upstream: switch over to the new authorized_keys options API and

remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df

1 files changed, 27 insertions, 17 deletions

diff --git a/monitor_wrap.c b/monitor_wrap.c
index cce318bc..9666bda4 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.98 2018/01/08 15:14:44 markus Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -351,7 +351,7 @@ mm_inform_authserv(char *service, char *style)
 
 /* Do the password authentication */
 int
-mm_auth_password(Authctxt *authctxt, char *password)
+mm_auth_password(struct ssh *ssh, char *password)
 {
 	Buffer m;
 	int authenticated = 0;
@@ -378,34 +378,38 @@ mm_auth_password(Authctxt *authctxt, char *password)
 }
 
 int
-mm_user_key_allowed(struct passwd *pw, struct sshkey *key,
-    int pubkey_auth_attempt)
+mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
+    int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
 	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
-	    pubkey_auth_attempt));
+	    pubkey_auth_attempt, authoptp));
 }
 
 int
 mm_hostbased_key_allowed(struct passwd *pw, const char *user, const char *host,
     struct sshkey *key)
 {
-	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));
+	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
 }
 
 int
 mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
-    struct sshkey *key, int pubkey_auth_attempt)
+    struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
 	Buffer m;
 	u_char *blob;
 	u_int len;
-	int allowed = 0, have_forced = 0;
+	int r, allowed = 0;
+	struct sshauthopt *opts = NULL;
 
 	debug3("%s entering", __func__);
 
+	if (authoptp != NULL)
+		*authoptp = NULL;
+
 	/* Convert the key to a blob and the pass it over */
 	if (!key_to_blob(key, &blob, &len))
-		return (0);
+		return 0;
 
 	buffer_init(&m);
 	buffer_put_int(&m, type);
@@ -418,18 +422,24 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
 
 	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd,
+	    MONITOR_ANS_KEYALLOWED, &m);
 
 	allowed = buffer_get_int(&m);
-
-	/* fake forced command */
-	auth_clear_options();
-	have_forced = buffer_get_int(&m);
-	forced_command = have_forced ? xstrdup("true") : NULL;
-
+	if (allowed && type == MM_USERKEY) {
+		if ((r = sshauthopt_deserialise(&m, &opts)) != 0)
+			fatal("%s: sshauthopt_deserialise: %s",
+			    __func__, ssh_err(r));
+	}
 	buffer_free(&m);
 
-	return (allowed);
+	if (authoptp != NULL) {
+		*authoptp = opts;
+		opts = NULL;
+	}
+	sshauthopt_free(opts);
+
+	return allowed;
 }
 
 /*