summaryrefslogtreecommitdiff
path: root/debian/patches/auth-log-verbosity.patch
blob: 5d98b81a2b381b17daa7f5d37c0d2c46cff37921 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
From ec5991d73abdc0b3c43ea9f8a0e99da045e7beb1 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:02 +0000
Subject: Quieten logs when multiple from= restrictions are used

Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14

Patch-Name: auth-log-verbosity.patch
---
 auth-options.c | 35 ++++++++++++++++++++++++++---------
 auth-options.h |  1 +
 auth-rsa.c     |  2 ++
 auth2-pubkey.c |  3 +++
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/auth-options.c b/auth-options.c
index 12e2e1d..15c00d0 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -58,9 +58,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
+/* Throttle log messages. */
+int logged_from_hostip = 0;
+int logged_cert_hostip = 0;
+
 extern ServerOptions options;
 
 void
+auth_start_parse_options(void)
+{
+	logged_from_hostip = 0;
+	logged_cert_hostip = 0;
+}
+
+void
 auth_clear_options(void)
 {
 	no_agent_forwarding_flag = 0;
@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				/* FALLTHROUGH */
 			case 0:
 				free(patterns);
-				logit("Authentication tried for %.100s with "
-				    "correct key but not from a permitted "
-				    "host (host=%.200s, ip=%.200s).",
-				    pw->pw_name, remote_host, remote_ip);
+				if (!logged_from_hostip) {
+					logit("Authentication tried for %.100s with "
+					    "correct key but not from a permitted "
+					    "host (host=%.200s, ip=%.200s).",
+					    pw->pw_name, remote_host, remote_ip);
+					logged_from_hostip = 1;
+				}
 				auth_debug_add("Your host '%.200s' is not "
 				    "permitted to use this key for login.",
 				    remote_host);
@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 					break;
 				case 0:
 					/* no match */
-					logit("Authentication tried for %.100s "
-					    "with valid certificate but not "
-					    "from a permitted host "
-					    "(ip=%.200s).", pw->pw_name,
-					    remote_ip);
+					if (!logged_cert_hostip) {
+						logit("Authentication tried for %.100s "
+						    "with valid certificate but not "
+						    "from a permitted host "
+						    "(ip=%.200s).", pw->pw_name,
+						    remote_ip);
+						logged_cert_hostip = 1;
+					}
 					auth_debug_add("Your address '%.200s' "
 					    "is not permitted to use this "
 					    "certificate for login.",
diff --git a/auth-options.h b/auth-options.h
index 7455c94..a3f0a02 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -33,6 +33,7 @@ extern int forced_tun_device;
 extern int key_is_cert_authority;
 extern char *authorized_principals;
 
+void	auth_start_parse_options(void);
 int	auth_parse_options(struct passwd *, char *, char *, u_long);
 void	auth_clear_options(void);
 int	auth_cert_options(Key *, struct passwd *);
diff --git a/auth-rsa.c b/auth-rsa.c
index 6ed152c..9b139c9 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
 	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
 		return 0;
 
+	auth_start_parse_options();
+
 	/*
 	 * Go though the accepted keys, looking for the current key.  If
 	 * found, perform a challenge-response dialog to verify that the
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 12eb8a6..7c0ceee 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
 		restore_uid();
 		return 0;
 	}
+	auth_start_parse_options();
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		/* Skip leading whitespace. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 	found_key = 0;
 
 	found = NULL;
+	auth_start_parse_options();
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		char *cp, *key_options = NULL;
 		if (found != NULL)
@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 	if (key_cert_check_authority(key, 0, 1,
 	    principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
 		goto fail_reason;
+	auth_start_parse_options();
 	if (auth_cert_options(key, pw) != 0)
 		goto out;