1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
From 50e9edb57b6808cbbf63fe3433febb103baac1e8 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:02 +0000
Subject: Quieten logs when multiple from= restrictions are used
Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2017-10-04
Patch-Name: auth-log-verbosity.patch
---
auth-options.c | 35 ++++++++++++++++++++++++++---------
auth-options.h | 1 +
auth2-pubkey.c | 3 +++
3 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/auth-options.c b/auth-options.c
index bed00eef..ccdd0b20 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -59,10 +59,21 @@ int forced_tun_device = -1;
/* "principals=" option. */
char *authorized_principals = NULL;
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
extern ServerOptions options;
/* XXX refactor to be stateless */
+void
+auth_start_parse_options(void)
+{
+ logged_from_hostip = 0;
+ logged_cert_hostip = 0;
+}
+
void
auth_clear_options(void)
{
@@ -322,10 +333,13 @@ auth_parse_options(struct passwd *pw, char *opts, const char *file,
/* FALLTHROUGH */
case 0:
free(patterns);
- logit("Authentication tried for %.100s with "
- "correct key but not from a permitted "
- "host (host=%.200s, ip=%.200s).",
- pw->pw_name, remote_host, remote_ip);
+ if (!logged_from_hostip) {
+ logit("Authentication tried for %.100s with "
+ "correct key but not from a permitted "
+ "host (host=%.200s, ip=%.200s).",
+ pw->pw_name, remote_host, remote_ip);
+ logged_from_hostip = 1;
+ }
auth_debug_add("Your host '%.200s' is not "
"permitted to use this key for login.",
remote_host);
@@ -549,11 +563,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
break;
case 0:
/* no match */
- logit("Authentication tried for %.100s "
- "with valid certificate but not "
- "from a permitted host "
- "(ip=%.200s).", pw->pw_name,
- remote_ip);
+ if (!logged_cert_hostip) {
+ logit("Authentication tried for %.100s "
+ "with valid certificate but not "
+ "from a permitted host "
+ "(ip=%.200s).", pw->pw_name,
+ remote_ip);
+ logged_cert_hostip = 1;
+ }
auth_debug_add("Your address '%.200s' "
"is not permitted to use this "
"certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 547f0163..4de0f14d 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
extern int key_is_cert_authority;
extern char *authorized_principals;
+void auth_start_parse_options(void);
int auth_parse_options(struct passwd *, char *, const char *, u_long);
void auth_clear_options(void);
int auth_cert_options(struct sshkey *, struct passwd *, const char **);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 169839b0..43f880b6 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -269,6 +269,7 @@ process_principals(FILE *f, const char *file, struct passwd *pw,
u_long linenum = 0;
u_int i, found_principal = 0;
+ auth_start_parse_options();
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
/* Always consume entire input */
if (found_principal)
@@ -471,6 +472,7 @@ check_authkeys_file(FILE *f, char *file, struct sshkey *key, struct passwd *pw)
u_long linenum = 0;
struct sshkey *found = NULL;
+ auth_start_parse_options();
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp, *key_options = NULL, *fp = NULL;
const char *reason = NULL;
@@ -624,6 +626,7 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key)
if (sshkey_cert_check_authority(key, 0, 1,
use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
goto fail_reason;
+ auth_start_parse_options();
if (auth_cert_options(key, pw, &reason) != 0)
goto fail_reason;
|
