
Proposed openssh #630606 fix for squeeze



Peter Palfrader asked me to fix #630606 in squeeze, as the large amount
of log messages is causing problems on some debian.org machines.  I've
bodged it down to a reasonable level (one of these messages per key); it
probably ought to only log if no authorized_keys lines succeed or
something like that, but that would have been much harder to do and the
patch would have been rather longer.

diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog	2010-12-26 18:09:30.000000000 +0000
+++ openssh-5.5p1/debian/changelog	2011-07-28 17:44:13.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:5.5p1-6+squeeze1) stable; urgency=low
+
+  * Quieten logs when multiple from= restrictions are used in different
+    authorized_keys lines for the same key; it's still not ideal, but at
+    least you'll only get one log entry per key (closes: #630606).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 28 Jul 2011 16:43:48 +0000
+
 openssh (1:5.5p1-6) unstable; urgency=low
 
   * Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd,
diff -Nru openssh-5.5p1/debian/patches/auth-log-verbosity.patch openssh-5.5p1/debian/patches/auth-log-verbosity.patch
--- openssh-5.5p1/debian/patches/auth-log-verbosity.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/auth-log-verbosity.patch	2011-07-28 17:29:58.000000000 +0100
@@ -0,0 +1,113 @@
+Description: Quieten logs when multiple from= restrictions are used
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/630606
+Forwarded: no
+Last-Update: 2011-07-28
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -55,9 +55,20 @@
+ /* "tunnel=" option. */
+ int forced_tun_device = -1;
+ 
++/* Throttle log messages. */
++int logged_from_hostip = 0;
++int logged_cert_hostip = 0;
++
+ extern ServerOptions options;
+ 
+ void
++auth_start_parse_options(void)
++{
++	logged_from_hostip = 0;
++	logged_cert_hostip = 0;
++}
++
++void
+ auth_clear_options(void)
+ {
+ 	no_agent_forwarding_flag = 0;
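Review bot: the two new throttle flags logged_from_hostip and logged_cert_hostip are file-scope globals with external linkage, yet the auth-options.h hunk below only adds the auth_start_parse_options() prototype and never declares them, so they should be `static int` to keep them out of the global namespace. A one-line comment above auth_start_parse_options() saying that it is meant to run once per authorized_keys scan, and that it is deliberately separate from auth_clear_options(), would stop a later reader from folding the reset into auth_clear_options() and silently turning the throttle back into one message per line.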
+@@ -247,10 +258,13 @@
+ 				/* FALLTHROUGH */
+ 			case 0:
+ 				xfree(patterns);
+-				logit("Authentication tried for %.100s with "
+-				    "correct key but not from a permitted "
+-				    "host (host=%.200s, ip=%.200s).",
+-				    pw->pw_name, remote_host, remote_ip);
++				if (!logged_from_hostip) {
++					logit("Authentication tried for %.100s with "
++					    "correct key but not from a permitted "
++					    "host (host=%.200s, ip=%.200s).",
++					    pw->pw_name, remote_host, remote_ip);
++					logged_from_hostip = 1;
++				}
+ 				auth_debug_add("Your host '%.200s' is not "
+ 				    "permitted to use this key for login.",
+ 				    remote_host);
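Review bot: after the first hit, further authorized_keys lines that reach this branch are dropped with no trace, so the one surviving entry in auth.log reads as though exactly one line rejected the key. Consider making the suppression visible, either by appending a short tag to the message (e.g. "(further from= mismatches for this key not logged)") or by counting the suppressed lines and reporting the count in the log line, so an operator can tell a throttled entry from a single occurrence. Leaving auth_debug_add() unthrottled is right, since that text is per-line feedback sent to the client rather than to syslog.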
+@@ -470,10 +484,13 @@
+ 				break;
+ 			case 0:
+ 				/* no match */
+-				logit("Authentication tried for %.100s with "
+-				    "valid certificate but not from a "
+-				    "permitted host (ip=%.200s).",
+-				    pw->pw_name, remote_ip);
++				if (!logged_cert_hostip) {
++					logit("Authentication tried for %.100s with "
++					    "valid certificate but not from a "
++					    "permitted host (ip=%.200s).",
++					    pw->pw_name, remote_ip);
++					logged_cert_hostip = 1;
++				}
+ 				auth_debug_add("Your address '%.200s' is not "
+ 				    "permitted to use this certificate for "
+ 				    "login.", remote_ip);
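Review bot: this block repeats the throttle pattern from the from= branch above with only the flag name and message text changed; a small helper taking the flag pointer and the format string would keep the two in step the next time either message is edited. The same caveat as above applies here: once logged_cert_hostip is set, the remaining message gives no hint that later certificate source-address mismatches for the same key were suppressed.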
+Index: b/auth-options.h
+===================================================================
+--- a/auth-options.h
++++ b/auth-options.h
+@@ -32,6 +32,7 @@
+ extern int forced_tun_device;
+ extern int key_is_cert_authority;
+ 
++void	auth_start_parse_options(void);
+ int	auth_parse_options(struct passwd *, char *, char *, u_long);
+ void	auth_clear_options(void);
+ int	auth_cert_constraints(Buffer *, struct passwd *);
+Index: b/auth-rsa.c
+===================================================================
+--- a/auth-rsa.c
++++ b/auth-rsa.c
+@@ -196,6 +196,8 @@
+ 
+ 	key = key_new(KEY_RSA1);
+ 
++	auth_start_parse_options();
++
+ 	/*
+ 	 * Go though the accepted keys, looking for the current key.  If
+ 	 * found, perform a challenge-response dialog to verify that the
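Review bot: placing the reset before the loop rather than inside it is what makes the throttle per key instead of per line, which is exactly the intent, but nothing at the call site says so; a short comment (e.g. `/* at most one "not from a permitted host" log per key */`) would protect it from being moved into the loop later. Note also that auth_start_parse_options() clears logged_cert_hostip here although RSA1 keys cannot be certificates, which is harmless but slightly misleading.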
+Index: b/auth2-pubkey.c
+===================================================================
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -202,6 +202,8 @@
+ 	found_key = 0;
+ 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+ 
++	auth_start_parse_options();
++
+ 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+ 		char *cp, *key_options = NULL;
+ 
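Review bot: the reset sits inside the per-file scan, just after `found = key_new(...)`, so the flags are cleared each time this function is entered; if the caller invokes it once per configured authorized keys file, an operator will still see one message per file rather than the "one log entry per key" the changelog promises. Moving the reset up to the caller, before the per-file calls, would match the changelog wording.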
+@@ -307,6 +309,7 @@
+ 		auth_debug_add("%s", reason);
+ 		goto out;
+ 	}
++	auth_start_parse_options();
+ 	if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
+ 		goto out;
+ 
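Review bot: this is the third place the flags are reset, and the hunk gives no context for why the certificate path needs its own reset when the per-file scan above already clears them; presumably this code can be reached without going through that scan. A comment saying so here would make the three call sites easier to keep consistent.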
diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series	2010-12-26 18:00:35.000000000 +0000
+++ openssh-5.5p1/debian/patches/series	2011-07-28 17:22:59.000000000 +0100
@@ -25,6 +25,7 @@
 shell-path.patch
 ssh-copy-id-trailing-colons.patch
 dnssec-sshfp.patch
+auth-log-verbosity.patch
 
 # Versioning
 package-versioning.patch

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
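The bug fixed above is triggered by the same key appearing on several authorized_keys lines, each with its own from= restriction, so sshd logs a rejection for every non-matching line before it reaches the one that matches. Because from= accepts a comma-separated list of patterns, the noise can also be removed at the source, on any sshd version, by folding those lines into one. The following Python script is an added example and is not part of this message, the Debian package, or OpenSSH; the sample authorized_keys content and its key blobs are constructed placeholders, and the function names are the example's own. It merges only lines whose other options are identical, because merging lines with different restrictions (no-pty on one but not another) would change which restriction applies to which source host.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample, not taken from any real host: one RSA key listed three
# times with different from= restrictions (the situation behind #630606),
# plus an unrelated key.  The key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# deploy key: allowed from the build host, the office net and RFC1918 space
from="build.example.org" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0deploy== deploy
from="*.example.net",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0deploy== deploy
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0deploy== deploy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOther== admin
"""

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def split_options(options: str) -> List[str]:
    """Split an option field on commas outside double quotes, so that
    command="a,b" stays one option.  Backslash escapes inside quotes are
    copied through untouched."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(options):
        c = options[i]
        if quoted and c == "\\" and i + 1 < len(options):
            cur.append(options[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (options, keytype, blob, comment), or None for blank, comment
    or malformed lines.  As in sshd: if the line does not start with a key
    type, everything up to the first unquoted whitespace is the options."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        options, rest = "", line
    else:
        quoted = False
        for i, c in enumerate(line):
            if c == '"':
                quoted = not quoted
            elif c in " \t" and not quoted:
                break
        else:
            return None  # options with no key after them
        options, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def _render(e: dict) -> str:
    opts = list(e["others"])
    if e["from"]:
        opts.insert(0, 'from="%s"' % ",".join(e["from"]))
    fields = [",".join(opts)] if opts else []
    fields += [e["ktype"], e["blob"]]
    if e["comment"]:
        fields.append(e["comment"])
    return " ".join(fields)


def merge_from_restrictions(text: str) -> List[str]:
    """Fold lines carrying the same key and the same non-from= options into
    one line whose from= is the union of their patterns.  The access policy
    is unchanged, but sshd now sees one candidate line per key and therefore
    logs at most one rejection for it.  Comments and blank lines are kept."""
    entries: list = []                      # raw strings or entry dicts
    index: Dict[Tuple[str, str, Tuple[str, ...]], int] = {}
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            entries.append(raw)
            continue
        options, ktype, blob, comment = parsed
        from_pats: List[str] = []
        others: List[str] = []
        for opt in split_options(options):
            if opt.startswith('from="') and opt.endswith('"'):
                from_pats.extend(opt[len('from="'):-1].split(","))
            else:
                others.append(opt)
        key = (ktype, blob, tuple(others))
        # Merge only when both lines are from=-restricted: a line without
        # from= already admits every source, and adding patterns would
        # tighten it rather than preserve it.
        if key in index and from_pats and entries[index[key]]["from"]:
            merged = entries[index[key]]["from"]
            merged.extend(p for p in from_pats if p not in merged)
            continue
        index[key] = len(entries)
        entries.append({"from": from_pats, "others": others, "ktype": ktype,
                        "blob": blob, "comment": comment})
    return [e if isinstance(e, str) else _render(e) for e in entries]


if __name__ == "__main__":
    print("\n".join(merge_from_restrictions(SAMPLE_AUTHORIZED_KEYS)))
```

Run against the sample, the first and third deploy lines collapse into `from="build.example.org,10.0.0.0/8" ssh-rsa ... deploy`, while the no-pty line stays separate because its other options differ. Review the merged output before installing it, since the script deliberately does not decide policy questions such as whether the no-pty line was meant to apply everywhere.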

