Import openssh_7.4p1.orig.tar.gz

1 files changed, 62 insertions, 345 deletions

diff --git a/monitor.c b/monitor.c
index cb57bd066..43f484709 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.161 2016/07/22 03:39:13 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.166 2016/09/28 16:33:06 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -94,7 +94,6 @@
 #include "misc.h"
 #include "servconf.h"
 #include "monitor.h"
-#include "monitor_mm.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -169,10 +168,6 @@ static int monitor_read_log(struct monitor *);
 
 static Authctxt *authctxt;
 
-#ifdef WITH_SSH1
-static BIGNUM *ssh1_challenge = NULL;   /* used for ssh1 rsa auth */
-#endif
-
 /* local state for key verify */
 static u_char *key_blob = NULL;
 static u_int key_bloblen = 0;
@@ -212,9 +207,9 @@ struct mon_table mon_dispatch_proto20[] = {
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
     {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
-    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+    {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_pam_init_ctx},
+    {MONITOR_REQ_PAM_QUERY, 0, mm_answer_pam_query},
+    {MONITOR_REQ_PAM_RESPOND, MON_ONCE, mm_answer_pam_respond},
     {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -232,9 +227,9 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
 #ifdef GSSAPI
     {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
-    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
-    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
-    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
+    {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
 #endif
     {0, 0, NULL}
 };
@@ -254,52 +249,6 @@ struct mon_table mon_dispatch_postauth20[] = {
     {0, 0, NULL}
 };
 
-struct mon_table mon_dispatch_proto15[] = {
-#ifdef WITH_SSH1
-    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
-    {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
-    {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
-    {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
-    {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
-#ifdef BSD_AUTH
-    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
-#endif
-#ifdef SKEY
-    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
-    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-#endif
-#ifdef USE_PAM
-    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
-    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
-#endif
-#ifdef SSH_AUDIT_EVENTS
-    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-#endif
-#endif /* WITH_SSH1 */
-    {0, 0, NULL}
-};
-
-struct mon_table mon_dispatch_postauth15[] = {
-#ifdef WITH_SSH1
-    {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
-    {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
-    {MONITOR_REQ_TERM, 0, mm_answer_term},
-#ifdef SSH_AUDIT_EVENTS
-    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
-#endif
-#endif /* WITH_SSH1 */
-    {0, 0, NULL}
-};
-
 struct mon_table *mon_dispatch;
 
 /* Specifies if a certain message is allowed at the moment */
@@ -348,17 +297,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
         authctxt->loginmsg = &loginmsg;
 
-        if (compat20) {
-                mon_dispatch = mon_dispatch_proto20;
-
-                /* Permit requests for moduli and signatures */
-                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
-                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
-        } else {
-                mon_dispatch = mon_dispatch_proto15;
-
-                monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
-        }
+        mon_dispatch = mon_dispatch_proto20;
+        /* Permit requests for moduli and signatures */
+        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 
         /* The first few requests do not require asynchronous access */
         while (!authenticated) {
@@ -369,9 +311,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
                 /* Special handling for multiple required authentications */
                 if (options.num_auth_methods != 0) {
-                        if (!compat20)
-                                fatal("AuthenticationMethods is not supported"
-                                    "with SSH protocol 1");
                         if (authenticated &&
                             !auth2_update_methods_lists(authctxt,
                             auth_method, auth_submethod)) {
@@ -455,17 +394,13 @@ monitor_child_postauth(struct monitor *pmonitor)
         signal(SIGXFSZ, SIG_IGN);
 #endif
 
-        if (compat20) {
-                mon_dispatch = mon_dispatch_postauth20;
+        mon_dispatch = mon_dispatch_postauth20;
+
+        /* Permit requests for moduli and signatures */
+        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
 
-                /* Permit requests for moduli and signatures */
-                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
-                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
-                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-        } else {
-                mon_dispatch = mon_dispatch_postauth15;
-                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-        }
         if (!no_pty_flag) {
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
@@ -475,31 +410,6 @@ monitor_child_postauth(struct monitor *pmonitor)
                 monitor_read(pmonitor, mon_dispatch, NULL);
 }
 
-void
-monitor_sync(struct monitor *pmonitor)
-{
-        if (options.compression) {
-                /* The member allocation is not visible, so sync it */
-                mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
-        }
-}
-
-/* Allocation functions for zlib */
-static void *
-mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
-{
-        if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size)
-                fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
-
-        return mm_malloc(mm, size * ncount);
-}
-
-static void
-mm_zfree(struct mm_master *mm, void *address)
-{
-        mm_free(mm, address);
-}
-
 static int
 monitor_read_log(struct monitor *pmonitor)
 {
@@ -845,7 +755,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 #undef M_CP_STRARRAYOPT
 
