| djm@openbsd.org | 93c06ab | 2018-06-06 18:23:32 +0000 | [diff] [blame] | 1 | /* $OpenBSD: auth-options.h,v 1.27 2018/06/06 18:23:32 djm Exp $ */ |
| Ben Lindstrom | 05764b9 | 2002-03-05 01:53:02 +0000 | [diff] [blame] | 2 | |
| Damien Miller | e4340be | 2000-09-16 13:29:08 +1100 | [diff] [blame] | 3 | /* |
| djm@openbsd.org | 7c85685 | 2018-03-03 03:15:51 +0000 | [diff] [blame] | 4 | * Copyright (c) 2018 Damien Miller <djm@mindrot.org> |
| Damien Miller | e4340be | 2000-09-16 13:29:08 +1100 | [diff] [blame] | 5 | * |
| djm@openbsd.org | 7c85685 | 2018-03-03 03:15:51 +0000 | [diff] [blame] | 6 | * Permission to use, copy, modify, and distribute this software for any |
| 7 | * purpose with or without fee is hereby granted, provided that the above |
| 8 | * copyright notice and this permission notice appear in all copies. |
| 9 | * |
| 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| Damien Miller | e4340be | 2000-09-16 13:29:08 +1100 | [diff] [blame] | 17 | */ |
| Damien Miller | 389edc4 | 2000-11-06 12:39:34 +1100 | [diff] [blame] | 18 | |
| Damien Miller | f6d9e22 | 2000-06-18 14:50:44 +1000 | [diff] [blame] | 19 | #ifndef AUTH_OPTIONS_H |
| 20 | #define AUTH_OPTIONS_H |
| Ben Lindstrom | 226cfa0 | 2001-01-22 05:34:40 +0000 | [diff] [blame] | 21 | |
| djm@openbsd.org | 90c4bec | 2018-03-03 03:06:02 +0000 | [diff] [blame] | 22 | struct passwd; |
| 23 | struct sshkey; |
| 24 | |
| djm@openbsd.org | 90c4bec | 2018-03-03 03:06:02 +0000 | [diff] [blame] | 25 | /* |
| 26 | * sshauthopt represents key options parsed from authorized_keys or |
| 27 | * from certificate extensions/options. |
| 28 | */ |
| 29 | struct sshauthopt { |
| 30 | /* Feature flags */ |
| 31 | int permit_port_forwarding_flag; |
| 32 | int permit_agent_forwarding_flag; |
| 33 | int permit_x11_forwarding_flag; |
| 34 | int permit_pty_flag; |
| 35 | int permit_user_rc; |
| 36 | |
| 37 | /* "restrict" keyword was invoked */ |
| 38 | int restricted; |
| 39 | |
| djm@openbsd.org | bf0fbf2 | 2018-03-12 00:52:01 +0000 | [diff] [blame] | 40 | /* key/principal expiry date */ |
| 41 | uint64_t valid_before; |
| 42 | |
| djm@openbsd.org | 90c4bec | 2018-03-03 03:06:02 +0000 | [diff] [blame] | 43 | /* Certificate-related options */ |
| 44 | int cert_authority; |
| 45 | char *cert_principals; |
| 46 | |
| 47 | int force_tun_device; |
| 48 | char *force_command; |
| 49 | |
| 50 | /* Custom environment */ |
| 51 | size_t nenv; |
| 52 | char **env; |
| 53 | |
| 54 | /* Permitted port forwardings */ |
| 55 | size_t npermitopen; |
| 56 | char **permitopen; |
| 57 | |
| djm@openbsd.org | 93c06ab | 2018-06-06 18:23:32 +0000 | [diff] [blame] | 58 | /* Permitted listens (remote forwarding) */ |
| 59 | size_t npermitlisten; |
| 60 | char **permitlisten; |
| 61 | |
| djm@openbsd.org | 90c4bec | 2018-03-03 03:06:02 +0000 | [diff] [blame] | 62 | /* |
| 63 | * Permitted host/addresses (comma-separated) |
| 64 | * Caller must check source address matches both lists (if present). |
| 65 | */ |
| 66 | char *required_from_host_cert; |
| 67 | char *required_from_host_keys; |
| 68 | }; |
| 69 | |
| 70 | struct sshauthopt *sshauthopt_new(void); |
| 71 | struct sshauthopt *sshauthopt_new_with_keys_defaults(void); |
| 72 | void sshauthopt_free(struct sshauthopt *opts); |
| 73 | struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig); |
| 74 | int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int); |
| 75 | int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts); |
| 76 | |
| 77 | /* |
| 78 | * Parse authorized_keys options. Returns an options structure on success |
| 79 | * or NULL on failure. Will set errstr on failure. |
| 80 | */ |
| 81 | struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr); |
| 82 | |
| 83 | /* |
| 84 | * Parse certification options to a struct sshauthopt. |
| 85 | * Returns options on success or NULL on failure. |
| 86 | */ |
| 87 | struct sshauthopt *sshauthopt_from_cert(struct sshkey *k); |
| 88 | |
| 89 | /* |
| 90 | * Merge key options. |
| 91 | */ |
| 92 | struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary, |
| 93 | const struct sshauthopt *additional, const char **errstrp); |
| 94 | |
| Damien Miller | f6d9e22 | 2000-06-18 14:50:44 +1000 | [diff] [blame] | 95 | #endif |