
  1. /* $OpenBSD: auth-options.h,v 1.30 2020/08/27 01:07:09 djm Exp $ */
  2. /*
  3. * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  4. *
  5. * Permission to use, copy, modify, and distribute this software for any
  6. * purpose with or without fee is hereby granted, provided that the above
  7. * copyright notice and this permission notice appear in all copies.
  8. *
  9. * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  10. * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  11. * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  12. * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  13. * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  14. * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  15. * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  16. */
  17. #ifndef AUTH_OPTIONS_H
  18. #define AUTH_OPTIONS_H
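  /*
   * Opaque types referenced by pointer only. struct sshbuf is used by the
   * (de)serialise prototypes below but was not forward-declared here; a
   * translation unit that includes this header before the one defining
   * struct sshbuf would otherwise get a prototype-scoped struct tag and
   * incompatible-pointer warnings at the call sites.
   */
  struct passwd;
  struct sshkey;
  struct sshbuf;
  /*
   * Maximum number of permitopen/permitlisten directives to accept.
   * Bounds memory and parse work spent on a single (user-controlled)
   * authorized_keys entry or certificate.
   */
  #define SSH_AUTHOPT_PERMIT_MAX 4096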
  /*
   * sshauthopt represents key options parsed from authorized_keys or
   * from certificate extensions/options.
   *
   * Instances are produced by sshauthopt_new(),
   * sshauthopt_new_with_keys_defaults(), sshauthopt_copy(),
   * sshauthopt_parse(), sshauthopt_from_cert() and sshauthopt_merge()
   * (declared below) and released with sshauthopt_free(), which
   * presumably also frees the heap strings and string arrays owned by
   * the structure — confirm against the definition.
   *
   * NOTE(review): this header uses uint64_t and size_t but includes
   * nothing itself; the including file must already have
   * <stdint.h>/<stddef.h> (or the project's umbrella include) in scope.
   */
  struct sshauthopt {
  	/*
  	 * Feature flags (int used as boolean). Presumably non-zero means the
  	 * feature is permitted; the defaults are set by the constructors,
  	 * not visible here.
  	 */
  	int permit_port_forwarding_flag;
  	int permit_agent_forwarding_flag;
  	int permit_x11_forwarding_flag;
  	int permit_pty_flag;
  	int permit_user_rc;
  	/* "restrict" keyword was invoked */
  	int restricted;
  	/*
  	 * key/principal expiry date. Units/encoding and the "no expiry"
  	 * value are defined by the parser — presumably 0 means none; confirm.
  	 */
  	uint64_t valid_before;
  	/*
  	 * Certificate-related options. cert_authority marks the key as a CA
  	 * (authorized_keys "cert-authority"); cert_principals is the
  	 * comma-separated principal list, NULL when absent — presumably;
  	 * confirm against the parser.
  	 */
  	int cert_authority;
  	char *cert_principals;
  	/* Forced tun(4) device number; presumably a negative sentinel when unset. */
  	int force_tun_device;
  	/* Forced command, NULL when none (owned by the structure). */
  	char *force_command;
  	/* Custom environment: env[0..nenv-1], owned by the structure */
  	size_t nenv;
  	char **env;
  	/*
  	 * Permitted port forwardings: permitopen[0..npermitopen-1].
  	 * The parser accepts at most SSH_AUTHOPT_PERMIT_MAX entries.
  	 */
  	size_t npermitopen;
  	char **permitopen;
  	/*
  	 * Permitted listens (remote forwarding):
  	 * permitlisten[0..npermitlisten-1], same SSH_AUTHOPT_PERMIT_MAX bound.
  	 */
  	size_t npermitlisten;
  	char **permitlisten;
  	/*
  	 * Permitted host/addresses (comma-separated), one list coming from
  	 * certificate options and one from authorized_keys options.
  	 * Caller must check source address matches both lists (if present);
  	 * satisfying only one of them is not sufficient.
  	 */
  	char *required_from_host_cert;
  	char *required_from_host_keys;
  	/*
  	 * Key requires user presence asserted.
  	 * NOTE(review): this flag is in the NEGATED sense, unlike require_verify
  	 * below: a non-zero value waives the user-presence (touch) check.
  	 * Presumably set by the "no-touch-required" option — confirm. Take care
  	 * with double negation when testing it.
  	 */
  	int no_require_user_presence;
  	/*
  	 * Key requires user verification (e.g. PIN). Positive sense; presumably
  	 * set by the "verify-required" option — confirm.
  	 */
  	int require_verify;
  };
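  /*
   * Constructors: a structure with base defaults, and one with the
   * defaults applied to authorized_keys entries. The returned structure
   * is owned by the caller and released with sshauthopt_free().
   * NOTE(review): presumably NULL on allocation failure — confirm.
   */
  struct sshauthopt *sshauthopt_new(void);
  struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
  /* Release opts and everything it owns. */
  void sshauthopt_free(struct sshauthopt *opts);
  /* Deep copy of orig; caller frees the result with sshauthopt_free(). */
  struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
  /*
   * Serialise opts into m, and rebuild a new *opts from m.
   * Both return 0 on success or a negative error code (confirm the exact
   * convention against the definitions).
   *
   * The third parameter of the serialiser was unnamed in this prototype;
   * it is named here to match the definition: non-zero when the receiver
   * is an untrusted / less-privileged process, in which case sensitive
   * options are presumably not transmitted verbatim — confirm against
   * the definition. Callers should pass it explicitly rather than rely
   * on a default.
   */
  int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
      int untrusted);
  int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);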
  /*
   * Parse authorized_keys options. Returns an options structure on success
   * or NULL on failure. Will set errstr on failure.
   *
   * s is the raw options text of an authorized_keys line, i.e. input that
   * is typically user-controlled and must be treated as untrusted. The
   * result is owned by the caller and released with sshauthopt_free().
   * NOTE(review): *errstr is presumably a static string that the caller
   * must not free — confirm against the definition.
   */
  struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
  /*
   * Parse certificate options/extensions carried by k into a struct
   * sshauthopt. Returns options on success or NULL on failure; unlike
   * sshauthopt_parse() no error string is reported.
   * The result is owned by the caller and released with sshauthopt_free().
   */
  struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
  /*
   * Merge key options: combine primary (typically the certificate options)
   * with additional (typically the authorized_keys options) into a newly
   * allocated structure that the caller releases with sshauthopt_free().
   * Returns NULL on failure, presumably with *errstrp set as in
   * sshauthopt_parse() — confirm against the definition.
   * NOTE(review): for authorisation safety the result must be no more
   * permissive than either input (restrictions from both retained); the
   * implementation is not visible here.
   */
  struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
      const struct sshauthopt *additional, const char **errstrp);
  84. #endif