         /* Create valid auth method lists */
-        if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
+        if (auth2_setup_methods_lists(authctxt) != 0) {
                 /*
                  * The monitor will continue long enough to let the child
                  * run to it's packet_disconnect(), but it must not allow any
@@ -857,14 +767,10 @@ mm_answer_pwnamallow(int sock, Buffer *m)
         debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
         mm_request_send(sock, MONITOR_ANS_PWNAM, m);
 
-        /* For SSHv1 allow authentication now */
-        if (!compat20)
-                monitor_permit_authentications(1);
-        else {
-                /* Allow service/style information on the auth context */
-                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
-                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
-        }
+        /* Allow service/style information on the auth context */
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+
 #ifdef USE_PAM
         if (options.use_pam)
                 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
@@ -912,6 +818,8 @@ mm_answer_authpassword(int sock, Buffer *m)
         int authenticated;
         u_int plen;
 
+        if (!options.password_authentication)
+                fatal("%s: password authentication not enabled", __func__);
         passwd = buffer_get_string(m, &plen);
         /* Only authenticate if the context is valid */
         authenticated = options.password_authentication &&
@@ -948,6 +856,8 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
         char **prompts;
         u_int success;
 
+        if (!options.kbd_interactive_authentication)
+                fatal("%s: kbd-int authentication not enabled", __func__);
         success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
             &prompts, &echo_on) < 0 ? 0 : 1;
 
@@ -975,6 +885,8 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
         char *response;
         int authok;
 
+        if (!options.kbd_interactive_authentication)
+                fatal("%s: kbd-int authentication not enabled", __func__);
         if (authctxt->as == NULL)
                 fatal("%s: no bsd auth session", __func__);
 
@@ -991,11 +903,8 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
         debug3("%s: sending authenticated: %d", __func__, authok);
         mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 
-        if (compat20) {
-                auth_method = "keyboard-interactive";
-                auth_submethod = "bsdauth";
-        } else
-                auth_method = "bsdauth";
+        auth_method = "keyboard-interactive";
+        auth_submethod = "bsdauth";
 
         return (authok != 0);
 }
@@ -1061,6 +970,8 @@ mm_answer_pam_start(int sock, Buffer *m)
         start_pam(authctxt);
 
         monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
+        if (options.kbd_interactive_authentication)
+                monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
 
         return (0);
 }
@@ -1071,7 +982,7 @@ mm_answer_pam_account(int sock, Buffer *m)
         u_int ret;
 
         if (!options.use_pam)
-                fatal("UsePAM not set, but ended up in %s anyway", __func__);
+                fatal("%s: PAM not enabled", __func__);
 
         ret = do_pam_account();
 
@@ -1090,11 +1001,16 @@ int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
         debug3("%s", __func__);
+        if (!options.kbd_interactive_authentication)
+                fatal("%s: kbd-int authentication not enabled", __func__);
+        if (sshpam_ctxt != NULL)
+                fatal("%s: already called", __func__);
         sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
         sshpam_authok = NULL;
         buffer_clear(m);
         if (sshpam_ctxt != NULL) {
                 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_PAM_QUERY, 1);
                 buffer_put_int(m, 1);
         } else {
                 buffer_put_int(m, 0);
@@ -1112,11 +1028,15 @@ mm_answer_pam_query(int sock, Buffer *m)
 
         debug3("%s", __func__);
         sshpam_authok = NULL;
-        ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+        if (sshpam_ctxt == NULL)
+                fatal("%s: no context", __func__);
+        ret = (sshpam_device.query)(sshpam_ctxt, &name, &info,
+            &num, &prompts, &echo_on);
         if (ret == 0 && num == 0)
                 sshpam_authok = sshpam_ctxt;
         if (num > 1 || name == NULL || info == NULL)
-                ret = -1;
+                fatal("sshpam_device.query failed");
+        monitor_permit(mon_dispatch, MONITOR_REQ_PAM_RESPOND, 1);
         buffer_clear(m);
         buffer_put_int(m, ret);
         buffer_put_cstring(m, name);
@@ -1146,6 +1066,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
         int ret;
 
         debug3("%s", __func__);
+        if (sshpam_ctxt == NULL)
+                fatal("%s: no context", __func__);
         sshpam_authok = NULL;
         num = buffer_get_int(m);
         if (num > 0) {
@@ -1175,10 +1097,14 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
         int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
         debug3("%s", __func__);
+        if (sshpam_ctxt == NULL)
+                fatal("%s: no context", __func__);
         (sshpam_device.free_ctx)(sshpam_ctxt);
         sshpam_ctxt = sshpam_authok = NULL;
         buffer_clear(m);
         mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+        /* Allow another attempt */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
         auth_method = "keyboard-interactive";
         auth_submethod = "pam";
         return r;
@@ -1205,10 +1131,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
 
         key = key_from_blob(blob, bloblen);
 
