summaryrefslogtreecommitdiff
path: root/ssh.h
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>1999-10-27 13:42:43 +1000
committerDamien Miller <djm@mindrot.org>1999-10-27 13:42:43 +1000
commitd4a8b7e34dd619a4debf9a206c81db26d1402ea6 (patch)
treea47d770a2f790f40d18b0982d4e55fa7cfb1fa3b /ssh.h
downloadopenssh-git-d4a8b7e34dd619a4debf9a206c81db26d1402ea6.tar.gz
Initial revision
Diffstat (limited to 'ssh.h')
-rw-r--r--ssh.h589
1 files changed, 589 insertions, 0 deletions
diff --git a/ssh.h b/ssh.h
new file mode 100644
index 00000000..a4bf136e
--- /dev/null
+++ b/ssh.h
@@ -0,0 +1,589 @@
+/*
+
+ssh.h
+
+Author: Tatu Ylonen <ylo@cs.hut.fi>
+
+Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ All rights reserved
+
+Created: Fri Mar 17 17:09:37 1995 ylo
+
+Generic header file for ssh.
+
+*/
+
+/* RCSID("$Id: ssh.h,v 1.1 1999/10/27 03:42:45 damien Exp $"); */
+
+#ifndef SSH_H
+#define SSH_H
+
+#include "rsa.h"
+#include "cipher.h"
+
+/* The default cipher used if IDEA is not supported by the remote host.
+ It is recommended that this be one of the mandatory ciphers (DES, 3DES),
+ though that is not required. */
+#define SSH_FALLBACK_CIPHER SSH_CIPHER_3DES
+
+/* Cipher used for encrypting authentication files. */
+#define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES
+
+/* Default port number. */
+#define SSH_DEFAULT_PORT 22
+
+/* Maximum number of TCP/IP ports forwarded per direction. */
+#define SSH_MAX_FORWARDS_PER_DIRECTION 100
+
+/* Maximum number of RSA authentication identity files that can be specified
+ in configuration files or on the command line. */
+#define SSH_MAX_IDENTITY_FILES 100
+
+/* Major protocol version. Different version indicates major incompatiblity
+ that prevents communication. */
+#define PROTOCOL_MAJOR 1
+
+/* Minor protocol version. Different version indicates minor incompatibility
+ that does not prevent interoperation. */
+#define PROTOCOL_MINOR 5
+
+/* Name for the service. The port named by this service overrides the default
+ port if present. */
+#define SSH_SERVICE_NAME "ssh"
+
+#ifndef ETCDIR
+#define ETCDIR "/etc"
+#endif /* ETCDIR */
+
+#define PIDDIR "/var/run"
+
+/* System-wide file containing host keys of known hosts. This file should be
+ world-readable. */
+#define SSH_SYSTEM_HOSTFILE ETCDIR "/ssh_known_hosts"
+
+/* HOST_KEY_FILE /etc/ssh_host_key,
+ SERVER_CONFIG_FILE /etc/sshd_config,
+and HOST_CONFIG_FILE /etc/ssh_config
+are all defined in Makefile.in. Of these, ssh_host_key should be readable
+only by root, whereas ssh_config should be world-readable. */
+
+#define HOST_KEY_FILE ETCDIR "/ssh_host_key"
+#define SERVER_CONFIG_FILE ETCDIR "/sshd_config"
+#define HOST_CONFIG_FILE ETCDIR "/ssh_config"
+
+#define SSH_PROGRAM "/usr/bin/ssh"
+
+/* The process id of the daemon listening for connections is saved
+ here to make it easier to kill the correct daemon when necessary. */
+#define SSH_DAEMON_PID_FILE PIDDIR "/sshd.pid"
+
+/* The directory in user\'s home directory in which the files reside.
+ The directory should be world-readable (though not all files are). */
+#define SSH_USER_DIR ".ssh"
+
+/* Per-user file containing host keys of known hosts. This file need
+ not be readable by anyone except the user him/herself, though this does
+ not contain anything particularly secret. */
+#define SSH_USER_HOSTFILE "~/.ssh/known_hosts"
+
+/* Name of the default file containing client-side authentication key.
