Peter Palfrader asked me to fix #630606 in squeeze, as the large amount
of log messages is causing problems on some debian.org machines.  I've
bodged it down to a reasonable level (one of these messages per key); it
probably ought to only log if no authorized_keys lines succeed or
something like that, but that would have been much harder to do and the
patch would have been rather longer.

diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog      2010-12-26 18:09:30.000000000 +0000
+++ openssh-5.5p1/debian/changelog      2011-07-28 17:44:13.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:5.5p1-6+squeeze1) stable; urgency=low
+
+  * Quieten logs when multiple from= restrictions are used in different
+    authorized_keys lines for the same key; it's still not ideal, but at
+    least you'll only get one log entry per key (closes: #630606).
+
+ -- Colin Watson <cjwat...@debian.org>  Thu, 28 Jul 2011 16:43:48 +0000
+
 openssh (1:5.5p1-6) unstable; urgency=low
 
   * Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd,
diff -Nru openssh-5.5p1/debian/patches/auth-log-verbosity.patch 
openssh-5.5p1/debian/patches/auth-log-verbosity.patch
--- openssh-5.5p1/debian/patches/auth-log-verbosity.patch       1970-01-01 
01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/auth-log-verbosity.patch       2011-07-28 
17:29:58.000000000 +0100
@@ -0,0 +1,113 @@
+Description: Quieten logs when multiple from= restrictions are used
+Author: Colin Watson <cjwat...@debian.org>
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2011-07-28
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -55,9 +55,20 @@
+ /* "tunnel=" option. */
+ int forced_tun_device = -1;
+ 
++/* Throttle log messages. */
++int logged_from_hostip = 0;
++int logged_cert_hostip = 0;
++
+ extern ServerOptions options;
+ 
+ void
++auth_start_parse_options(void)
++{
++      logged_from_hostip = 0;
++      logged_cert_hostip = 0;
++}
++
++void
+ auth_clear_options(void)
+ {
+       no_agent_forwarding_flag = 0;
+@@ -247,10 +258,13 @@
+                               /* FALLTHROUGH */
+                       case 0:
+                               xfree(patterns);
+-                              logit("Authentication tried for %.100s with "
+-                                  "correct key but not from a permitted "
+-                                  "host (host=%.200s, ip=%.200s).",
+-                                  pw->pw_name, remote_host, remote_ip);
++                              if (!logged_from_hostip) {
++                                      logit("Authentication tried for %.100s 
with "
++                                          "correct key but not from a 
permitted "
++                                          "host (host=%.200s, ip=%.200s).",
++                                          pw->pw_name, remote_host, 
remote_ip);
++                                      logged_from_hostip = 1;
++                              }
+                               auth_debug_add("Your host '%.200s' is not "
+                                   "permitted to use this key for login.",
+                                   remote_host);
+@@ -470,10 +484,13 @@
+                               break;
+                       case 0:
+                               /* no match */
+-                              logit("Authentication tried for %.100s with "
+-                                  "valid certificate but not from a "
+-                                  "permitted host (ip=%.200s).",
+-                                  pw->pw_name, remote_ip);
++                              if (!logged_cert_hostip) {
++                                      logit("Authentication tried for %.100s 
with "
++                                          "valid certificate but not from a "
++                                          "permitted host (ip=%.200s).",
++                                          pw->pw_name, remote_ip);
++                                      logged_cert_hostip = 1;
++                              }
+                               auth_debug_add("Your address '%.200s' is not "
+                                   "permitted to use this certificate for "
+                                   "login.", remote_ip);
+Index: b/auth-options.h
+===================================================================
+--- a/auth-options.h
++++ b/auth-options.h
+@@ -32,6 +32,7 @@
+ extern int forced_tun_device;
+ extern int key_is_cert_authority;
+ 
++void  auth_start_parse_options(void);
+ int   auth_parse_options(struct passwd *, char *, char *, u_long);
+ void  auth_clear_options(void);
+ int   auth_cert_constraints(Buffer *, struct passwd *);
+Index: b/auth-rsa.c
+===================================================================
+--- a/auth-rsa.c
++++ b/auth-rsa.c
+@@ -196,6 +196,8 @@
+ 
+       key = key_new(KEY_RSA1);
+ 
++      auth_start_parse_options();
++
+       /*
+        * Go though the accepted keys, looking for the current key.  If
+        * found, perform a challenge-response dialog to verify that the
+Index: b/auth2-pubkey.c
+===================================================================
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -202,6 +202,8 @@
+       found_key = 0;
+       found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+ 
++      auth_start_parse_options();
++
+       while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+               char *cp, *key_options = NULL;
+ 
+@@ -307,6 +309,7 @@
+               auth_debug_add("%s", reason);
+               goto out;
+       }
++      auth_start_parse_options();
+       if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
+               goto out;
+ 
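Review bot: The two throttle flags added at the top of auth-options.c, `int logged_from_hostip = 0;` and `int logged_cert_hostip = 0;`, are given external linkage yet are never declared in auth-options.h (the header hunk only adds the `auth_start_parse_options` prototype), unlike the neighbouring `forced_tun_device` which does get an `extern`; since nothing outside this file touches them they should be `static int logged_from_hostip = 0;` and `static int logged_cert_hostip = 0;`, so the once-per-scan contract cannot be clobbered from another translation unit. The reset placed just before `auth_cert_constraints()` in auth2-pubkey.c also clears `logged_from_hostip`; that looks harmless here because both failure paths that follow it `goto out`, but a one-line comment such as `/* fresh throttle state for the cert source-address check */` would save the next reader from re-deriving that. From a detection standpoint the surviving `logit()` is the line syslog-based blockers key on, and because the flags are reset at the start of every authorized_keys scan the change still yields at least one entry per offered key per scan, so per-attempt visibility is preserved; that is worth stating in the patch Description, since the retained `auth_debug_add()` text is, as far as I recall, only returned to the client rather than logged. Every function these hunks cut into starts and ends outside the hunk, so the call sites of the new reset were checked only as far as the shown context allows.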
diff -Nru openssh-5.5p1/debian/patches/series 
openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series 2010-12-26 18:00:35.000000000 +0000
+++ openssh-5.5p1/debian/patches/series 2011-07-28 17:22:59.000000000 +0100
@@ -25,6 +25,7 @@
 shell-path.patch
 ssh-copy-id-trailing-colons.patch
 dnssec-sshfp.patch
+auth-log-verbosity.patch
 
 # Versioning
 package-versioning.patch

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]

