From 50e9edb57b6808cbbf63fe3433febb103baac1e8 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:02 +0000 Subject: Quieten logs when multiple from= restrictions are used Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2017-10-04 Patch-Name: auth-log-verbosity.patch --- auth-options.c | 35 ++++++++++++++++++++++++++--------- auth-options.h | 1 + auth2-pubkey.c | 3 +++ 3 files changed, 30 insertions(+), 9 deletions(-) diff --git a/auth-options.c b/auth-options.c index bed00eef..ccdd0b20 100644 --- a/auth-options.c +++ b/auth-options.c @@ -59,10 +59,21 @@ int forced_tun_device = -1; /* "principals=" option. */ char *authorized_principals = NULL; +/* Throttle log messages. */ +int logged_from_hostip = 0; +int logged_cert_hostip = 0; + extern ServerOptions options; /* XXX refactor to be stateless */ +void +auth_start_parse_options(void) +{ + logged_from_hostip = 0; + logged_cert_hostip = 0; +} + void auth_clear_options(void) { @@ -322,10 +333,13 @@ auth_parse_options(struct passwd *pw, char *opts, const char *file, /* FALLTHROUGH */ case 0: free(patterns); - logit("Authentication tried for %.100s with " - "correct key but not from a permitted " - "host (host=%.200s, ip=%.200s).", - pw->pw_name, remote_host, remote_ip); + if (!logged_from_hostip) { + logit("Authentication tried for %.100s with " + "correct key but not from a permitted " + "host (host=%.200s, ip=%.200s).", + pw->pw_name, remote_host, remote_ip); + logged_from_hostip = 1; + } auth_debug_add("Your host '%.200s' is not " "permitted to use this key for login.", remote_host); @@ -549,11 +563,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, break; case 0: /* no match */ - logit("Authentication tried for %.100s " - "with valid certificate but not " - "from a permitted host " - "(ip=%.200s).", pw->pw_name, - remote_ip); + if (!logged_cert_hostip) { + logit("Authentication tried for %.100s " + "with valid certificate but not " + "from a permitted host " + "(ip=%.200s).", pw->pw_name, + remote_ip); + logged_cert_hostip = 1; + } auth_debug_add("Your address '%.200s' " "is not permitted to use this " "certificate for login.", diff --git a/auth-options.h b/auth-options.h index 547f0163..4de0f14d 100644 --- a/auth-options.h +++ b/auth-options.h @@ -33,6 +33,7 @@ extern int forced_tun_device; extern int key_is_cert_authority; extern char *authorized_principals; +void auth_start_parse_options(void); int auth_parse_options(struct passwd *, char *, const char *, u_long); void auth_clear_options(void); int auth_cert_options(struct sshkey *, struct passwd *, const char **); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 169839b0..43f880b6 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -269,6 +269,7 @@ process_principals(FILE *f, const char *file, struct passwd *pw, u_long linenum = 0; u_int i, found_principal = 0; + auth_start_parse_options(); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { /* Always consume entire input */ if (found_principal) @@ -471,6 +472,7 @@ check_authkeys_file(FILE *f, char *file, struct sshkey *key, struct passwd *pw) u_long linenum = 0; struct sshkey *found = NULL; + auth_start_parse_options(); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL, *fp = NULL; const char *reason = NULL; @@ -624,6 +626,7 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key) if (sshkey_cert_check_authority(key, 0, 1, use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) goto fail_reason; + auth_start_parse_options(); if (auth_cert_options(key, pw, &reason) != 0) goto fail_reason;