+ This file should only be readable by the user him/herself. */
+#define SSH_CLIENT_IDENTITY ".ssh/identity"
+
+/* Configuration file in user\'s home directory. This file need not be
+ readable by anyone but the user him/herself, but does not contain
+ anything particularly secret. If the user\'s home directory resides
+ on an NFS volume where root is mapped to nobody, this may need to be
+ world-readable. */
+#define SSH_USER_CONFFILE ".ssh/config"
+
+/* File containing a list of those rsa keys that permit logging in as
+ this user. This file need not be
+ readable by anyone but the user him/herself, but does not contain
+ anything particularly secret. If the user\'s home directory resides
+ on an NFS volume where root is mapped to nobody, this may need to be
+ world-readable. (This file is read by the daemon which is running as
+ root.) */
+#define SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys"
+
+/* Per-user and system-wide ssh "rc" files. These files are executed with
+ /bin/sh before starting the shell or command if they exist. They
+ will be passed "proto cookie" as arguments if X11 forwarding with
+ spoofing is in use. xauth will be run if neither of these exists. */
+#define SSH_USER_RC ".ssh/rc"
+#define SSH_SYSTEM_RC ETCDIR "/sshrc"
+
+/* Ssh-only version of /etc/hosts.equiv. */
+#define SSH_HOSTS_EQUIV ETCDIR "/shosts.equiv"
+
+/* Additionally, the daemon may use ~/.rhosts and /etc/hosts.equiv if
+ rhosts authentication is enabled. */
+
+/* Name of the environment variable containing the pathname of the
+ authentication socket. */
+#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"
+
+/* Force host key length and server key length to differ by at least this
+ many bits. This is to make double encryption with rsaref work. */
+#define SSH_KEY_BITS_RESERVED 128
+
+/* Length of the session key in bytes. (Specified as 256 bits in the
+ protocol.) */
+#define SSH_SESSION_KEY_LENGTH 32
+
+/* Name of Kerberos service for SSH to use. */
+#define KRB4_SERVICE_NAME "rcmd"
+
+/* Authentication methods. New types can be added, but old types should not
+ be removed for compatibility. The maximum allowed value is 31. */
+#define SSH_AUTH_RHOSTS 1
+#define SSH_AUTH_RSA 2
+#define SSH_AUTH_PASSWORD 3
+#define SSH_AUTH_RHOSTS_RSA 4
+ /* 5 is TIS */
+#define SSH_AUTH_KERBEROS 6
+#define SSH_PASS_KERBEROS_TGT 7
+ /* 8 to 15 are reserved */
+#define SSH_PASS_AFS_TOKEN 21
+
+/* Protocol flags. These are bit masks. */
+#define SSH_PROTOFLAG_SCREEN_NUMBER 1 /* X11 forwarding includes screen */
+#define SSH_PROTOFLAG_HOST_IN_FWD_OPEN 2 /* forwarding opens contain host */
+
+/* Definition of message types. New values can be added, but old values
+ should not be removed or without careful consideration of the consequences
+ for compatibility. The maximum value is 254; value 255 is reserved
+ for future extension. */
+/* Message name */ /* msg code */ /* arguments */
+#define SSH_MSG_NONE 0 /* no message */
+#define SSH_MSG_DISCONNECT 1 /* cause (string) */
+#define SSH_SMSG_PUBLIC_KEY 2 /* ck,msk,srvk,hostk */
+#define SSH_CMSG_SESSION_KEY 3 /* key (BIGNUM) */
+#define SSH_CMSG_USER 4 /* user (string) */
+#define SSH_CMSG_AUTH_RHOSTS 5 /* user (string) */
+#define SSH_CMSG_AUTH_RSA 6 /* modulus (BIGNUM) */
+#define SSH_SMSG_AUTH_RSA_CHALLENGE 7 /* int (BIGNUM) */
+#define SSH_CMSG_AUTH_RSA_RESPONSE 8 /* int (BIGNUM) */
+#define SSH_CMSG_AUTH_PASSWORD 9 /* pass (string) */
+#define SSH_CMSG_REQUEST_PTY 10 /* TERM, tty modes */
+#define SSH_CMSG_WINDOW_SIZE 11 /* row,col,xpix,ypix */
+#define SSH_CMSG_EXEC_SHELL 12 /* */
