From bede2f8c8a352b57ae5188fe6d3e45c5a57892eb Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:02 +0000
Subject: Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14
Patch-Name: auth-log-verbosity.patch
---
auth-options.c | 35 ++++++++++++++++++++++++++---------
auth-options.h | 1 +
auth-rsa.c | 2 ++
auth2-pubkey.c | 3 +++
4 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/auth-options.c b/auth-options.c
index e387697..f1e3ddf 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
/* "principals=" option. */
char *authorized_principals = NULL;
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
extern ServerOptions options;
void
+auth_start_parse_options(void)
+{
+ logged_from_hostip = 0;
+ logged_cert_hostip = 0;
+}
+
+void
auth_clear_options(void)
{
no_agent_forwarding_flag = 0;
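Review bot: The two new throttle flags `logged_from_hostip` and `logged_cert_hostip` are defined with external linkage, but the auth-options.h hunk adds only the `auth_start_parse_options` prototype and no `extern` for them, so nothing outside auth-options.c can legitimately reach them; declaring them `static int logged_from_hostip = 0;` and `static int logged_cert_hostip = 0;` keeps them out of the global namespace and makes the "only reset via auth_start_parse_options()" contract enforceable. The comment above them could also say what they track, e.g. `/* Throttle log messages: set once the host/ip-mismatch message has been logged while parsing the current key file; reset by auth_start_parse_options(). */`. auth_clear_options continues outside the hunk.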
@@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
/* FALLTHROUGH */
case 0:
free(patterns);
- logit("Authentication tried for %.100s with "
- "correct key but not from a permitted "
- "host (host=%.200s, ip=%.200s).",
- pw->pw_name, remote_host, remote_ip);
+ if (!logged_from_hostip) {
+ logit("Authentication tried for %.100s with "
+ "correct key but not from a permitted "
+ "host (host=%.200s, ip=%.200s).",
+ pw->pw_name, remote_host, remote_ip);
+ logged_from_hostip = 1;
+ }
auth_debug_add("Your host '%.200s' is not "
"permitted to use this key for login.",
remote_host);
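Review bot: Once `logged_from_hostip` is set, every further from= mismatch in the same key file is dropped from the server log entirely, not just demoted, so an administrator reading sshd logs at LogLevel DEBUG can no longer see how many keys were rejected for the source address; the same applies to the `logged_cert_hostip` branch in the parse_option_list hunk below. Keeping the first message at `logit` and emitting the later ones via `debug()` with the same text would preserve the quieter default log while leaving the per-key evidence available when verbose logging is turned on. The `auth_debug_add` message that follows is still sent to the client on every mismatch, so only the server-side record changes. auth_parse_options's switch starts and ends outside the hunk.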
@@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
break;
case 0:
/* no match */
- logit("Authentication tried for %.100s "
- "with valid certificate but not "
- "from a permitted host "
- "(ip=%.200s).", pw->pw_name,
- remote_ip);
+ if (!logged_cert_hostip) {
+ logit("Authentication tried for %.100s "
+ "with valid certificate but not "
+ "from a permitted host "
+ "(ip=%.200s).", pw->pw_name,
+ remote_ip);
+ logged_cert_hostip = 1;
+ }
auth_debug_add("Your address '%.200s' "
"is not permitted to use this "
"certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 34852e5..1653855 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
extern int key_is_cert_authority;
extern char *authorized_principals;
+void auth_start_parse_options(void);
int auth_parse_options(struct passwd *, char *, char *, u_long);
void auth_clear_options(void);
int auth_cert_options(struct sshkey *, struct passwd *);
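Review bot: The new prototype is added without a comment, and since it is the only entry point that resets the log-throttle state, callers have no way to learn from the header when it must be invoked; a one-line comment such as `/* Reset per-file log throttling; call before parsing each authorized_keys/principals file. */` above `void auth_start_parse_options(void);` would document that contract where the other auth_* declarations are read.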
diff --git a/auth-rsa.c b/auth-rsa.c
index cbd971b..4cf2163 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
return 0;
+ auth_start_parse_options();
+
/*
* Go though the accepted keys, looking for the current key. If
* found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 5aa319c..1eee161 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
u_long linenum = 0;
u_int i;
+ auth_start_parse_options();
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
/* Skip leading whitespace. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
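Review bot: The bare `auth_start_parse_options();` call placed before the read loop gives no hint why a reset is needed at this point, and the same unexplained one-liner recurs in the check_authkeys_file and user_cert_trusted_ca hunks below; a short comment at each site, `/* Reset log throttling so the first mismatch in this file is logged. */`, would tie the call to the flags it clears. In user_cert_trusted_ca the reset sits immediately before the single `auth_cert_options` call, so whether the cert-side throttle has any effect there depends on how often that path is reached, which cannot be confirmed from the hunk. process_principals continues outside the hunk.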
@@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
found_key = 0;
found = NULL;
+ auth_start_parse_options();
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp, *key_options = NULL;
if (found != NULL)
@@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (key_cert_check_authority(key, 0, 1,
use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
goto fail_reason;
+ auth_start_parse_options();
if (auth_cert_options(key, pw) != 0)
goto out;