1/* $OpenBSD: auth-options.h,v 1.27 2018/06/06 18:23:32 djm Exp $ */ 2 3/* 4 * Copyright (c) 2018 Damien Miller <djm@mindrot.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#ifndef AUTH_OPTIONS_H 20#define AUTH_OPTIONS_H 21 22struct passwd; 23struct sshkey; 24 25/* 26 * sshauthopt represents key options parsed from authorized_keys or 27 * from certificate extensions/options. 28 */ 29struct sshauthopt { 30 /* Feature flags */ 31 int permit_port_forwarding_flag; 32 int permit_agent_forwarding_flag; 33 int permit_x11_forwarding_flag; 34 int permit_pty_flag; 35 int permit_user_rc; 36 37 /* "restrict" keyword was invoked */ 38 int restricted; 39 40 /* key/principal expiry date */ 41 uint64_t valid_before; 42 43 /* Certificate-related options */ 44 int cert_authority; 45 char *cert_principals; 46 47 int force_tun_device; 48 char *force_command; 49 50 /* Custom environment */ 51 size_t nenv; 52 char **env; 53 54 /* Permitted port forwardings */ 55 size_t npermitopen; 56 char **permitopen; 57 58 /* Permitted listens (remote forwarding) */ 59 size_t npermitlisten; 60 char **permitlisten; 61 62 /* 63 * Permitted host/addresses (comma-separated) 64 * Caller must check source address matches both lists (if present). 65 */ 66 char *required_from_host_cert; 67 char *required_from_host_keys; 68}; 69 70struct sshauthopt *sshauthopt_new(void); 71struct sshauthopt *sshauthopt_new_with_keys_defaults(void); 72void sshauthopt_free(struct sshauthopt *opts); 73struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig); 74int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int); 75int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts); 76 77/* 78 * Parse authorized_keys options. Returns an options structure on success 79 * or NULL on failure. Will set errstr on failure. 80 */ 81struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr); 82 83/* 84 * Parse certification options to a struct sshauthopt. 85 * Returns options on success or NULL on failure. 86 */ 87struct sshauthopt *sshauthopt_from_cert(struct sshkey *k); 88 89/* 90 * Merge key options. 91 */ 92struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary, 93 const struct sshauthopt *additional, const char **errstrp); 94 95#endif 96