+#define SSH_CMSG_EXEC_CMD 13 /* cmd (string) */
+#define SSH_SMSG_SUCCESS 14 /* */
+#define SSH_SMSG_FAILURE 15 /* */
+#define SSH_CMSG_STDIN_DATA 16 /* data (string) */
+#define SSH_SMSG_STDOUT_DATA 17 /* data (string) */
+#define SSH_SMSG_STDERR_DATA 18 /* data (string) */
+#define SSH_CMSG_EOF 19 /* */
+#define SSH_SMSG_EXITSTATUS 20 /* status (int) */
+#define SSH_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* channel (int) */
+#define SSH_MSG_CHANNEL_OPEN_FAILURE 22 /* channel (int) */
+#define SSH_MSG_CHANNEL_DATA 23 /* ch,data (int,str) */
+#define SSH_MSG_CHANNEL_CLOSE 24 /* channel (int) */
+#define SSH_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* channel (int) */
+/* SSH_CMSG_X11_REQUEST_FORWARDING 26 OBSOLETE */
+#define SSH_SMSG_X11_OPEN 27 /* channel (int) */
+#define SSH_CMSG_PORT_FORWARD_REQUEST 28 /* p,host,hp (i,s,i) */
+#define SSH_MSG_PORT_OPEN 29 /* ch,h,p (i,s,i) */
+#define SSH_CMSG_AGENT_REQUEST_FORWARDING 30 /* */
+#define SSH_SMSG_AGENT_OPEN 31 /* port (int) */
+#define SSH_MSG_IGNORE 32 /* string */
+#define SSH_CMSG_EXIT_CONFIRMATION 33 /* */
+#define SSH_CMSG_X11_REQUEST_FORWARDING 34 /* proto,data (s,s) */
+#define SSH_CMSG_AUTH_RHOSTS_RSA 35 /* user,mod (s,mpi) */
+#define SSH_MSG_DEBUG 36 /* string */
+#define SSH_CMSG_REQUEST_COMPRESSION 37 /* level 1-9 (int) */
+#define SSH_CMSG_MAX_PACKET_SIZE 38 /* size 4k-1024k (int) */
+#define SSH_CMSG_AUTH_TIS 39 /* this is proto-1.5, but we ignore TIS */
+#define SSH_SMSG_AUTH_TIS_CHALLENGE 40
+#define SSH_CMSG_AUTH_TIS_RESPONSE 41
+
+#define SSH_CMSG_AUTH_KERBEROS 42 /* (KTEXT) */
+#define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */
+#define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */
+#define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */
+
+
+/* Includes that need definitions above. */
+
+#include "readconf.h"
+
+/*------------ definitions for login.c -------------*/
+
+/* Returns the time when the user last logged in. Returns 0 if the
+ information is not available. This must be called before record_login.
+ The host from which the user logged in is stored in buf. */
+unsigned long get_last_login_time(uid_t uid, const char *logname,
+ char *buf, unsigned int bufsize);
+
+/* Records that the user has logged in. This does many things normally
+ done by login(1). */
+void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+ const char *host, struct sockaddr_in *addr);
+
+/* Records that the user has logged out. This does many thigs normally
+ done by login(1) or init. */
+void record_logout(int pid, const char *ttyname);
+
+/*------------ definitions for sshconnect.c ----------*/
+
+/* Opens a TCP/IP connection to the remote server on the given host. If
+ port is 0, the default port will be used. If anonymous is zero,
+ a privileged port will be allocated to make the connection.
+ This requires super-user privileges if anonymous is false.
+ Connection_attempts specifies the maximum number of tries, one per
+ second. This returns true on success, and zero on failure. If the
+ connection is successful, this calls packet_set_connection for the
+ connection. */
+int ssh_connect(const char *host, struct sockaddr_in *hostaddr,
+ int port, int connection_attempts,
+ int anonymous, uid_t original_real_uid,
+ const char *proxy_command);
+
+/* Starts a dialog with the server, and authenticates the current user on the
+ server. This does not need any extra privileges. The basic connection
+ to the server must already have been established before this is called.
+ If login fails, this function prints an error and never returns.
