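/* $NetBSD: auth-options.h,v 1.14 2020/12/04 18:42:49 christos Exp $ */
/* $OpenBSD: auth-options.h,v 1.30 2020/08/27 01:07:09 djm Exp $ */

/*
 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef AUTH_OPTIONS_H
#define AUTH_OPTIONS_H

/*
 * The structure below uses size_t and uint64_t; include their headers so
 * this file is self-contained instead of depending on includer order.
 */
#include <stddef.h>
#include <stdint.h>

/*
 * Forward declarations. This header only ever handles pointers to these
 * types, so their full definitions are not needed here. "struct sshbuf"
 * is declared at file scope so the prototypes below refer to the real
 * type rather than a prototype-scoped one (which would be an incompatible
 * type when sshbuf.h is not included first).
 */
struct passwd;
struct sshbuf;
struct sshkey;

/*
 * Maximum number of permitopen/permitlisten directives to accept.
 * Bounds what the parser will keep for a single key (and hence the memory
 * spent on it).
 */
#define SSH_AUTHOPT_PERMIT_MAX 4096

/*
 * sshauthopt represents key options parsed from authorized_keys or
 * from certificate extensions/options.
 *
 * Instances are created by sshauthopt_new()/sshauthopt_new_with_keys_defaults()
 * or by the parse/from_cert/copy/merge/deserialise functions below, and
 * released with sshauthopt_free(), which is expected to own every char *
 * and char ** member held here.
 */
struct sshauthopt {
	/* Feature flags (non-zero = permitted) */
	int permit_port_forwarding_flag;
	int permit_agent_forwarding_flag;
	int permit_x11_forwarding_flag;
	int permit_pty_flag;
	int permit_user_rc;

	/* "restrict" keyword was invoked */
	int restricted;

	/* key/principal expiry date */
	uint64_t valid_before;

	/* Certificate-related options */
	int cert_authority;
	char *cert_principals;

	int force_tun_device;
	char *force_command;

	/* Custom environment: nenv entries in env */
	size_t nenv;
	char **env;

	/* Permitted port forwardings: npermitopen entries in permitopen */
	size_t npermitopen;
	char **permitopen;

	/*
	 * Permitted listens (remote forwarding):
	 * npermitlisten entries in permitlisten
	 */
	size_t npermitlisten;
	char **permitlisten;

	/*
	 * Permitted host/addresses (comma-separated)
	 * Caller must check source address matches both lists (if present).
	 * Nothing in this structure enforces the restriction by itself; a
	 * consumer that forgets the check silently widens where the key may
	 * be used from.
	 */
	char *required_from_host_cert;
	char *required_from_host_keys;

	/*
	 * Key requires user presence asserted.
	 * NOTE(review): the name reads as a negated flag (set when presence
	 * is NOT required); confirm the polarity against the parser before
	 * relying on it.
	 */
	int no_require_user_presence;
	/* Key requires user verification (e.g. PIN) */
	int require_verify;
};

/* Allocate a new, zeroed options structure; NULL on allocation failure. */
struct sshauthopt *sshauthopt_new(void);
/* Allocate an options structure initialised with the defaults used for keys. */
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
/* Release opts and everything it owns; accepts NULL. */
void sshauthopt_free(struct sshauthopt *opts);
/* Deep-copy orig into a newly allocated structure; NULL on failure. */
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
/*
 * Serialise opts into m / reconstruct opts from m. Both return 0 on
 * success or a non-zero ssherr code on failure. The trailing int of
 * sshauthopt_serialise is a flag controlling which fields are emitted;
 * see auth-options.c for its exact meaning.
 */
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);

/*
 * Parse authorized_keys options. Returns an options structure on success
 * or NULL on failure. Will set errstr on failure.
 */
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);

/*
 * Parse certification options to a struct sshauthopt.
 * Returns options on success or NULL on failure.
 */
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);

/*
 * Merge key options. Returns a newly allocated structure combining
 * primary and additional, or NULL on failure; presumably sets *errstrp
 * on failure in the same way sshauthopt_parse sets errstr (confirm in
 * auth-options.c).
 */
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
    const struct sshauthopt *additional, const char **errstrp);

#endif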