blob: d96ffedee8b11af9454ce789fe206b4291c50063 [file] [log] [blame]
djm@openbsd.org2e712632019-11-25 00:54:23 +00001/* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */
Ben Lindstrom05764b92002-03-05 01:53:02 +00002
Damien Millere4340be2000-09-16 13:29:08 +11003/*
djm@openbsd.org7c856852018-03-03 03:15:51 +00004 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
Damien Millere4340be2000-09-16 13:29:08 +11005 *
djm@openbsd.org7c856852018-03-03 03:15:51 +00006 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Damien Millere4340be2000-09-16 13:29:08 +110017 */
Damien Miller389edc42000-11-06 12:39:34 +110018
Damien Millerf6d9e222000-06-18 14:50:44 +100019#ifndef AUTH_OPTIONS_H
20#define AUTH_OPTIONS_H
Ben Lindstrom226cfa02001-01-22 05:34:40 +000021
djm@openbsd.org90c4bec2018-03-03 03:06:02 +000022struct passwd;
23struct sshkey;
24
djm@openbsd.org5b2b79f2019-07-09 04:15:00 +000025/* Maximum number of permitopen/permitlisten directives to accept */
26#define SSH_AUTHOPT_PERMIT_MAX 4096
27
djm@openbsd.org90c4bec2018-03-03 03:06:02 +000028/*
29 * sshauthopt represents key options parsed from authorized_keys or
30 * from certificate extensions/options.
31 */
32struct sshauthopt {
33 /* Feature flags */
34 int permit_port_forwarding_flag;
35 int permit_agent_forwarding_flag;
36 int permit_x11_forwarding_flag;
37 int permit_pty_flag;
38 int permit_user_rc;
39
40 /* "restrict" keyword was invoked */
41 int restricted;
42
djm@openbsd.orgbf0fbf22018-03-12 00:52:01 +000043 /* key/principal expiry date */
44 uint64_t valid_before;
45
djm@openbsd.org90c4bec2018-03-03 03:06:02 +000046 /* Certificate-related options */
47 int cert_authority;
48 char *cert_principals;
49
50 int force_tun_device;
51 char *force_command;
52
53 /* Custom environment */
54 size_t nenv;
55 char **env;
56
57 /* Permitted port forwardings */
58 size_t npermitopen;
59 char **permitopen;
60
djm@openbsd.org93c06ab2018-06-06 18:23:32 +000061 /* Permitted listens (remote forwarding) */
62 size_t npermitlisten;
63 char **permitlisten;
64
djm@openbsd.org90c4bec2018-03-03 03:06:02 +000065 /*
66 * Permitted host/addresses (comma-separated)
67 * Caller must check source address matches both lists (if present).
68 */
69 char *required_from_host_cert;
70 char *required_from_host_keys;
djm@openbsd.org2e712632019-11-25 00:54:23 +000071
72 /* Key requires user presence asserted */
73 int no_require_user_presence;
djm@openbsd.org90c4bec2018-03-03 03:06:02 +000074};
75
76struct sshauthopt *sshauthopt_new(void);
77struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
78void sshauthopt_free(struct sshauthopt *opts);
79struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
80int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
81int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
82
83/*
84 * Parse authorized_keys options. Returns an options structure on success
85 * or NULL on failure. Will set errstr on failure.
86 */
87struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
88
89/*
90 * Parse certification options to a struct sshauthopt.
91 * Returns options on success or NULL on failure.
92 */
93struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
94
95/*
96 * Merge key options.
97 */
98struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
99 const struct sshauthopt *additional, const char **errstrp);
100
Damien Millerf6d9e222000-06-18 14:50:44 +1000101#endif