upstream: switch over to the new authorized_keys options API and

remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@ OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
author: djm@openbsd.org <djm@openbsd.org> 2018-03-03 03:15:51 +0000
committer: Damien Miller <djm@mindrot.org> 2018-03-03 14:37:16 +1100
commit: 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (patch)
tree: 48c837fc9c9e11d64862d4f54c1a886b54d8721c /auth-passwd.c
parent: 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (diff)
1 files changed, 12 insertions, 18 deletions
diff --git a/auth-passwd.c b/auth-passwd.c
index 996c2cf71..6097fdd24 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
+/* $OpenBSD: auth-passwd.c,v 1.46 2018/03/03 03:15:51 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -68,22 +68,15 @@ extern login_cap_t *lc;
 #define MAX_PASSWORD_LEN        1024
-void
-disable_forwarding(void)
-{
-        no_port_forwarding_flag = 1;
-        no_agent_forwarding_flag = 1;
-        no_x11_forwarding_flag = 1;
-}
 /*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
 int
-auth_password(Authctxt *authctxt, const char *password)
+auth_password(struct ssh *ssh, const char *password)
 {
-        struct passwd * pw = authctxt->pw;
+        Authctxt *authctxt = ssh->authctxt;
+        struct passwd *pw = authctxt->pw;
        int result, ok = authctxt->valid;
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
        static int expire_checked = 0;
@@ -128,9 +121,9 @@ auth_password(Authctxt *authctxt, const char *password)
                        authctxt->force_pwchange = 1;
        }
 #endif
-        result = sys_auth_passwd(authctxt, password);
+        result = sys_auth_passwd(ssh, password);
        if (authctxt->force_pwchange)
-                disable_forwarding();
+                auth_restrict_session(ssh);
        return (result && ok);
 }
@@ -170,19 +163,19 @@ warn_expiry(Authctxt *authctxt, auth_session_t *as)
 }
 int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
+sys_auth_passwd(struct ssh *ssh, const char *password)
 {
-        struct passwd *pw = authctxt->pw;
+        Authctxt *authctxt = ssh->authctxt;
        auth_session_t *as;
        static int expire_checked = 0;
-        as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
+        as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh",
            (char *)password);
        if (as == NULL)
                return (0);
        if (auth_getstate(as) & AUTH_PWEXPIRED) {
                auth_close(as);
-                disable_forwarding();
+                auth_restrict_session(ssh);
                authctxt->force_pwchange = 1;
                return (1);
        } else {
@@ -195,8 +188,9 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 }
 #elif !defined(CUSTOM_SYS_AUTH_PASSWD)
 int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
+sys_auth_passwd(struct ssh *ssh, const char *password)
 {
+        Authctxt *authctxt = ssh->authctxt;
        struct passwd *pw = authctxt->pw;
        char *encrypted_password, *salt = NULL;
author	djm@openbsd.org <djm@openbsd.org>	2018-03-03 03:15:51 +0000
committer	Damien Miller <djm@mindrot.org>	2018-03-03 14:37:16 +1100
commit	7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (patch)
tree	48c837fc9c9e11d64862d4f54c1a886b54d8721c /auth-passwd.c
parent	90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (diff)