1/* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */ 2 3/* 4 * Copyright (c) 2018 Damien Miller <djm@mindrot.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#ifndef AUTH_OPTIONS_H 20#define AUTH_OPTIONS_H 21 22struct passwd; 23struct sshkey; 24 25/* Maximum number of permitopen/permitlisten directives to accept */ 26#define SSH_AUTHOPT_PERMIT_MAX 4096 27 28/* Maximum number of environment directives to accept */ 29#define SSH_AUTHOPT_ENV_MAX 1024 30 31/* 32 * sshauthopt represents key options parsed from authorized_keys or 33 * from certificate extensions/options. 34 */ 35struct sshauthopt { 36 /* Feature flags */ 37 int permit_port_forwarding_flag; 38 int permit_agent_forwarding_flag; 39 int permit_x11_forwarding_flag; 40 int permit_pty_flag; 41 int permit_user_rc; 42 43 /* "restrict" keyword was invoked */ 44 int restricted; 45 46 /* key/principal expiry date */ 47 uint64_t valid_before; 48 49 /* Certificate-related options */ 50 int cert_authority; 51 char *cert_principals; 52 53 int force_tun_device; 54 char *force_command; 55 56 /* Custom environment */ 57 size_t nenv; 58 char **env; 59 60 /* Permitted port forwardings */ 61 size_t npermitopen; 62 char **permitopen; 63 64 /* Permitted listens (remote forwarding) */ 65 size_t npermitlisten; 66 char **permitlisten; 67 68 /* 69 * Permitted host/addresses (comma-separated) 70 * Caller must check source address matches both lists (if present). 71 */ 72 char *required_from_host_cert; 73 char *required_from_host_keys; 74 75 /* Key requires user presence asserted */ 76 int no_require_user_presence; 77 /* Key requires user verification (e.g. PIN) */ 78 int require_verify; 79}; 80 81struct sshauthopt *sshauthopt_new(void); 82struct sshauthopt *sshauthopt_new_with_keys_defaults(void); 83void sshauthopt_free(struct sshauthopt *opts); 84struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig); 85int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int); 86int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts); 87 88/* 89 * Parse authorized_keys options. Returns an options structure on success 90 * or NULL on failure. Will set errstr on failure. 91 */ 92struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr); 93 94/* 95 * Parse certification options to a struct sshauthopt. 96 * Returns options on success or NULL on failure. 97 */ 98struct sshauthopt *sshauthopt_from_cert(struct sshkey *k); 99 100/* 101 * Merge key options. 102 */ 103struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary, 104 const struct sshauthopt *additional, const char **errstrp); 105 106#endif 107