From 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 3 Mar 2018 03:15:51 +0000 Subject: upstream: switch over to the new authorized_keys options API and remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@ OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df --- monitor_wrap.c | 44 +++++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 17 deletions(-) (limited to 'monitor_wrap.c') diff --git a/monitor_wrap.c b/monitor_wrap.c index cce318bc..9666bda4 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.98 2018/01/08 15:14:44 markus Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -351,7 +351,7 @@ mm_inform_authserv(char *service, char *style) /* Do the password authentication */ int -mm_auth_password(Authctxt *authctxt, char *password) +mm_auth_password(struct ssh *ssh, char *password) { Buffer m; int authenticated = 0; @@ -378,34 +378,38 @@ mm_auth_password(Authctxt *authctxt, char *password) } int -mm_user_key_allowed(struct passwd *pw, struct sshkey *key, - int pubkey_auth_attempt) +mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, + int pubkey_auth_attempt, struct sshauthopt **authoptp) { return (mm_key_allowed(MM_USERKEY, NULL, NULL, key, - pubkey_auth_attempt)); + pubkey_auth_attempt, authoptp)); } int mm_hostbased_key_allowed(struct passwd *pw, const char *user, const char *host, struct sshkey *key) { - return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0)); + return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL)); } int mm_key_allowed(enum mm_keytype type, const char *user, const char *host, - struct sshkey *key, int pubkey_auth_attempt) + struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp) { Buffer m; u_char *blob; u_int len; - int allowed = 0, have_forced = 0; + int r, allowed = 0; + struct sshauthopt *opts = NULL; debug3("%s entering", __func__); + if (authoptp != NULL) + *authoptp = NULL; + /* Convert the key to a blob and the pass it over */ if (!key_to_blob(key, &blob, &len)) - return (0); + return 0; buffer_init(&m); buffer_put_int(&m, type); @@ -418,18 +422,24 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host, mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_KEYALLOWED, &m); allowed = buffer_get_int(&m); - - /* fake forced command */ - auth_clear_options(); - have_forced = buffer_get_int(&m); - forced_command = have_forced ? xstrdup("true") : NULL; - + if (allowed && type == MM_USERKEY) { + if ((r = sshauthopt_deserialise(&m, &opts)) != 0) + fatal("%s: sshauthopt_deserialise: %s", + __func__, ssh_err(r)); + } buffer_free(&m); - return (allowed); + if (authoptp != NULL) { + *authoptp = opts; + opts = NULL; + } + sshauthopt_free(opts); + + return allowed; } /* -- cgit v1.2.1