-        if ((compat20 && type == MM_RSAHOSTKEY) ||
-            (!compat20 && type != MM_RSAHOSTKEY))
-                fatal("%s: key type and protocol mismatch", __func__);
-
         debug3("%s: key_from_blob: %p", __func__, key);
 
         if (key != NULL && authctxt->valid) {
@@ -1242,17 +1164,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
                             cuser, chost);
                         auth_method = "hostbased";
                         break;
-#ifdef WITH_SSH1
-                case MM_RSAHOSTKEY:
-                        key->type = KEY_RSA1; /* XXX */
-                        allowed = options.rhosts_rsa_authentication &&
-                            auth_rhosts_rsa_key_allowed(authctxt->pw,
-                            cuser, chost, key);
-                        if (options.rhosts_rsa_authentication && allowed != 1)
-                                auth_clear_options();
-                        auth_method = "rsa";
-                        break;
-#endif
                 default:
                         fatal("%s: unknown key type %d", __func__, type);
                         break;
@@ -1289,9 +1200,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
 
         mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);
 
-        if (type == MM_RSAHOSTKEY)
-                monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
-
         return (0);
 }
 
@@ -1484,9 +1392,6 @@ mm_record_login(Session *s, struct passwd *pw)
         socklen_t fromlen;
         struct sockaddr_storage from;
 
-        if (options.use_login)
-                return;
-
         /*
          * Get IP address of client. If the connection is not a socket, let
          * the address be 0.0.0.0.
@@ -1600,186 +1505,6 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
         return (0);
 }
 
-#ifdef WITH_SSH1
-int
-mm_answer_sesskey(int sock, Buffer *m)
-{
-        BIGNUM *p;
-        int rsafail;
-
-        /* Turn off permissions */
-        monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0);
-
-        if ((p = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        buffer_get_bignum2(m, p);
-
-        rsafail = ssh1_session_key(p);
-
-        buffer_clear(m);
-        buffer_put_int(m, rsafail);
-        buffer_put_bignum2(m, p);
-
-        BN_clear_free(p);
-
-        mm_request_send(sock, MONITOR_ANS_SESSKEY, m);
-
-        /* Turn on permissions for sessid passing */
-        monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);
-
-        return (0);
-}
-
-int
-mm_answer_sessid(int sock, Buffer *m)
-{
-        int i;
-
-        debug3("%s entering", __func__);
-
-        if (buffer_len(m) != 16)
-                fatal("%s: bad ssh1 session id", __func__);
-        for (i = 0; i < 16; i++)
-                session_id[i] = buffer_get_char(m);
-
-        /* Turn on permissions for getpwnam */
-        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
-
-        return (0);
-}
-
-int
-mm_answer_rsa_keyallowed(int sock, Buffer *m)
-{
-        BIGNUM *client_n;
-        Key *key = NULL;
-        u_char *blob = NULL;
-        u_int blen = 0;
-        int allowed = 0;
-
-        debug3("%s entering", __func__);
-
-        auth_method = "rsa";
-        if (options.rsa_authentication && authctxt->valid) {
-                if ((client_n = BN_new()) == NULL)
-                        fatal("%s: BN_new", __func__);
-                buffer_get_bignum2(m, client_n);
-                allowed = auth_rsa_key_allowed(authctxt->pw, client_n, &key);
-                BN_clear_free(client_n);
-        }
-        buffer_clear(m);
-        buffer_put_int(m, allowed);
-        buffer_put_int(m, forced_command != NULL);
-
-        /* clear temporarily storage (used by generate challenge) */
-        monitor_reset_key_state();
-
-        if (allowed && key != NULL) {
-                key->type = KEY_RSA;    /* cheat for key_to_blob */
-                if (key_to_blob(key, &blob, &blen) == 0)
-                        fatal("%s: key_to_blob failed", __func__);
-                buffer_put_string(m, blob, blen);
-
-                /* Save temporarily for comparison in verify */
-                key_blob = blob;
-                key_bloblen = blen;
-                key_blobtype = MM_RSAUSERKEY;
-        }
-        if (key != NULL)
-                key_free(key);
-
-        mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m);
-
-        monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
-        monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);
-        return (0);
-}
-
-int
-mm_answer_rsa_challenge(int sock, Buffer *m)
-{
-        Key *key = NULL;
-        u_char *blob;
-        u_int blen;
-
-        debug3("%s entering", __func__);
-
-        if (!authctxt->valid)
-                fatal("%s: authctxt not valid", __func__);
-        blob = buffer_get_string(m, &blen);
-        if (!monitor_allowed_key(blob, blen))
-                fatal("%s: bad key, not previously allowed", __func__);
-        if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
-                fatal("%s: key type mismatch", __func__);
-        if ((key = key_from_blob(blob, blen)) == NULL)
-                fatal("%s: received bad key", __func__);
-        if (key->type != KEY_RSA)
-                fatal("%s: received bad key type %d", __func__, key->type);
-        key->type = KEY_RSA1;
-        if (ssh1_challenge)
-                BN_clear_free(ssh1_challenge);
-        ssh1_challenge = auth_rsa_generate_challenge(key);
-
-        buffer_clear(m);
-        buffer_put_bignum2(m, ssh1_challenge);
-
-        debug3("%s sending reply", __func__);
-        mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m);
-
-        monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
-
-        free(blob);
-        key_free(key);
-        return (0);
-}
-
-int
-mm_answer_rsa_response(int sock, Buffer *m)
-{
-        Key *key = NULL;
-        u_char *blob, *response;
-        u_int blen, len;
-        int success;
-
-        debug3("%s entering", __func__);
-
-        if (!authctxt->valid)
-                fatal("%s: authctxt not valid", __func__);
-        if (ssh1_challenge == NULL)
-                fatal("%s: no ssh1_challenge", __func__);
-
-        blob = buffer_get_string(m, &blen);
-        if (!monitor_allowed_key(blob, blen))
-                fatal("%s: bad key, not previously allowed", __func__);
-        if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
-                fatal("%s: key type mismatch: %d", __func__, key_blobtype);
-        if ((key = key_from_blob(blob, blen)) == NULL)
-                fatal("%s: received bad key", __func__);
-        response = buffer_get_string(m, &len);
-        if (len != 16)
-                fatal("%s: received bad response to challenge", __func__);
-        success = auth_rsa_verify_response(key, ssh1_challenge, response);
-
-        free(blob);
-        key_free(key);
-        free(response);
-
-        auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
-
-        /* reset state */
-        BN_clear_free(ssh1_challenge);
-        ssh1_challenge = NULL;
-        monitor_reset_key_state();
-
-        buffer_clear(m);
-        buffer_put_int(m, success);
-        mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m);
-
-        return (success);
-}
-#endif
-
 int
 mm_answer_term(int sock, Buffer *req)
 {
@@ -1881,13 +1606,6 @@ monitor_apply_keystate(struct monitor *pmonitor)
                 kex->host_key_index=&get_hostkey_index;
                 kex->sign = sshd_hostkey_sign;
         }
-
-        /* Update with new address */
-        if (options.compression) {
-                ssh_packet_set_compress_hooks(ssh, pmonitor->m_zlib,
-                    (ssh_packet_comp_alloc_func *)mm_zalloc,
-                    (ssh_packet_comp_free_func *)mm_zfree);
-        }
 }
 