+ This initializes the random state, and leaves it initialized (it will also
+ have references from the packet module). */
+void ssh_login(int host_key_valid, RSA *host_key, const char *host,
+ struct sockaddr_in *hostaddr, Options *options,
+ uid_t original_real_uid);
+
+/*------------ Definitions for various authentication methods. -------*/
+
+/* Tries to authenticate the user using the .rhosts file. Returns true if
+ authentication succeeds. If ignore_rhosts is non-zero, this will not
+ consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
+ If strict_modes is true, checks ownership and modes of .rhosts/.shosts. */
+int auth_rhosts(struct passwd *pw, const char *client_user,
+ int ignore_rhosts, int strict_modes);
+
+/* Tries to authenticate the user using the .rhosts file and the host using
+ its host key. Returns true if authentication succeeds. */
+int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
+ unsigned int bits, BIGNUM *client_host_key_e,
+ BIGNUM *client_host_key_n, int ignore_rhosts,
+ int strict_modes);
+
+/* Tries to authenticate the user using password. Returns true if
+ authentication succeeds. */
+int auth_password(struct passwd *pw, const char *password);
+
+/* Performs the RSA authentication dialog with the client. This returns
+ 0 if the client could not be authenticated, and 1 if authentication was
+ successful. This may exit if there is a serious protocol violation. */
+int auth_rsa(struct passwd *pw, BIGNUM *client_n, int strict_modes);
+
+/* Parses an RSA key (number of bits, e, n) from a string. Moves the pointer
+ over the key. Skips any whitespace at the beginning and at end. */
+int auth_rsa_read_key(char **cpp, unsigned int *bitsp, BIGNUM *e, BIGNUM *n);
+
+/* Returns the name of the machine at the other end of the socket. The
+ returned string should be freed by the caller. */
+char *get_remote_hostname(int socket);
+
+/* Return the canonical name of the host in the other side of the current
+ connection (as returned by packet_get_connection). The host name is
+ cached, so it is efficient to call this several times. */
+const char *get_canonical_hostname(void);
+
+/* Returns the remote IP address as an ascii string. The value need not be
+ freed by the caller. */
+const char *get_remote_ipaddr(void);
+
+/* Returns the port number of the peer of the socket. */
+int get_peer_port(int sock);
+
+/* Returns the port number of the remote host. */
+int get_remote_port(void);
+
+/* Tries to match the host name (which must be in all lowercase) against the
+ comma-separated sequence of subpatterns (each possibly preceded by ! to
+ indicate negation). Returns true if there is a positive match; zero
+ otherwise. */
+int match_hostname(const char *host, const char *pattern, unsigned int len);
+
+/* Checks whether the given host is already in the list of our known hosts.
+ Returns HOST_OK if the host is known and has the specified key,
+ HOST_NEW if the host is not known, and HOST_CHANGED if the host is known
+ but used to have a different host key. The host must be in all lowercase. */
+typedef enum { HOST_OK, HOST_NEW, HOST_CHANGED } HostStatus;
+HostStatus check_host_in_hostfile(const char *filename,
+ const char *host, unsigned int bits,
+ BIGNUM *e, BIGNUM *n,
+ BIGNUM *ke, BIGNUM *kn);
+
+/* Appends an entry to the host file. Returns false if the entry
+ could not be appended. */
+int add_host_to_hostfile(const char *filename, const char *host,
+ unsigned int bits, BIGNUM *e, BIGNUM *n);
+
+/* Performs the RSA authentication challenge-response dialog with the client,
+ and returns true (non-zero) if the client gave the correct answer to
+ our challenge; returns zero if the client gives a wrong answer. */
+int auth_rsa_challenge_dialog(unsigned int bits, BIGNUM *e, BIGNUM *n);
+
+/* Reads a passphrase from /dev/tty with echo turned off. Returns the
+ passphrase (allocated with xmalloc). Exits if EOF is encountered.
+ If from_stdin is true, the passphrase will be read from stdin instead. */
+char *read_passphrase(const char *prompt, int from_stdin);
+
+/* Saves the authentication (private) key in a file, encrypting it with
+ passphrase. The identification of the file (lowest 64 bits of n)
+ will precede the key to provide identification of the key without
+ needing a passphrase. */
+int save_private_key(const char *filename, const char *passphrase,
+ RSA *private_key, const char *comment);
+
+/* Loads the public part of the key file (public key and comment).
+ Returns 0 if an error occurred; zero if the public key was successfully
+ read. The comment of the key is returned in comment_return if it is
+ non-NULL; the caller must free the value with xfree. */
+int load_public_key(const char *filename, RSA *pub,
+ char **comment_return);
+
+/* Loads the private key from the file. Returns 0 if an error is encountered
+ (file does not exist or is not readable, or passphrase is bad).
