1 files changed, 25 insertions, 9 deletions

diff --git a/auth.h b/auth.h
index 27a1a88ec..15ba7073e 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.93 2017/08/18 05:36:45 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.95 2018/03/03 03:15:51 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -42,9 +42,11 @@
 #include <krb5.h>
 #endif
 
+struct passwd;
 struct ssh;
-struct sshkey;
 struct sshbuf;
+struct sshkey;
+struct sshauthopt;
 
 typedef struct Authctxt Authctxt;
 typedef struct Authmethod Authmethod;
@@ -129,11 +131,12 @@ struct KbdintDevice
 int
 auth_rhosts2(struct passwd *, const char *, const char *, const char *);
 
-int      auth_password(Authctxt *, const char *);
+int      auth_password(struct ssh *, const char *);
 
 int      hostbased_key_allowed(struct passwd *, const char *, char *,
             struct sshkey *);
-int      user_key_allowed(struct passwd *, struct sshkey *, int);
+int      user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
+    struct sshauthopt **);
 int      auth2_key_already_used(Authctxt *, const struct sshkey *);
 
 /*
@@ -164,14 +167,12 @@ int auth_shadow_pwexpired(Authctxt *);
 #include "audit.h"
 void remove_kbdint_device(const char *);
 
-void disable_forwarding(void);
-
 void    do_authentication2(Authctxt *);
 
 void    auth_log(Authctxt *, int, int, const char *, const char *);
 void    auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
 void    userauth_finish(struct ssh *, int, const char *, const char *);
-int     auth_root_allowed(const char *);
+int     auth_root_allowed(struct ssh *, const char *);
 
 void    userauth_send_banner(const char *);
 
@@ -215,14 +216,29 @@ int	 get_hostkey_index(struct sshkey *, int, struct ssh *);
 int      sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **,
              size_t *, const u_char *, size_t, const char *, u_int);
 
+/* Key / cert options linkage to auth layer */
+const struct sshauthopt *auth_options(struct ssh *);
+int      auth_activate_options(struct ssh *, struct sshauthopt *);
+void     auth_restrict_session(struct ssh *);
+int      auth_authorise_keyopts(struct ssh *, struct passwd *pw,
+    struct sshauthopt *, int, const char *);
+void     auth_log_authopts(const char *, const struct sshauthopt *, int);
+
 /* debug messages during authentication */
-void     auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void     auth_debug_add(const char *fmt,...)
+    __attribute__((format(printf, 1, 2)));
 void     auth_debug_send(void);
 void     auth_debug_reset(void);
 
 struct passwd *fakepw(void);
 
-int      sys_auth_passwd(Authctxt *, const char *);
+#define SSH_SUBPROCESS_STDOUT_DISCARD  (1)     /* Discard stdout */
+#define SSH_SUBPROCESS_STDOUT_CAPTURE  (1<<1)  /* Redirect stdout */
+#define SSH_SUBPROCESS_STDERR_DISCARD  (1<<2)  /* Discard stderr */
+pid_t   subprocess(const char *, struct passwd *,
+    const char *, int, char **, FILE **, u_int flags);
+
+int      sys_auth_passwd(struct ssh *, const char *);
 
 #define SKEY_PROMPT "\nS/Key Password: "