===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth2-hostbased.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- src/usr.bin/ssh/auth2-hostbased.c 2014/12/21 22:27:56 1.19
+++ src/usr.bin/ssh/auth2-hostbased.c 2014/12/23 22:42:48 1.20
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.19 2014/12/21 22:27:56 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.20 2014/12/23 22:42:48 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -162,7 +162,7 @@
 resolvedname = get_canonical_hostname(options.use_dns);
 ipaddr = get_remote_ipaddr();
- debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
+ debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,
 chost, resolvedname, ipaddr);
 if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
@@ -171,19 +171,27 @@
 }
 if (options.hostbased_uses_name_from_packet_only) {
- if (auth_rhosts2(pw, cuser, chost, chost) == 0)
+ if (auth_rhosts2(pw, cuser, chost, chost) == 0) {
+ debug2("%s: auth_rhosts2 refused "
+ "user \"%.100s\" host \"%.100s\" (from packet)",
+ __func__, cuser, chost);
 return 0;
+ }
 lookup = chost;
 } else {
 if (strcasecmp(resolvedname, chost) != 0)
 logit("userauth_hostbased mismatch: "
 "client sends %s, but we resolve %s to %s",
 chost, ipaddr, resolvedname);
- if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
+ if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) {
+ debug2("%s: auth_rhosts2 refused "
+ "user \"%.100s\" host \"%.100s\" addr \"%.100s\"",
+ __func__, cuser, resolvedname, ipaddr);
 return 0;
+ }
 lookup = resolvedname;
 }
- debug2("userauth_hostbased: access allowed by auth_rhosts2");
+ debug2("%s: access allowed by auth_rhosts2", __func__);
 if (key_is_cert(key) &&
 key_cert_check_authority(key, 1, 0, lookup, &reason)) {
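Review bot: The rewritten debug2() call in the second hunk still prints `chost` and `resolvedname` with an unbounded `%s`, while the refusal messages this same commit adds in the third hunk cap every field at `%.100s`. `chost` appears to be client-supplied (the existing logit text says "client sends"), so for consistency the format could read `debug2("%s: chost %.100s resolvedname %.100s ipaddr %s", __func__,`. Whether the logging layer already truncates or escapes the message is not visible here. The enclosing function starts and ends outside the hunk.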
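Review bot: Both refusal messages added in the third hunk are emitted at debug2, so at a less verbose log level this function records nothing about which user/host pair auth_rhosts2 rejected, whereas the name mismatch a few lines above is reported with logit(). If the denial is meant to be auditable and not only a debugging aid, the same text could go through `logit(`. Otherwise a short comment such as `/* failure is logged by the caller; detail is debug-only */` would record the intent, assuming the caller does log it, which the hunk does not show. The function body starts before and continues after this hunk.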