 /* This function requries careful sanity checking */
@@ -1940,24 +1658,11 @@ monitor_openfds(struct monitor *mon, int do_logfds)
 struct monitor *
 monitor_init(void)
 {
-        struct ssh *ssh = active_state;                 /* XXX */
         struct monitor *mon;
 
         mon = xcalloc(1, sizeof(*mon));
-
         monitor_openfds(mon, 1);
 
-        /* Used to share zlib space across processes */
-        if (options.compression) {
-                mon->m_zback = mm_create(NULL, MM_MEMSIZE);
-                mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
-
-                /* Compression needs to share state across borders */
-                ssh_packet_set_compress_hooks(ssh, mon->m_zlib,
-                    (ssh_packet_comp_alloc_func *)mm_zalloc,
-                    (ssh_packet_comp_free_func *)mm_zfree);
-        }
-
         return mon;
 }
 
@@ -1975,6 +1680,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
         OM_uint32 major;
         u_int len;
 
+        if (!options.gss_authentication)
+                fatal("%s: GSSAPI authentication not enabled", __func__);
+
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
 
@@ -2002,6 +1710,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
 
+        if (!options.gss_authentication)
+                fatal("%s: GSSAPI authentication not enabled", __func__);
+
         in.value = buffer_get_string(m, &len);
         in.length = len;
         major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2030,6 +1741,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
         OM_uint32 ret;
         u_int len;
 
+        if (!options.gss_authentication)
+                fatal("%s: GSSAPI authentication not enabled", __func__);
+
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
         mic.value = buffer_get_string(m, &len);
@@ -2056,6 +1770,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
         int authenticated;
 
+        if (!options.gss_authentication)
+                fatal("%s: GSSAPI authentication not enabled", __func__);
+
         authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
 
         buffer_clear(m);