upstream: switch over to the new authorized_keys options API and

remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@ OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
author: djm@openbsd.org <djm@openbsd.org> 2018-03-03 03:15:51 +0000
committer: Damien Miller <djm@mindrot.org> 2018-03-03 14:37:16 +1100
commit: 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (patch)
tree: 48c837fc9c9e11d64862d4f54c1a886b54d8721c /monitor_wrap.c
parent: 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (diff)
1 files changed, 27 insertions, 17 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index cce318bc5..9666bda4b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.98 2018/01/08 15:14:44 markus Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -351,7 +351,7 @@ mm_inform_authserv(char *service, char *style)
 /* Do the password authentication */
 int
-mm_auth_password(Authctxt *authctxt, char *password)
+mm_auth_password(struct ssh *ssh, char *password)
 {
        Buffer m;
        int authenticated = 0;
@@ -378,34 +378,38 @@ mm_auth_password(Authctxt *authctxt, char *password)
 }
 int
-mm_user_key_allowed(struct passwd *pw, struct sshkey *key,
+mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
-    int pubkey_auth_attempt)
+    int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
        return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
-            pubkey_auth_attempt));
+            pubkey_auth_attempt, authoptp));
 }
 int
 mm_hostbased_key_allowed(struct passwd *pw, const char *user, const char *host,
    struct sshkey *key)
 {
-        return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));
+        return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
 }
 int
 mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
-    struct sshkey *key, int pubkey_auth_attempt)
+    struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
        Buffer m;
        u_char *blob;
        u_int len;
-        int allowed = 0, have_forced = 0;
+        int r, allowed = 0;
+        struct sshauthopt *opts = NULL;
        debug3("%s entering", __func__);
+        if (authoptp != NULL)
+                *authoptp = NULL;
        /* Convert the key to a blob and the pass it over */
        if (!key_to_blob(key, &blob, &len))
-                return (0);
+                return 0;
        buffer_init(&m);
        buffer_put_int(&m, type);
@@ -418,18 +422,24 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
        debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_KEYALLOWED, &m);
        allowed = buffer_get_int(&m);
+        if (allowed && type == MM_USERKEY) {
-        /* fake forced command */
+                if ((r = sshauthopt_deserialise(&m, &opts)) != 0)
-        auth_clear_options();
+                        fatal("%s: sshauthopt_deserialise: %s",
-        have_forced = buffer_get_int(&m);
+                            __func__, ssh_err(r));
-        forced_command = have_forced ? xstrdup("true") : NULL;
+        }
        buffer_free(&m);
-        return (allowed);
+        if (authoptp != NULL) {
+                *authoptp = opts;
+                opts = NULL;
+        }
+        sshauthopt_free(opts);
+        return allowed;
 }
 /*
author	djm@openbsd.org <djm@openbsd.org>	2018-03-03 03:15:51 +0000
committer	Damien Miller <djm@mindrot.org>	2018-03-03 14:37:16 +1100
commit	7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (patch)
tree	48c837fc9c9e11d64862d4f54c1a886b54d8721c /monitor_wrap.c
parent	90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index cce318bc5..9666bda4b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: monitor_wrap.c,v 1.98 2018/01/08 15:14:44 markus Exp $ */	1	/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */
2	/*	2	/*
3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
4	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -351,7 +351,7 @@ mm_inform_authserv(char service, char style)
351		351
352	/* Do the password authentication */	352	/* Do the password authentication */
353	int	353	int
354	mm_auth_password(Authctxt authctxt, char password)	354	mm_auth_password(struct ssh ssh, char password)
355	{	355	{
356	Buffer m;	356	Buffer m;
357	int authenticated = 0;	357	int authenticated = 0;
@@ -378,34 +378,38 @@ mm_auth_password(Authctxt authctxt, char password)
378	}	378	}
379		379
380	int	380	int
381	mm_user_key_allowed(struct passwd pw, struct sshkey key,	381	mm_user_key_allowed(struct ssh ssh, struct passwd pw, struct sshkey *key,
382	int pubkey_auth_attempt)	382	int pubkey_auth_attempt, struct sshauthopt **authoptp)
383	{	383	{
384	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,	384	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
385	pubkey_auth_attempt));	385	pubkey_auth_attempt, authoptp));
386	}	386	}
387		387
388	int	388	int
389	mm_hostbased_key_allowed(struct passwd pw, const char user, const char *host,	389	mm_hostbased_key_allowed(struct passwd pw, const char user, const char *host,
390	struct sshkey *key)	390	struct sshkey *key)
391	{	391	{
392	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));	392	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
393	}	393	}
394		394
395	int	395	int
396	mm_key_allowed(enum mm_keytype type, const char user, const char host,	396	mm_key_allowed(enum mm_keytype type, const char user, const char host,
397	struct sshkey *key, int pubkey_auth_attempt)	397	struct sshkey key, int pubkey_auth_attempt, struct sshauthopt *authoptp)
398	{	398	{
399	Buffer m;	399	Buffer m;
400	u_char *blob;	400	u_char *blob;
401	u_int len;	401	u_int len;
402	int allowed = 0, have_forced = 0;	402	int r, allowed = 0;
		403	struct sshauthopt *opts = NULL;
403		404
404	debug3("%s entering", __func__);	405	debug3("%s entering", __func__);
405		406
		407	if (authoptp != NULL)
		408	*authoptp = NULL;
		409
406	/* Convert the key to a blob and the pass it over */	410	/* Convert the key to a blob and the pass it over */
407	if (!key_to_blob(key, &blob, &len))	411	if (!key_to_blob(key, &blob, &len))
408	return (0);	412	return 0;
409		413
410	buffer_init(&m);	414	buffer_init(&m);
411	buffer_put_int(&m, type);	415	buffer_put_int(&m, type);
@@ -418,18 +422,24 @@ mm_key_allowed(enum mm_keytype type, const char user, const char host,
418	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);	422	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
419		423
420	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);	424	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
421	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);	425	mm_request_receive_expect(pmonitor->m_recvfd,
		426	MONITOR_ANS_KEYALLOWED, &m);
422		427
423	allowed = buffer_get_int(&m);	428	allowed = buffer_get_int(&m);
424		429	if (allowed && type == MM_USERKEY) {
425	/* fake forced command */	430	if ((r = sshauthopt_deserialise(&m, &opts)) != 0)
426	auth_clear_options();	431	fatal("%s: sshauthopt_deserialise: %s",
427	have_forced = buffer_get_int(&m);	432	__func__, ssh_err(r));
428	forced_command = have_forced ? xstrdup("true") : NULL;	433	}
429
430	buffer_free(&m);	434	buffer_free(&m);
431		435
432	return (allowed);	436	if (authoptp != NULL) {
		437	*authoptp = opts;
		438	opts = NULL;
		439	}
		440	sshauthopt_free(opts);
		441
		442	return allowed;
433	}	443	}
434		444
435	/*	445	/*