+ This initializes the private key. The comment of the key is returned
+ in comment_return if it is non-NULL; the caller must free the value
+ with xfree. */
+int load_private_key(const char *filename, const char *passphrase,
+ RSA *private_key, char **comment_return);
+
+/*------------ Definitions for logging. -----------------------*/
+
+/* Supported syslog facilities. */
+typedef enum
+{
+ SYSLOG_FACILITY_DAEMON,
+ SYSLOG_FACILITY_USER,
+ SYSLOG_FACILITY_AUTH,
+ SYSLOG_FACILITY_LOCAL0,
+ SYSLOG_FACILITY_LOCAL1,
+ SYSLOG_FACILITY_LOCAL2,
+ SYSLOG_FACILITY_LOCAL3,
+ SYSLOG_FACILITY_LOCAL4,
+ SYSLOG_FACILITY_LOCAL5,
+ SYSLOG_FACILITY_LOCAL6,
+ SYSLOG_FACILITY_LOCAL7
+} SyslogFacility;
+
+/* Initializes logging. If debug is non-zero, debug() will output something.
+ If quiet is non-zero, none of these will log send anything to syslog
+ (but maybe to stderr). */
+void log_init(char *av0, int on_stderr, int debug, int quiet,
+ SyslogFacility facility);
+
+/* Outputs a message to syslog or stderr, depending on the implementation.
+ The format must guarantee that the final message does not exceed 1024
+ characters. The message should not contain newline. */
+void log(const char *fmt, ...);
+
+/* Outputs a message to syslog or stderr, depending on the implementation.
+ The format must guarantee that the final message does not exceed 1024
+ characters. The message should not contain newline. */
+void debug(const char *fmt, ...);
+
+/* Outputs a message to syslog or stderr, depending on the implementation.
+ The format must guarantee that the final message does not exceed 1024
+ characters. The message should not contain newline. */
+void error(const char *fmt, ...);
+
+/* Outputs a message to syslog or stderr, depending on the implementation.
+ The format must guarantee that the final message does not exceed 1024
+ characters. The message should not contain newline.
+ This call never returns. */
+void fatal(const char *fmt, ...);
+
+/* Registers a cleanup function to be called by fatal() before exiting.
+ It is permissible to call fatal_remove_cleanup for the function itself
+ from the function. */
+void fatal_add_cleanup(void (*proc)(void *context), void *context);
+
+/* Removes a cleanup frunction to be called at fatal(). */
+void fatal_remove_cleanup(void (*proc)(void *context), void *context);
+
+/*---------------- definitions for channels ------------------*/
+
+/* Sets specific protocol options. */
+void channel_set_options(int hostname_in_open);
+
+/* Allocate a new channel object and set its type and socket. Remote_name
+ must have been allocated with xmalloc; this will free it when the channel
+ is freed. */
+int channel_allocate(int type, int sock, char *remote_name);
+
+/* Free the channel and close its socket. */
+void channel_free(int channel);
+
+/* Add any bits relevant to channels in select bitmasks. */
+void channel_prepare_select(fd_set *readset, fd_set *writeset);
+
+/* After select, perform any appropriate operations for channels which
+ have events pending. */
+void channel_after_select(fd_set *readset, fd_set *writeset);
+
+/* If there is data to send to the connection, send some of it now. */
+void channel_output_poll(void);
+
+/* This is called when a packet of type CHANNEL_DATA has just been received.
+ The message type has already been consumed, but channel number and data
+ is still there. */
+void channel_input_data(int payload_len);
+
+/* Returns true if no channel has too much buffered data. */
+int channel_not_very_much_buffered_data(void);
+
+/* This is called after receiving CHANNEL_CLOSE. */
+void channel_input_close(void);
+
+/* This is called after receiving CHANNEL_CLOSE_CONFIRMATION. */
+void channel_input_close_confirmation(void);
+
+/* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
+void channel_input_open_confirmation(void);
+
+/* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
+void channel_input_open_failure(void);
+
+/* This closes any sockets that are listening for connections; this removes
+ any unix domain sockets. */
+void channel_stop_listening(void);
+
+/* Closes the sockets of all channels. This is used to close extra file
+ descriptors after a fork. */
+void channel_close_all(void);
+
+/* Returns the maximum file descriptor number used by the channels. */
+int channel_max_fd(void);
+
+/* Returns true if there is still an open channel over the connection. */
+int channel_still_open(void);
+
+/* Returns a string containing a list of all open channels. The list is
+ suitable for displaying to the user. It uses crlf instead of newlines.
