Define log levels in docs and change default to 0-3.
We define the meaning of the various log levels in the man page for krb5_openlog(3). If logging is configured and levels are not specified, we change the default levels to 0-3, which should exclude debugging messages, which are generally only desired in exceptional circumstances. We also go through the KDC and adjust the levels to be appropriate.

committed by
Roland C. Dowdeswell

parent
aa5c525e71
commit
c7d4682aed
44
kdc/digest.c
44
kdc/digest.c
@@ -223,7 +223,7 @@ _kdc_do_digest(krb5_context context,
|
||||
krb5_data serverNonce;
|
||||
|
||||
if(!config->enable_digest) {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 2,
|
||||
"Rejected digest request (disabled) from %s", from);
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
@@ -236,7 +236,7 @@ _kdc_do_digest(krb5_context context,
|
||||
memset(&rep, 0, sizeof(rep));
|
||||
memset(&res, 0, sizeof(res));
|
||||
|
||||
kdc_log(context, config, 0, "Digest request from %s", from);
|
||||
kdc_log(context, config, 3, "Digest request from %s", from);
|
||||
|
||||
ret = krb5_kt_resolve(context, "HDBGET:", &id);
|
||||
if (ret) {
|
||||
@@ -320,7 +320,7 @@ _kdc_do_digest(krb5_context context,
|
||||
goto out;
|
||||
|
||||
if (client->entry.flags.allow_digest == 0) {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 2,
|
||||
"Client %s tried to use digest "
|
||||
"but is not allowed to",
|
||||
client_name);
|
||||
@@ -364,7 +364,7 @@ _kdc_do_digest(krb5_context context,
|
||||
goto out;
|
||||
}
|
||||
|
||||
kdc_log(context, config, 0, "Valid digest request from %s (%s)",
|
||||
kdc_log(context, config, 3, "Valid digest request from %s (%s)",
|
||||
client_name, from);
|
||||
|
||||
/*
|
||||
@@ -498,7 +498,7 @@ _kdc_do_digest(krb5_context context,
|
||||
goto out;
|
||||
}
|
||||
|
||||
kdc_log(context, config, 0, "Digest %s init request successful from %s",
|
||||
kdc_log(context, config, 3, "Digest %s init request successful from %s",
|
||||
ireq.u.init.type, from);
|
||||
|
||||
break;
|
||||
@@ -622,7 +622,7 @@ _kdc_do_digest(krb5_context context,
|
||||
char idx;
|
||||
|
||||
if ((config->digests_allowed & CHAP_MD5) == 0) {
|
||||
kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
|
||||
kdc_log(context, config, 2, "Digest CHAP MD5 not allowed");
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -669,7 +669,7 @@ _kdc_do_digest(krb5_context context,
|
||||
if (ret == 0) {
|
||||
r.u.response.success = TRUE;
|
||||
} else {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 2,
|
||||
"CHAP reply mismatch for %s",
|
||||
ireq.u.digestRequest.username);
|
||||
r.u.response.success = FALSE;
|
||||
@@ -682,7 +682,7 @@ _kdc_do_digest(krb5_context context,
|
||||
char *A1, *A2;
|
||||
|
||||
if ((config->digests_allowed & DIGEST_MD5) == 0) {
|
||||
kdc_log(context, config, 0, "Digest SASL MD5 not allowed");
|
||||
kdc_log(context, config, 2, "Digest SASL MD5 not allowed");
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -794,7 +794,7 @@ _kdc_do_digest(krb5_context context,
|
||||
if (ret == 0) {
|
||||
r.u.response.success = TRUE;
|
||||
} else {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 2,
|
||||
"DIGEST-MD5 reply mismatch for %s",
|
||||
ireq.u.digestRequest.username);
|
||||
r.u.response.success = FALSE;
|
||||
@@ -810,7 +810,7 @@ _kdc_do_digest(krb5_context context,
|
||||
EVP_MD_CTX *ctp;
|
||||
|
||||
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
|
||||
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
|
||||
kdc_log(context, config, 2, "MS-CHAP-V2 not allowed");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
@@ -917,7 +917,7 @@ _kdc_do_digest(krb5_context context,
|
||||
if (ret == 0) {
|
||||
r.u.response.success = TRUE;
|
||||
} else {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 2,
|
||||
"MS-CHAP-V2 hash mismatch for %s",
|
||||
ireq.u.digestRequest.username);
|
||||
r.u.response.success = FALSE;
|
||||
@@ -1013,7 +1013,7 @@ _kdc_do_digest(krb5_context context,
|
||||
r.u.error.code = EINVAL;
|
||||
}
|
||||
|
||||
kdc_log(context, config, 0, "Digest %s request successful %s",
|
||||
kdc_log(context, config, 3, "Digest %s request successful %s",
|
||||
ireq.u.digestRequest.type, ireq.u.digestRequest.username);
|
||||
|
||||
break;
|
||||
@@ -1021,7 +1021,7 @@ _kdc_do_digest(krb5_context context,
|
||||
case choice_DigestReqInner_ntlmInit:
|
||||
|
||||
if ((config->digests_allowed & (NTLM_V1|NTLM_V1_SESSION|NTLM_V2)) == 0) {
|
||||
kdc_log(context, config, 0, "NTLM not allowed");
|
||||
kdc_log(context, config, 2, "NTLM not allowed");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
@@ -1030,14 +1030,14 @@ _kdc_do_digest(krb5_context context,
|
||||
r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
|
||||
|
||||
if ((ireq.u.ntlmInit.flags & NTLM_NEG_UNICODE) == 0) {
|
||||
kdc_log(context, config, 0, "NTLM client have no unicode");
|
||||
kdc_log(context, config, 2, "NTLM client have no unicode");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (ireq.u.ntlmInit.flags & NTLM_NEG_NTLM)
|
||||
r.u.ntlmInitReply.flags |= NTLM_NEG_NTLM;
|
||||
else {
|
||||
kdc_log(context, config, 0, "NTLM client doesn't support NTLM");
|
||||
kdc_log(context, config, 2, "NTLM client doesn't support NTLM");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
@@ -1137,7 +1137,7 @@ _kdc_do_digest(krb5_context context,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
kdc_log(context, config, 0, "NTLM init from %s", from);
|
||||
kdc_log(context, config, 3, "NTLM init from %s", from);
|
||||
|
||||
break;
|
||||
|
||||
@@ -1181,7 +1181,7 @@ _kdc_do_digest(krb5_context context,
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
crypto = NULL;
|
||||
if (ret) {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 2,
|
||||
"Failed to decrypt nonce from %s", from);
|
||||
goto failed;
|
||||
}
|
||||
@@ -1227,7 +1227,7 @@ _kdc_do_digest(krb5_context context,
|
||||
char *targetname;
|
||||
|
||||
if ((config->digests_allowed & NTLM_V2) == 0) {
|
||||
kdc_log(context, config, 0, "NTLM v2 not allowed");
|
||||
kdc_log(context, config, 2, "NTLM v2 not allowed");
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -1273,7 +1273,7 @@ _kdc_do_digest(krb5_context context,
|
||||
EVP_MD_CTX *ctx;
|
||||
|
||||
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
|
||||
kdc_log(context, config, 0, "NTLM v1-session not allowed");
|
||||
kdc_log(context, config, 2, "NTLM v1-session not allowed");
|
||||
ret = EINVAL;
|
||||
goto failed;
|
||||
}
|
||||
@@ -1298,7 +1298,7 @@ _kdc_do_digest(krb5_context context,
|
||||
|
||||
} else {
|
||||
if ((config->digests_allowed & NTLM_V1) == 0) {
|
||||
kdc_log(context, config, 0, "NTLM v1 not allowed");
|
||||
kdc_log(context, config, 2, "NTLM v1 not allowed");
|
||||
goto failed;
|
||||
}
|
||||
}
|
||||
@@ -1389,7 +1389,7 @@ _kdc_do_digest(krb5_context context,
|
||||
}
|
||||
case choice_DigestReqInner_supportedMechs:
|
||||
|
||||
kdc_log(context, config, 0, "digest supportedMechs from %s", from);
|
||||
kdc_log(context, config, 4, "digest supportedMechs from %s", from);
|
||||
|
||||
r.element = choice_DigestRepInner_supportedMechs;
|
||||
memset(&r.u.supportedMechs, 0, sizeof(r.u.supportedMechs));
|
||||
@@ -1421,7 +1421,7 @@ _kdc_do_digest(krb5_context context,
|
||||
goto out;
|
||||
}
|
||||
|
||||
kdc_log(context, config, 0, "Digest failed with: %s", s);
|
||||
kdc_log(context, config, 2, "Digest failed with: %s", s);
|
||||
|
||||
r.element = choice_DigestRepInner_error;
|
||||
r.u.error.reason = strdup("unknown error");
|
||||
|
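Review bot: The authentication-failure messages in the hunks at @@ -669, @@ -794 and @@ -917 (`CHAP reply mismatch`, `DIGEST-MD5 reply mismatch`, `MS-CHAP-V2 hash mismatch`) are moved to level 2 but still record only the username, whereas the policy rejections around them record `from`; a failed-credential log line without the peer address is hard to correlate or rate-limit, so I would extend them, e.g. `"CHAP reply mismatch for %s from %s", ireq.u.digestRequest.username, from);`. `from` is used elsewhere in `_kdc_do_digest` (e.g. `"Digest request from %s", from`), so it appears to be in scope at those points; the function itself starts and ends outside the hunks. Separately, `digest supportedMechs from %s` in the hunk at @@ -1389 is the only request-received message moved to level 4, which the description says lies outside the new default 0-3; if that is deliberate, a comment such as `/* level 4: chatty probe, hidden at the default 0-3 */` would keep the next reader from taking it for a typo for 3.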