===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth-passwd.c,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- src/usr.bin/ssh/auth-passwd.c	2016/07/21 01:39:35	1.45
+++ src/usr.bin/ssh/auth-passwd.c	2018/03/03 03:15:51	1.46
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
+/* $OpenBSD: auth-passwd.c,v 1.46 2018/03/03 03:15:51 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -56,7 +56,7 @@
 
 extern Buffer loginmsg;
 extern ServerOptions options;
-int sys_auth_passwd(Authctxt *, const char *);
+int sys_auth_passwd(struct ssh *, const char *);
 
 extern login_cap_t *lc;
 
@@ -65,22 +65,15 @@
 
 #define MAX_PASSWORD_LEN	1024
 
-static void
-disable_forwarding(void)
-{
-	no_port_forwarding_flag = 1;
-	no_agent_forwarding_flag = 1;
-	no_x11_forwarding_flag = 1;
-}
-
 /*
  * Tries to authenticate the user using password.  Returns true if
  * authentication succeeds.
  */
 int
-auth_password(Authctxt *authctxt, const char *password)
+auth_password(struct ssh *ssh, const char *password)
 {
-	struct passwd * pw = authctxt->pw;
+	Authctxt *authctxt = ssh->authctxt;
+	struct passwd *pw = authctxt->pw;
 	int ok = authctxt->valid;
 
 	if (strlen(password) > MAX_PASSWORD_LEN)
@@ -98,7 +91,7 @@
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
-	return (sys_auth_passwd(authctxt, password) && ok);
+	return (sys_auth_passwd(ssh, password) && ok);
 }
 
 static void
@@ -134,19 +127,19 @@
 }
 
 int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
+sys_auth_passwd(struct ssh *ssh, const char *password)
 {
-	struct passwd *pw = authctxt->pw;
+	Authctxt *authctxt = ssh->authctxt;
 	auth_session_t *as;
 	static int expire_checked = 0;
 
-	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
+	as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh",
 	    (char *)password);
 	if (as == NULL)
 		return (0);
 	if (auth_getstate(as) & AUTH_PWEXPIRED) {
 		auth_close(as);
-		disable_forwarding();
+		auth_restrict_session(ssh);
 		authctxt->force_pwchange = 1;
 		return (1);
 	} else {