+ The caller should free the string with xfree. */
+char *channel_open_message(void);
+
+/* Initiate forwarding of connections to local port "port" through the secure
+ channel to host:port from remote side. This never returns if there
+ was an error. */
+void channel_request_local_forwarding(int port, const char *host,
+ int remote_port);
+
+/* Initiate forwarding of connections to port "port" on remote host through
+ the secure channel to host:port from local side. This never returns
+ if there was an error. This registers that open requests for that
+ port are permitted. */
+void channel_request_remote_forwarding(int port, const char *host,
+ int remote_port);
+
+/* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
+ called by the server, because the user could connect to any port anyway,
+ and the server has no way to know but to trust the client anyway. */
+void channel_permit_all_opens(void);
+
+/* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
+ listening for the port, and sends back a success reply (or disconnect
+ message if there was an error). This never returns if there was an
+ error. */
+void channel_input_port_forward_request(int is_root);
+
+/* This is called after receiving PORT_OPEN message. This attempts to connect
+ to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
+ CHANNEL_OPEN_FAILURE. */
+void channel_input_port_open(int payload_len);
+
+/* Creates a port for X11 connections, and starts listening for it.
+ Returns the display name, or NULL if an error was encountered. */
+char *x11_create_display(int screen);
+
+/* Creates an internet domain socket for listening for X11 connections.
+ Returns a suitable value for the DISPLAY variable, or NULL if an error
+ occurs. */
+char *x11_create_display_inet(int screen);
+
+/* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
+ the remote channel number. We should do whatever we want, and respond
+ with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
+void x11_input_open(int payload_len);
+
+/* Requests forwarding of X11 connections. This should be called on the
+ client only. */
+void x11_request_forwarding(void);
+
+/* Requests forwarding for X11 connections, with authentication spoofing.
+ This should be called in the client only. */
+void x11_request_forwarding_with_spoofing(const char *proto, const char *data);
+
+/* Local Xauthority file (server only). */
+extern char *xauthfile;
+
+/* Sends a message to the server to request authentication fd forwarding. */
+void auth_request_forwarding(void);
+
+/* Returns the name of the forwarded authentication socket. Returns NULL
+ if there is no forwarded authentication socket. The returned value points
+ to a static buffer. */
+char *auth_get_socket_name(void);
+
+/* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ This starts forwarding authentication requests. */
+void auth_input_request_forwarding(struct passwd *pw);
+
+/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
+void auth_input_open_request(void);
+
+/* Returns true if the given string matches the pattern (which may contain
+ ? and * as wildcards), and zero if it does not match. */
+int match_pattern(const char *s, const char *pattern);
+
+/* Expands tildes in the file name. Returns data allocated by xmalloc.
+ Warning: this calls getpw*. */
+char *tilde_expand_filename(const char *filename, uid_t my_uid);
+
+/* Performs the interactive session. This handles data transmission between
+ the client and the program. Note that the notion of stdin, stdout, and
+ stderr in this function is sort of reversed: this function writes to
+ stdin (of the child program), and reads from stdout and stderr (of the
+ child program). */
+void server_loop(int pid, int fdin, int fdout, int fderr);
+
+/* Client side main loop for the interactive session. */
+int client_loop(int have_pty, int escape_char);
+
+/* Linked list of custom environment strings (see auth-rsa.c). */
+struct envstring {
+ struct envstring *next;
+ char *s;
+};
+
+#ifdef KRB4
+#include <krb.h>
+
+/* Performs Kerberos v4 mutual authentication with the client. This returns
+ 0 if the client could not be authenticated, and 1 if authentication was
+ successful. This may exit if there is a serious protocol violation. */
+int auth_krb4(const char *server_user, KTEXT auth, char **client);
+int ssh_tf_init(uid_t uid);
+
+#ifdef AFS
+#include <kafs.h>
+
+/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
+int auth_kerberos_tgt(struct passwd *pw, const char *string);
+int auth_afs_token(char *server_user, uid_t uid, const char *string);
+
+int creds_to_radix(CREDENTIALS *creds, unsigned char *buf);
+int radix_to_creds(const char *buf, CREDENTIALS *creds);
+#endif /* AFS */
+
+#endif /* KRB4 */
+
+#ifdef SKEY
+#include <skey.h>
+char *skey_fake_keyinfo(char *username);
+#endif /* SKEY */
+
+#endif /* SSH_H */