Description: Quieten logs when multiple from= restrictions are used Author: Colin Watson Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-05-07 Index: b/auth-options.c =================================================================== --- a/auth-options.c +++ b/auth-options.c @@ -58,9 +58,20 @@ /* "principals=" option. */ char *authorized_principals = NULL; +/* Throttle log messages. */ +int logged_from_hostip = 0; +int logged_cert_hostip = 0; + extern ServerOptions options; void +auth_start_parse_options(void) +{ + logged_from_hostip = 0; + logged_cert_hostip = 0; +} + +void auth_clear_options(void) { no_agent_forwarding_flag = 0; @@ -288,10 +299,13 @@ /* FALLTHROUGH */ case 0: xfree(patterns); - logit("Authentication tried for %.100s with " - "correct key but not from a permitted " - "host (host=%.200s, ip=%.200s).", - pw->pw_name, remote_host, remote_ip); + if (!logged_from_hostip) { + logit("Authentication tried for %.100s with " + "correct key but not from a permitted " + "host (host=%.200s, ip=%.200s).", + pw->pw_name, remote_host, remote_ip); + logged_from_hostip = 1; + } auth_debug_add("Your host '%.200s' is not " "permitted to use this key for login.", remote_host); @@ -512,11 +526,14 @@ break; case 0: /* no match */ - logit("Authentication tried for %.100s " - "with valid certificate but not " - "from a permitted host " - "(ip=%.200s).", pw->pw_name, - remote_ip); + if (!logged_cert_hostip) { + logit("Authentication tried for %.100s " + "with valid certificate but not " + "from a permitted host " + "(ip=%.200s).", pw->pw_name, + remote_ip); + logged_cert_hostip = 1; + } auth_debug_add("Your address '%.200s' " "is not permitted to use this " "certificate for login.", Index: b/auth-options.h =================================================================== --- a/auth-options.h +++ b/auth-options.h @@ -33,6 +33,7 @@ extern int key_is_cert_authority; extern char *authorized_principals; +void auth_start_parse_options(void); int auth_parse_options(struct passwd *, char *, char *, u_long); void auth_clear_options(void); int auth_cert_options(Key *, struct passwd *); Index: b/auth-rsa.c =================================================================== --- a/auth-rsa.c +++ b/auth-rsa.c @@ -175,6 +175,8 @@ if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) return 0; + auth_start_parse_options(); + /* * Go though the accepted keys, looking for the current key. If * found, perform a challenge-response dialog to verify that the Index: b/auth2-pubkey.c =================================================================== --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -217,6 +217,7 @@ restore_uid(); return 0; } + auth_start_parse_options(); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { /* Skip leading whitespace. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) @@ -278,6 +279,8 @@ found_key = 0; found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); + auth_start_parse_options(); + while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL; @@ -412,6 +415,7 @@ if (key_cert_check_authority(key, 0, 1, principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) goto fail_reason; + auth_start_parse_options(); if (auth_cert_options(key, pw) != 0) goto out;