djm@openbsd.org | 2e71263 | 2019-11-25 00:54:23 +0000 | [diff] [blame] | 1 | /* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */ |
Ben Lindstrom | 05764b9 | 2002-03-05 01:53:02 +0000 | [diff] [blame] | 2 | |
Damien Miller | e4340be | 2000-09-16 13:29:08 +1100 | [diff] [blame] | 3 | /* |
djm@openbsd.org | 7c85685 | 2018-03-03 03:15:51 +0000 | [diff] [blame] | 4 | * Copyright (c) 2018 Damien Miller <djm@mindrot.org> |
Damien Miller | e4340be | 2000-09-16 13:29:08 +1100 | [diff] [blame] | 5 | * |
djm@openbsd.org | 7c85685 | 2018-03-03 03:15:51 +0000 | [diff] [blame] | 6 | * Permission to use, copy, modify, and distribute this software for any |
| 7 | * purpose with or without fee is hereby granted, provided that the above |
| 8 | * copyright notice and this permission notice appear in all copies. |
| 9 | * |
| 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
Damien Miller | e4340be | 2000-09-16 13:29:08 +1100 | [diff] [blame] | 17 | */ |
Damien Miller | 389edc4 | 2000-11-06 12:39:34 +1100 | [diff] [blame] | 18 | |
Damien Miller | f6d9e22 | 2000-06-18 14:50:44 +1000 | [diff] [blame] | 19 | #ifndef AUTH_OPTIONS_H |
| 20 | #define AUTH_OPTIONS_H |
Ben Lindstrom | 226cfa0 | 2001-01-22 05:34:40 +0000 | [diff] [blame] | 21 | |
djm@openbsd.org | 90c4bec | 2018-03-03 03:06:02 +0000 | [diff] [blame] | 22 | struct passwd; |
| 23 | struct sshkey; |
| 24 | |
/*
 * Maximum number of permitopen/permitlisten directives accepted for a single
 * key or certificate. The option string originates in an authorized_keys
 * entry (typically user-writable) or in a certificate, so an upper bound is
 * needed so that one entry cannot make sshd build an arbitrarily long list.
 * TODO(review): confirm in auth-options.c whether exceeding the bound is a
 * parse error or a silent cap, and whether it is applied per list or in total.
 */
#define SSH_AUTHOPT_PERMIT_MAX 4096
| 27 | |
/*
 * sshauthopt holds the per-key options that constrain a session after
 * public-key authentication: those parsed from an authorized_keys entry
 * (sshauthopt_parse) and those taken from a certificate's critical options
 * and extensions (sshauthopt_from_cert); the two are combined with
 * sshauthopt_merge. The strings and arrays inside are presumably owned by
 * the structure — release with sshauthopt_free(), duplicate with
 * sshauthopt_copy() rather than aliasing the pointers.
 */
struct sshauthopt {
	/*
	 * Feature flags, ints used as booleans. The "permit_" naming indicates
	 * that nonzero grants the feature; which ones start out granted differs
	 * between sshauthopt_new() and sshauthopt_new_with_keys_defaults() —
	 * confirm the defaults in auth-options.c rather than assuming them.
	 */
	int permit_port_forwarding_flag;
	int permit_agent_forwarding_flag;
	int permit_x11_forwarding_flag;
	int permit_pty_flag;
	/* Same family as the *_flag fields above; presumably gates ~/.ssh/rc. */
	int permit_user_rc;

	/* Nonzero if the "restrict" keyword was present in the options string. */
	int restricted;

	/*
	 * Key/principal expiry date: the key is not to be accepted once this
	 * time has passed. Only the type (uint64_t) is fixed here; the epoch,
	 * units and the "no expiry" sentinel are set by the parser — TODO
	 * confirm in auth-options.c before comparing against this value.
	 */
	uint64_t valid_before;

	/*
	 * Certificate-related options: whether this authorized_keys entry is a
	 * CA (presumably the "cert-authority" option) and the principals it may
	 * certify. cert_principals is a single string, presumably comma-
	 * separated like the from-host lists below, and NULL when not given —
	 * confirm.
	 */
	int cert_authority;
	char *cert_principals;

	/*
	 * Forced tunnel device and forced command. force_tun_device is a
	 * signed int, presumably so that a negative value can mean "not
	 * forced"; force_command is presumably NULL when no command is forced.
	 * Both TODO confirm against auth-options.c.
	 */
	int force_tun_device;
	char *force_command;

	/* Custom environment: nenv entries in env (each presumably "NAME=value"). */
	size_t nenv;
	char **env;

	/*
	 * Permitted local port forwardings (permitopen): npermitopen entries in
	 * permitopen. The parser accepts at most SSH_AUTHOPT_PERMIT_MAX.
	 */
	size_t npermitopen;
	char **permitopen;

	/*
	 * Permitted remote-forwarding listens (permitlisten): npermitlisten
	 * entries in permitlisten, also bounded by SSH_AUTHOPT_PERMIT_MAX.
	 */
	size_t npermitlisten;
	char **permitlisten;

	/*
	 * Source-address restrictions, as comma-separated host/address
	 * patterns: one list from the certificate (presumably its
	 * source-address critical option) and one from the authorized_keys
	 * entry (presumably from=). This struct only records them; it checks
	 * nothing. The CALLER must verify that the client's source address
	 * matches BOTH lists that are present — enforcing only one of them
	 * lets the other restriction be bypassed.
	 */
	char *required_from_host_cert;
	char *required_from_host_keys;

	/*
	 * Nonzero when the key's user-presence ("touch") requirement has been
	 * waived; the field is named for the negated option, so the default of
	 * zero means user presence IS required for security keys. Presumably
	 * set by the "no-touch-required" option — confirm in auth-options.c.
	 */
	int no_require_user_presence;
};
| 75 | |
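/*
 * Allocate an empty (all-zero) options structure.
 * Presumably returns NULL on allocation failure — confirm in auth-options.c.
 */
struct sshauthopt *sshauthopt_new(void);

/*
 * Allocate an options structure carrying the defaults that apply to a plain
 * authorized_keys entry, as opposed to the zeroed state of sshauthopt_new().
 * Which features default to permitted is defined in auth-options.c — confirm
 * there before relying on it.
 */
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);

/*
 * Release opts and the strings/arrays it owns. TODO(review): confirm whether
 * a NULL argument is tolerated.
 */
void sshauthopt_free(struct sshauthopt *opts);

/*
 * Deep-copy orig into a freshly allocated structure (NULL on failure). The
 * caller owns the result and releases it with sshauthopt_free().
 */
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);

/*
 * Serialise opts into m (the format is private to sshauthopt_deserialise and
 * is used to hand options across the privilege-separation boundary).
 *
 * NOTE(review): the third parameter was unnamed here; it is named
 * "untrusted" in auth-options.c. When nonzero, the fields that could steer
 * the receiving process (the forced command, environment, principals,
 * permitopen/permitlisten lists and from-host lists) are omitted or replaced
 * by placeholders, presumably because the receiver is the less-trusted side.
 * Check the implementation for the exact list before depending on it.
 * Returns 0 on success; presumably a negative SSH_ERR_* code otherwise.
 */
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
    int untrusted);

/*
 * Parse a structure previously produced by sshauthopt_serialise from m.
 * On success *opts points to a newly allocated structure the caller must
 * release with sshauthopt_free(); on failure *opts is presumably left
 * NULL — confirm. Returns 0 on success, presumably SSH_ERR_* otherwise.
 */
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);

/*
 * Parse authorized_keys options from the string s. Returns an options
 * structure on success or NULL on failure, in which case *errstr is set to
 * a human-readable reason (presumably a static string; do not free it).
 * The input comes from a typically user-writable file, so the parser is
 * expected to reject anything malformed and to cap list lengths at
 * SSH_AUTHOPT_PERMIT_MAX rather than trust the entry.
 */
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);

/*
 * Build a struct sshauthopt from the critical options and extensions of the
 * certificate k. Returns options on success or NULL on failure (presumably
 * also when k is not a certificate — confirm). k is not const-qualified
 * although the function presumably does not modify it.
 */
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);

/*
 * Merge two sets of key options (e.g. certificate options with the
 * authorized_keys options for the CA) into a newly allocated structure.
 * Presumably returns NULL and sets *errstrp when the two cannot be combined
 * — confirm the conflict rules in auth-options.c.
 */
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
    const struct sshauthopt *additional, const char **errstrp);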
| 100 | |
Damien Miller | f6d9e22 | 2000-06-18 14:50:44 +1000 | [diff] [blame] | 101 | #endif |