1 /* $NetBSD: auth-options.h,v 1.15 2021/09/02 11:26:17 christos Exp $ */ 2 /* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */ 3 4 /* 5 * Copyright (c) 2018 Damien Miller <djm@mindrot.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #ifndef AUTH_OPTIONS_H 21 #define AUTH_OPTIONS_H 22 23 struct passwd; 24 struct sshkey; 25 26 /* Maximum number of permitopen/permitlisten directives to accept */ 27 #define SSH_AUTHOPT_PERMIT_MAX 4096 28 29 /* Maximum number of environment directives to accept */ 30 #define SSH_AUTHOPT_ENV_MAX 1024 31 32 /* 33 * sshauthopt represents key options parsed from authorized_keys or 34 * from certificate extensions/options. 35 */ 36 struct sshauthopt { 37 /* Feature flags */ 38 int permit_port_forwarding_flag; 39 int permit_agent_forwarding_flag; 40 int permit_x11_forwarding_flag; 41 int permit_pty_flag; 42 int permit_user_rc; 43 44 /* "restrict" keyword was invoked */ 45 int restricted; 46 47 /* key/principal expiry date */ 48 uint64_t valid_before; 49 50 /* Certificate-related options */ 51 int cert_authority; 52 char *cert_principals; 53 54 int force_tun_device; 55 char *force_command; 56 57 /* Custom environment */ 58 size_t nenv; 59 char **env; 60 61 /* Permitted port forwardings */ 62 size_t npermitopen; 63 char **permitopen; 64 65 /* Permitted listens (remote forwarding) */ 66 size_t npermitlisten; 67 char **permitlisten; 68 69 /* 70 * Permitted host/addresses (comma-separated) 71 * Caller must check source address matches both lists (if present). 72 */ 73 char *required_from_host_cert; 74 char *required_from_host_keys; 75 76 /* Key requires user presence asserted */ 77 int no_require_user_presence; 78 /* Key requires user verification (e.g. PIN) */ 79 int require_verify; 80 }; 81 82 struct sshauthopt *sshauthopt_new(void); 83 struct sshauthopt *sshauthopt_new_with_keys_defaults(void); 84 void sshauthopt_free(struct sshauthopt *opts); 85 struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig); 86 int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int); 87 int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts); 88 89 /* 90 * Parse authorized_keys options. Returns an options structure on success 91 * or NULL on failure. Will set errstr on failure. 92 */ 93 struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr); 94 95 /* 96 * Parse certification options to a struct sshauthopt. 97 * Returns options on success or NULL on failure. 98 */ 99 struct sshauthopt *sshauthopt_from_cert(struct sshkey *k); 100 101 /* 102 * Merge key options. 103 */ 104 struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary, 105 const struct sshauthopt *additional, const char **errstrp); 106 107 #endif 108