Commit ec5991d7 authored by Colin Watson's avatar Colin Watson

Quieten logs when multiple from= restrictions are used

Bug-Debian: http://bugs.debian.org/630606
Forwarded: no
Last-Update: 2013-09-14

Patch-Name: auth-log-verbosity.patch
parent 145099bd
......@@ -58,8 +58,19 @@ int forced_tun_device = -1;
/* "principals=" option. */
char *authorized_principals = NULL;
/* Throttle log messages. */
int logged_from_hostip = 0;
int logged_cert_hostip = 0;
extern ServerOptions options;
void
auth_start_parse_options(void)
{
logged_from_hostip = 0;
logged_cert_hostip = 0;
}
void
auth_clear_options(void)
{
......@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
/* FALLTHROUGH */
case 0:
free(patterns);
logit("Authentication tried for %.100s with "
"correct key but not from a permitted "
"host (host=%.200s, ip=%.200s).",
pw->pw_name, remote_host, remote_ip);
if (!logged_from_hostip) {
logit("Authentication tried for %.100s with "
"correct key but not from a permitted "
"host (host=%.200s, ip=%.200s).",
pw->pw_name, remote_host, remote_ip);
logged_from_hostip = 1;
}
auth_debug_add("Your host '%.200s' is not "
"permitted to use this key for login.",
remote_host);
......@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
break;
case 0:
/* no match */
logit("Authentication tried for %.100s "
"with valid certificate but not "
"from a permitted host "
"(ip=%.200s).", pw->pw_name,
remote_ip);
if (!logged_cert_hostip) {
logit("Authentication tried for %.100s "
"with valid certificate but not "
"from a permitted host "
"(ip=%.200s).", pw->pw_name,
remote_ip);
logged_cert_hostip = 1;
}
auth_debug_add("Your address '%.200s' "
"is not permitted to use this "
"certificate for login.",
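Review bot: `logged_from_hostip` and `logged_cert_hostip`, defined in the first hunk (@@ -58,8 +58,19), are file-scope globals with external linkage, yet the auth-options.h hunk exports only `auth_start_parse_options()`, so as far as this diff shows nothing outside auth-options.c reads them; `static int logged_from_hostip = 0;` and `static int logged_cert_hostip = 0;` would keep them out of the global namespace. The throttling also depends on every caller of auth_parse_options() / auth_cert_options() resetting the flags first: a caller outside this diff that skips auth_start_parse_options() would inherit the state left by the previous key file and silently lose the "not from a permitted host" audit line. A comment on the new function, `/* Reset per-file log throttling; call once before parsing each key file's options. */`, would make that contract visible at the definition. The suppression applies only to logit(); the per-key auth_debug_add() lines in the second and third hunks are unchanged, so the client-side debug output still reports every rejected key.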
......@@ -33,6 +33,7 @@ extern int forced_tun_device;
extern int key_is_cert_authority;
extern char *authorized_principals;
void auth_start_parse_options(void);
int auth_parse_options(struct passwd *, char *, char *, u_long);
void auth_clear_options(void);
int auth_cert_options(Key *, struct passwd *);
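Review bot: The new prototype `void auth_start_parse_options(void);` says nothing about when it must be called, and the reset it performs is what keeps the "not from a permitted host" log line from being suppressed from one key file to the next. Suggest `/* Reset per-key-file log throttling; call before parsing a key file's options. */` directly above it. Whether the neighbouring prototypes in this header carry comments is not visible in the hunk, so match whatever convention the file already uses.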
......@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
return 0;
auth_start_parse_options();
/*
* Go though the accepted keys, looking for the current key. If
* found, perform a challenge-response dialog to verify that the
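Review bot: The `auth_start_parse_options();` call inserted before the key loop in rsa_key_allowed_in_file has no comment saying why it is there, and the same bare call recurs in the auth2-pubkey.c hunks for match_principals_file, check_authkeys_file and user_cert_trusted_ca. Nothing else in these functions depends on the call, so a later refactor could drop or move it without any compile-time or test failure; a one-line comment at each site, `/* Reset per-file log throttling before parsing key options. */`, guards against that. Placement directly before the parsing loop (or before auth_cert_options() in user_cert_trusted_ca) is consistent across the four sites. rsa_key_allowed_in_file continues outside the hunk.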
......@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
restore_uid();
return 0;
}
auth_start_parse_options();
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
/* Skip leading whitespace. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
......@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
found_key = 0;
found = NULL;
auth_start_parse_options();
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp, *key_options = NULL;
if (found != NULL)
......@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (key_cert_check_authority(key, 0, 1,
principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
goto fail_reason;
auth_start_parse_options();
if (auth_cert_options(key, pw) != 0)
goto out;