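/* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */

/*
 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef AUTH_OPTIONS_H
#define AUTH_OPTIONS_H

/*
 * This header does not include <stddef.h>/<stdint.h> itself; the including
 * translation unit must already provide size_t and uint64_t (in OpenSSH this
 * comes from the project's common includes).
 */

/*
 * Types referenced by pointer only.  struct sshbuf is forward-declared here
 * together with the others so that the sshauthopt_serialise() and
 * sshauthopt_deserialise() prototypes below do not introduce a
 * prototype-scoped tag (and a conflicting-types diagnostic) when this header
 * is included before the one that defines struct sshbuf.
 */
struct passwd;
struct sshbuf;
struct sshkey;

/*
 * Upper bounds on the number of repeatable directives accepted from a single
 * key's option string.  Directives beyond these limits are not accepted, so
 * the per-key arrays below cannot grow without bound.
 */

/* Maximum number of permitopen/permitlisten directives to accept */
#define SSH_AUTHOPT_PERMIT_MAX	4096

/* Maximum number of environment directives to accept */
#define SSH_AUTHOPT_ENV_MAX	1024

/*
 * sshauthopt represents key options parsed from authorized_keys or
 * from certificate extensions/options.
 *
 * NOTE(review): the char * and char ** members appear to be owned by the
 * structure (there is a dedicated free routine and a copy routine); confirm
 * against the implementation before sharing pointers between instances.
 */
struct sshauthopt {
	/*
	 * Feature flags: nonzero when the corresponding capability is
	 * permitted for connections authenticated with this key.
	 */
	int permit_port_forwarding_flag;
	int permit_agent_forwarding_flag;
	int permit_x11_forwarding_flag;
	int permit_pty_flag;
	int permit_user_rc;

	/* Nonzero when the "restrict" keyword was invoked */
	int restricted;

	/*
	 * key/principal expiry date.
	 * NOTE(review): presumably seconds since the epoch, with 0 meaning
	 * no expiry - confirm against the parser and the consumer.
	 */
	uint64_t valid_before;

	/* Certificate-related options */
	int cert_authority;	/* key is trusted as a certificate authority */
	char *cert_principals;	/* principals accepted for cert_authority keys */

	int force_tun_device;	/* forced tunnel device number */
	char *force_command;	/* command to run instead of the requested one */

	/*
	 * Custom environment: nenv entries in env.  The number of environment
	 * directives accepted is capped by SSH_AUTHOPT_ENV_MAX.
	 */
	size_t nenv;
	char **env;

	/*
	 * Permitted port forwardings: npermitopen entries in permitopen.
	 * Together with permitlisten the accepted count is capped by
	 * SSH_AUTHOPT_PERMIT_MAX.
	 */
	size_t npermitopen;
	char **permitopen;

	/*
	 * Permitted listens (remote forwarding): npermitlisten entries in
	 * permitlisten.
	 */
	size_t npermitlisten;
	char **permitlisten;

	/*
	 * Permitted host/addresses (comma-separated), one list from the
	 * certificate and one from the authorized_keys entry.
	 * Caller must check the source address matches every list that is
	 * present; matching only one of the two is not sufficient.
	 */
	char *required_from_host_cert;
	char *required_from_host_keys;

	/*
	 * Nonzero when the key does NOT require a user-presence assertion.
	 * NOTE(review): the member name is the negation of the original
	 * comment ("Key requires user presence asserted"); the sense used
	 * here follows the name - confirm against the parser.
	 */
	int no_require_user_presence;
	/* Nonzero when the key requires user verification (e.g. PIN) */
	int require_verify;
};

/* Allocate an options structure with all permissions cleared. */
struct sshauthopt *sshauthopt_new(void);
/* Allocate an options structure carrying the defaults used for plain keys. */
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
/* Release an options structure; accepts NULL. */
void sshauthopt_free(struct sshauthopt *opts);
/* Return a newly allocated copy of orig, or NULL on failure. */
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
/*
 * Encode opts into m / decode a structure from m.  Both return 0 on success
 * or a negative error code.  The untrusted argument to sshauthopt_serialise
 * selects how much of the structure is encoded; see the definition for the
 * exact rules.
 */
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
    int untrusted);
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);

/*
 * Parse authorized_keys options. Returns an options structure on success
 * or NULL on failure. Will set errstr on failure.
 */
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);

/*
 * Parse certification options to a struct sshauthopt.
 * Returns options on success or NULL on failure.
 */
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);

/*
 * Merge key options.  Returns a new structure combining primary with
 * additional, or NULL on failure, in which case errstrp is set.
 */
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
    const struct sshauthopt *additional, const char **errstrp);

#endif /* AUTH_OPTIONS_H */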