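/* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */

/*
 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef AUTH_OPTIONS_H
#define AUTH_OPTIONS_H

/*
 * Incomplete types referenced by the prototypes below. This header does
 * not include their definitions (nor <sys/types.h>/<stdint.h> for size_t
 * and uint64_t); includers are expected to provide them.
 *
 * struct sshbuf is forward-declared here because without a prior
 * declaration a "struct sshbuf *" parameter would introduce a new,
 * prototype-scoped struct type when this header is included on its own
 * (compilers warn: "declared inside parameter list").
 */
struct passwd;	/* not referenced in this header; kept for includers */
struct sshkey;
struct sshbuf;

/*
 * Maximum number of permitopen/permitlisten directives to accept.
 * Bounds the per-key allocation while parsing options; NOTE(review): the
 * enforcement point and error behaviour on overflow live in the parser,
 * not here - confirm in auth-options.c.
 */
#define SSH_AUTHOPT_PERMIT_MAX 4096

/*
 * sshauthopt represents key options parsed from authorized_keys or
 * from certificate extensions/options.
 *
 * Ownership: the char * and char ** members are presumably heap-allocated
 * and owned by the structure, released by sshauthopt_free(); confirm in
 * auth-options.c before sharing pointers out of a live instance.
 */
struct sshauthopt {
	/* Feature flags: non-zero when the corresponding feature is permitted */
	int permit_port_forwarding_flag;
	int permit_agent_forwarding_flag;
	int permit_x11_forwarding_flag;
	int permit_pty_flag;
	int permit_user_rc;

	/* "restrict" keyword was invoked */
	int restricted;

	/*
	 * key/principal expiry date. How "no expiry" is encoded is defined
	 * by the functions that populate this (sshauthopt_parse,
	 * sshauthopt_from_cert) - confirm there before comparing.
	 */
	uint64_t valid_before;

	/* Certificate-related options */
	int cert_authority;	/* key is a CA ("cert-authority") */
	char *cert_principals;	/* "principals=" list, or NULL if unset */

	int force_tun_device;	/* "tunnel=" device */
	char *force_command;	/* "command=" to run instead of the requested one */

	/* Custom environment: nenv entries in env */
	size_t nenv;
	char **env;

	/* Permitted port forwardings: npermitopen entries in permitopen */
	size_t npermitopen;
	char **permitopen;

	/* Permitted listens (remote forwarding): npermitlisten entries */
	size_t npermitlisten;
	char **permitlisten;

	/*
	 * Permitted host/addresses (comma-separated), from the certificate
	 * and from the key options respectively. Caller must check that the
	 * source address matches BOTH lists (each one only if present);
	 * satisfying one list alone is not sufficient.
	 */
	char *required_from_host_cert;
	char *required_from_host_keys;

	/*
	 * Set when the key options waive the user-presence (touch)
	 * requirement. NOTE(review): the field name reads as the inverse of
	 * the original "Key requires user presence asserted" comment; the
	 * name is taken as authoritative here - confirm against the parser.
	 */
	int no_require_user_presence;
};

/*
 * Constructors/destructor. sshauthopt_new_with_keys_defaults() presumably
 * returns the permissive defaults applied to authorized_keys entries,
 * while sshauthopt_new() returns a baseline structure; confirm which
 * features each permits in auth-options.c. Both return NULL on allocation
 * failure (assumed; verify). sshauthopt_free(NULL) tolerance is not
 * specified here.
 */
struct sshauthopt *sshauthopt_new(void);
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
void sshauthopt_free(struct sshauthopt *opts);

/* Deep copy of orig; NULL on failure (assumed; verify). Caller frees. */
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);

/*
 * Serialise opts into m / deserialise from m into a newly allocated
 * *opts that the caller releases with sshauthopt_free(). Return 0 on
 * success or a negative error code (sshbuf convention; verify). The
 * trailing int of sshauthopt_serialise is a flag whose meaning is
 * defined in auth-options.c; it is left unnamed here.
 */
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);

/*
 * Parse authorized_keys options. Returns an options structure on success
 * or NULL on failure. Will set errstr on failure.
 */
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);

/*
 * Parse certification options to a struct sshauthopt.
 * Returns options on success or NULL on failure.
 */
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);

/*
 * Merge key options. Returns a new structure combining primary and
 * additional, or NULL on failure with *errstrp describing the conflict
 * (assumed from the signature; confirm precedence rules in auth-options.c).
 */
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
    const struct sshauthopt *additional, const char **errstrp);

#endif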