From 95767262caa6692eff1e1565be1f5cb297949a89 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 7 Mar 2016 19:02:43 +0000 Subject: upstream commit refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@ Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e --- auth-options.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'auth-options.c') diff --git a/auth-options.c b/auth-options.c index edbaf80bb..b399b91e3 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */ +/* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -29,6 +29,7 @@ #include "ssherr.h" #include "log.h" #include "canohost.h" +#include "packet.h" #include "sshbuf.h" #include "misc.h" #include "channels.h" @@ -120,6 +121,7 @@ match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) int auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) { + struct ssh *ssh = active_state; /* XXX */ const char *cp; int i, r; @@ -273,9 +275,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) } cp = "from=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - const char *remote_ip = get_remote_ipaddr(); - const char *remote_host = get_canonical_hostname( - options.use_dns); + const char *remote_ip = ssh_remote_ipaddr(ssh); + const char *remote_host = auth_get_canonical_hostname( + ssh, options.use_dns); char *patterns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -457,6 +459,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, char **cert_forced_command, int *cert_source_address_done) { + struct ssh *ssh = active_state; /* XXX */ char *command, *allowed; const char *remote_ip; char *name = NULL; @@ -530,7 +533,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, free(allowed); goto out; } - remote_ip = get_remote_ipaddr(); + remote_ip = ssh_remote_ipaddr(ssh); result = addr_match_cidr_list(remote_ip, allowed); free(allowed); -- cgit v1.2.3 From b4b79ae5a16f73426b54c6394a29b2b49da4dc16 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:02 +0000 Subject: Quieten logs when multiple from= restrictions are used Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch --- auth-options.c | 35 ++++++++++++++++++++++++++--------- auth-options.h | 1 + auth-rsa.c | 2 ++ auth2-pubkey.c | 3 +++ 4 files changed, 32 insertions(+), 9 deletions(-) (limited to 'auth-options.c') diff --git a/auth-options.c b/auth-options.c index b399b91e3..a9d9a81cb 100644 --- a/auth-options.c +++ b/auth-options.c @@ -59,8 +59,19 @@ int forced_tun_device = -1; /* "principals=" option. */ char *authorized_principals = NULL; +/* Throttle log messages. */ +int logged_from_hostip = 0; +int logged_cert_hostip = 0; + extern ServerOptions options; +void +auth_start_parse_options(void) +{ + logged_from_hostip = 0; + logged_cert_hostip = 0; +} + void auth_clear_options(void) { @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) /* FALLTHROUGH */ case 0: free(patterns); - logit("Authentication tried for %.100s with " - "correct key but not from a permitted " - "host (host=%.200s, ip=%.200s).", - pw->pw_name, remote_host, remote_ip); + if (!logged_from_hostip) { + logit("Authentication tried for %.100s with " + "correct key but not from a permitted " + "host (host=%.200s, ip=%.200s).", + pw->pw_name, remote_host, remote_ip); + logged_from_hostip = 1; + } auth_debug_add("Your host '%.200s' is not " "permitted to use this key for login.", remote_host); @@ -543,11 +557,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, break; case 0: /* no match */ - logit("Authentication tried for %.100s " - "with valid certificate but not " - "from a permitted host " - "(ip=%.200s).", pw->pw_name, - remote_ip); + if (!logged_cert_hostip) { + logit("Authentication tried for %.100s " + "with valid certificate but not " + "from a permitted host " + "(ip=%.200s).", pw->pw_name, + remote_ip); + logged_cert_hostip = 1; + } auth_debug_add("Your address '%.200s' " "is not permitted to use this " "certificate for login.", diff --git a/auth-options.h b/auth-options.h index 34852e5c0..1653855ee 100644 --- a/auth-options.h +++ b/auth-options.h @@ -33,6 +33,7 @@ extern int forced_tun_device; extern int key_is_cert_authority; extern char *authorized_principals; +void auth_start_parse_options(void); int auth_parse_options(struct passwd *, char *, char *, u_long); void auth_clear_options(void); int auth_cert_options(struct sshkey *, struct passwd *); diff --git a/auth-rsa.c b/auth-rsa.c index cbd971be1..4cf2163c7 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) return 0; + auth_start_parse_options(); + /* * Go though the accepted keys, looking for the current key. If * found, perform a challenge-response dialog to verify that the diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 41b34aed2..aace7ca15 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, u_long linenum = 0; u_int i; + auth_start_parse_options(); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { /* Skip leading whitespace. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) @@ -731,6 +732,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) found_key = 0; found = NULL; + auth_start_parse_options(); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL; if (found != NULL) @@ -878,6 +880,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) if (key_cert_check_authority(key, 0, 1, use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) goto fail_reason; + auth_start_parse_options(); if (auth_cert_options(key, pw) != 0) goto out; -- cgit v1.2.3