crypto/openssh/auth-options.h

   1 /* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */
   2
   3 /*
   4  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
   5  *
   6  * Permission to use, copy, modify, and distribute this software for any
   7  * purpose with or without fee is hereby granted, provided that the above
   8  * copyright notice and this permission notice appear in all copies.
   9  *
  10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17  */
  18
  19 #ifndef AUTH_OPTIONS_H
  20 #define AUTH_OPTIONS_H
  21
  22 struct passwd;
  23 struct sshkey;
  24
  25 /* Maximum number of permitopen/permitlisten directives to accept */
  26 #define SSH_AUTHOPT_PERMIT_MAX  4096
  27
  28 /* Maximum number of environment directives to accept */
  29 #define SSH_AUTHOPT_ENV_MAX     1024
  30
  31 /*
  32  * sshauthopt represents key options parsed from authorized_keys or
  33  * from certificate extensions/options.
  34  */
  35 struct sshauthopt {
  36         /* Feature flags */
  37         int permit_port_forwarding_flag;
  38         int permit_agent_forwarding_flag;
  39         int permit_x11_forwarding_flag;
  40         int permit_pty_flag;
  41         int permit_user_rc;
  42
  43         /* "restrict" keyword was invoked */
  44         int restricted;
  45
  46         /* key/principal expiry date */
  47         uint64_t valid_before;
  48
  49         /* Certificate-related options */
  50         int cert_authority;
  51         char *cert_principals;
  52
  53         int force_tun_device;
  54         char *force_command;
  55
  56         /* Custom environment */
  57         size_t nenv;
  58         char **env;
  59
  60         /* Permitted port forwardings */
  61         size_t npermitopen;
  62         char **permitopen;
  63
  64         /* Permitted listens (remote forwarding) */
  65         size_t npermitlisten;
  66         char **permitlisten;
  67
  68         /*
  69          * Permitted host/addresses (comma-separated)
  70          * Caller must check source address matches both lists (if present).
  71          */
  72         char *required_from_host_cert;
  73         char *required_from_host_keys;
  74
  75         /* Key requires user presence asserted */
  76         int no_require_user_presence;
  77         /* Key requires user verification (e.g. PIN) */
  78         int require_verify;
  79 };
  80
  81 struct sshauthopt *sshauthopt_new(void);
  82 struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
  83 void sshauthopt_free(struct sshauthopt *opts);
  84 struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
  85 int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
  86 int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
  87
  88 /*
  89  * Parse authorized_keys options. Returns an options structure on success
  90  * or NULL on failure. Will set errstr on failure.
  91  */
  92 struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
  93
  94 /*
  95  * Parse certification options to a struct sshauthopt.
  96  * Returns options on success or NULL on failure.
  97  */
  98 struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
  99
 100 /*
 101  * Merge key options.
 102  */
 103 struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
 104     const struct sshauthopt *additional, const char **errstrp);
 105
 106 #endif