upstream: switch over to the new authorized_keys options API and

remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
diff --git a/auth-passwd.c b/auth-passwd.c
index 996c2cf..6097fdd 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
+/* $OpenBSD: auth-passwd.c,v 1.46 2018/03/03 03:15:51 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -68,22 +68,15 @@
 
 #define MAX_PASSWORD_LEN	1024
 
-void
-disable_forwarding(void)
-{
-	no_port_forwarding_flag = 1;
-	no_agent_forwarding_flag = 1;
-	no_x11_forwarding_flag = 1;
-}
-
 /*
  * Tries to authenticate the user using password.  Returns true if
  * authentication succeeds.
  */
 int
-auth_password(Authctxt *authctxt, const char *password)
+auth_password(struct ssh *ssh, const char *password)
 {
-	struct passwd * pw = authctxt->pw;
+	Authctxt *authctxt = ssh->authctxt;
+	struct passwd *pw = authctxt->pw;
 	int result, ok = authctxt->valid;
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 	static int expire_checked = 0;
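Review bot: auth_password now dereferences `ssh->authctxt` unconditionally at the top of its body where it previously received the Authctxt pointer directly, and nothing in the hunk or the header comment records that precondition; the same pattern is introduced for sys_auth_passwd in the hunks at @@ -128 and @@ -170. The forwarding restriction on password expiry is also delegated from the removed disable_forwarding() to auth_restrict_session(ssh), whose body is not in this diff, so it is worth confirming it clears at least the port, agent and X11 forwarding flags the old helper set, since a force_pwchange session must stay limited to the password change. I would extend the header comment to `/* Tries to authenticate the user using password.  Returns true if authentication succeeds.  Requires ssh->authctxt to be set; when a password change is forced the session is restricted via auth_restrict_session(). */`. auth_password's body continues past the end of this hunk.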
@@ -128,9 +121,9 @@
 			authctxt->force_pwchange = 1;
 	}
 #endif
-	result = sys_auth_passwd(authctxt, password);
+	result = sys_auth_passwd(ssh, password);
 	if (authctxt->force_pwchange)
-		disable_forwarding();
+		auth_restrict_session(ssh);
 	return (result && ok);
 }
 
@@ -170,19 +163,19 @@
 }
 
 int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
+sys_auth_passwd(struct ssh *ssh, const char *password)
 {
-	struct passwd *pw = authctxt->pw;
+	Authctxt *authctxt = ssh->authctxt;
 	auth_session_t *as;
 	static int expire_checked = 0;
 
-	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
+	as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh",
 	    (char *)password);
 	if (as == NULL)
 		return (0);
 	if (auth_getstate(as) & AUTH_PWEXPIRED) {
 		auth_close(as);
-		disable_forwarding();
+		auth_restrict_session(ssh);
 		authctxt->force_pwchange = 1;
 		return (1);
 	} else {
@@ -195,8 +188,9 @@
 }
 #elif !defined(CUSTOM_SYS_AUTH_PASSWD)
 int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
+sys_auth_passwd(struct ssh *ssh, const char *password)
 {
+	Authctxt *authctxt = ssh->authctxt;
 	struct passwd *pw = authctxt->pw;
 	char *encrypted_password, *salt = NULL;