jcs.org
jcs's openbsd hax
openbsd
1/* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */
2
3/*
4 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#ifndef AUTH_OPTIONS_H
20#define AUTH_OPTIONS_H
21
22struct passwd;
23struct sshkey;
24
25/* Maximum number of permitopen/permitlisten directives to accept */
26#define SSH_AUTHOPT_PERMIT_MAX 4096
27
28/* Maximum number of environment directives to accept */
29#define SSH_AUTHOPT_ENV_MAX 1024
30
31/*
32 * sshauthopt represents key options parsed from authorized_keys or
33 * from certificate extensions/options.
34 */
35struct sshauthopt {
36 /* Feature flags */
37 int permit_port_forwarding_flag;
38 int permit_agent_forwarding_flag;
39 int permit_x11_forwarding_flag;
40 int permit_pty_flag;
41 int permit_user_rc;
42
43 /* "restrict" keyword was invoked */
44 int restricted;
45
46 /* key/principal expiry date */
47 uint64_t valid_before;
48
49 /* Certificate-related options */
50 int cert_authority;
51 char *cert_principals;
52
53 int force_tun_device;
54 char *force_command;
55
56 /* Custom environment */
57 size_t nenv;
58 char **env;
59
60 /* Permitted port forwardings */
61 size_t npermitopen;
62 char **permitopen;
63
64 /* Permitted listens (remote forwarding) */
65 size_t npermitlisten;
66 char **permitlisten;
67
68 /*
69 * Permitted host/addresses (comma-separated)
70 * Caller must check source address matches both lists (if present).
71 */
72 char *required_from_host_cert;
73 char *required_from_host_keys;
74
75 /* Key requires user presence asserted */
76 int no_require_user_presence;
77 /* Key requires user verification (e.g. PIN) */
78 int require_verify;
79};
80
81struct sshauthopt *sshauthopt_new(void);
82struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
83void sshauthopt_free(struct sshauthopt *opts);
84struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
85int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
86int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
87
88/*
89 * Parse authorized_keys options. Returns an options structure on success
90 * or NULL on failure. Will set errstr on failure.
91 */
92struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
93
94/*
95 * Parse certification options to a struct sshauthopt.
96 * Returns options on success or NULL on failure.
97 */
98struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
99
100/*
101 * Merge key options.
102 */
103struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
104 const struct sshauthopt *additional, const char **errstrp);
105
106#endif