From 0beb8b37a1a4e7a48501e35d859e5ca182433edd Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Tue, 1 May 2018 18:54:04 +0100
Subject: [PATCH] Reduce verbosity of 'GSS init sec context failed' message.

Now we don't generate that message as a side effect of the periodic
check for new GSS credentials; we only generate it as part of the much
larger slew of messages that happen during a rekey.
---
 ssh.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/ssh.c b/ssh.c
index 3d35827c..3c0bd133 100644
--- a/ssh.c
+++ b/ssh.c
@@ -746,7 +746,7 @@ static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
 static void ssh2_timer(void *ctx, unsigned long now);
 static int ssh2_timer_update(Ssh ssh, unsigned long rekey_time);
 #ifndef NO_GSSAPI
-static void ssh2_gss_update(Ssh ssh);
+static void ssh2_gss_update(Ssh ssh, int definitely_rekeying);
 static struct Packet *ssh2_gss_authpacket(Ssh ssh, Ssh_gss_ctx gss_ctx,
                                           const char *authtype);
 #endif
@@ -6609,7 +6609,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
          * state is "fresh".
          */
         if (!vin || strcmp(vin, GSS_UPDATE_REKEY_REASON) != 0)
-            ssh2_gss_update(ssh);
+            ssh2_gss_update(ssh, TRUE);
 
         /* Do GSSAPI KEX when capable */
         s->can_gssapi_keyex = ssh->gss_status & GSS_KEX_CAPABLE;
@@ -11888,7 +11888,7 @@ static struct Packet *ssh2_gss_authpacket(Ssh ssh, Ssh_gss_ctx gss_ctx,
  * we use the expiration of a newly obtained context as a proxy for the
  * expiration of the TGT.
  */
-static void ssh2_gss_update(Ssh ssh)
+static void ssh2_gss_update(Ssh ssh, int definitely_rekeying)
 {
     int gss_stat;
     time_t gss_cred_expiry;
@@ -11954,8 +11954,17 @@ static void ssh2_gss_update(Ssh ssh)
 
     if (gss_stat != SSH_GSS_OK &&
         gss_stat != SSH_GSS_S_CONTINUE_NEEDED) {
-        logeventf(ssh, "GSSAPI init sec context failed;"
-                  " won't use GSS key exchange");
+        /*
+         * No point in verbosely interrupting the user to tell them we
+         * couldn't get GSS credentials, if this was only a check
+         * between key exchanges to see if fresh ones were available.
+         * When we do do a rekey, this message (if displayed) will
+         * appear among the standard rekey blurb, but when we're not,
+         * it shouldn't pop up all the time regardless.
+         */
+        if (definitely_rekeying)
+            logeventf(ssh, "No GSSAPI security context available");
+
         return;
     }
 
@@ -12079,7 +12088,7 @@ static void ssh2_timer(void *ctx, unsigned long now)
      * this is unsafe.
      */
     if (conf_get_int(ssh->conf, CONF_gssapirekey)) {
-        ssh2_gss_update(ssh);
+        ssh2_gss_update(ssh, FALSE);
         if ((ssh->gss_status & GSS_KEX_CAPABLE) != 0 &&
             (ssh->gss_status & GSS_CTXT_MAYFAIL) == 0 &&
             (ssh->gss_status & (GSS_CRED_UPDATED|GSS_CTXT_EXPIRES)) != 0) {