xref: /netbsd-src/crypto/external/bsd/openssh/dist/auth-options.h (revision 3227e6cf668bd374971740bd6660f43cee4417ac)
1 /*	$NetBSD: auth-options.h,v 1.10 2018/04/06 18:58:59 christos Exp $	*/
2 /* $OpenBSD: auth-options.h,v 1.26 2018/03/12 00:52:01 djm Exp $ */
3 
4 /*
5  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #ifndef AUTH_OPTIONS_H
21 #define AUTH_OPTIONS_H
22 
23 struct passwd;
24 struct sshkey;
25 
26 /*
27  * sshauthopt represents key options parsed from authorized_keys or
28  * from certificate extensions/options.
29  */
30 struct sshauthopt {
31 	/* Feature flags */
32 	int permit_port_forwarding_flag;
33 	int permit_agent_forwarding_flag;
34 	int permit_x11_forwarding_flag;
35 	int permit_pty_flag;
36 	int permit_user_rc;
37 
38 	/* "restrict" keyword was invoked */
39 	int restricted;
40 
41 	/* key/principal expiry date */
42 	uint64_t valid_before;
43 
44 	/* Certificate-related options */
45 	int cert_authority;
46 	char *cert_principals;
47 
48 	int force_tun_device;
49 	char *force_command;
50 
51 	/* Custom environment */
52 	size_t nenv;
53 	char **env;
54 
55 	/* Permitted port forwardings */
56 	size_t npermitopen;
57 	char **permitopen;
58 
59 	/*
60 	 * Permitted host/addresses (comma-separated)
61 	 * Caller must check source address matches both lists (if present).
62 	 */
63 	char *required_from_host_cert;
64 	char *required_from_host_keys;
65 };
66 
67 struct sshauthopt *sshauthopt_new(void);
68 struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
69 void sshauthopt_free(struct sshauthopt *opts);
70 struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
71 int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
72 int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
73 
74 /*
75  * Parse authorized_keys options. Returns an options structure on success
76  * or NULL on failure. Will set errstr on failure.
77  */
78 struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
79 
80 /*
81  * Parse certification options to a struct sshauthopt.
82  * Returns options on success or NULL on failure.
83  */
84 struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
85 
86 /*
87  * Merge key options.
88  */
89 struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
90     const struct sshauthopt *additional, const char **errstrp);
91 
92 #endif
93