;
 
diff --git a/debian/changelog b/debian/changelog
index 8d48ee108..3fd5cf016 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:5.8p1-6) UNRELEASED; urgency=low
 
   * openssh-client and openssh-server Suggests: monkeysphere.
+  * Quieten logs when multiple from= restrictions are used in different
+    authorized_keys lines for the same key; it's still not ideal, but at
+    least you'll only get one log entry per key (closes: #630606).
 
  -- Colin Watson <cjwatson@debian.org>  Thu, 28 Jul 2011 11:57:27 +0100
 
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
new file mode 100644
index 000000000..7aea6690d
--- /dev/null
+++ b/debian/patches/auth-log-verbosity.patch
@@ -0,0 +1,123 @@
+Description: Quieten logs when multiple from= restrictions are used
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2011-07-28
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -58,9 +58,20 @@
+ /* "principals=" option. */
+ char *authorized_principals = NULL;
+ 
++/* Throttle log messages. */
++int logged_from_hostip = 0;
++int logged_cert_hostip = 0;
++
+ extern ServerOptions options;
+ 
+ void
++auth_start_parse_options(void)
++{
++	logged_from_hostip = 0;
++	logged_cert_hostip = 0;
++}
++
++void
+ auth_clear_options(void)
+ {
+ 	no_agent_forwarding_flag = 0;
+@@ -288,10 +299,13 @@
+ 				/* FALLTHROUGH */
+ 			case 0:
+ 				xfree(patterns);
+-				logit("Authentication tried for %.100s with "
+-				    "correct key but not from a permitted "
+-				    "host (host=%.200s, ip=%.200s).",
+-				    pw->pw_name, remote_host, remote_ip);
++				if (!logged_from_hostip) {
++					logit("Authentication tried for %.100s with "
++					    "correct key but not from a permitted "
++					    "host (host=%.200s, ip=%.200s).",
++					    pw->pw_name, remote_host, remote_ip);
++					logged_from_hostip = 1;
++				}
+ 				auth_debug_add("Your host '%.200s' is not "
+ 				    "permitted to use this key for login.",
+ 				    remote_host);
+@@ -526,11 +540,14 @@
+ 					break;
+ 				case 0:
+ 					/* no match */
+-					logit("Authentication tried for %.100s "
+-					    "with valid certificate but not "
+-					    "from a permitted host "
+-					    "(ip=%.200s).", pw->pw_name,
+-					    remote_ip);
++					if (!logged_cert_hostip) {
++						logit("Authentication tried for %.100s "
++						    "with valid certificate but not "
++						    "from a permitted host "
++						    "(ip=%.200s).", pw->pw_name,
++						    remote_ip);
++						logged_cert_hostip = 1;
++					}
+ 					auth_debug_add("Your address '%.200s' "
+ 					    "is not permitted to use this "
+ 					    "certificate for login.",
+Index: b/auth-options.h
+===================================================================
+--- a/auth-options.h
++++ b/auth-options.h
+@@ -33,6 +33,7 @@
+ extern int key_is_cert_authority;
+ extern char *authorized_principals;
+ 
++void	auth_start_parse_options(void);
+ int	auth_parse_options(struct passwd *, char *, char *, u_long);
+ void	auth_clear_options(void);
+ int	auth_cert_options(Key *, struct passwd *);
+Index: b/auth-rsa.c
+===================================================================
+--- a/auth-rsa.c
++++ b/auth-rsa.c
+@@ -193,6 +193,8 @@
+ 
+ 	key = key_new(KEY_RSA1);
+ 
++	auth_start_parse_options();
++
+ 	/*
+ 	 * Go though the accepted keys, looking for the current key.  If
+ 	 * found, perform a challenge-response dialog to verify that the
+Index: b/auth2-pubkey.c
+===================================================================
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -211,6 +211,7 @@
+ 		restore_uid();
+ 		return 0;
+ 	}
++	auth_start_parse_options();
+ 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+ 		/* Skip leading whitespace. */
+ 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+@@ -280,6 +281,8 @@
+ 	found_key = 0;
+ 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+ 
++	auth_start_parse_options();
++
+ 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+ 		char *cp, *key_options = NULL;
+ 
+@@ -416,6 +419,7 @@
+ 	if (key_cert_check_authority(key, 0, 1,
+ 	    principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+ 		goto fail_reason;
++	auth_start_parse_options();
+ 	if (auth_cert_options(key, pw) != 0)
+ 		goto out;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 01ef70076..3450e4c55 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ doc-hash-tab-completion.patch
 selinux-build-failure.patch
 ssh-add-fifo.patch
 hostbased-ecdsa.patch
+auth-log-verbosity.patch
 
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
-- 
cgit v1.2.3