xref: /freebsd/crypto/openssh/auth-options.h (revision fe6060f10f634930ff71b7c50291ddc610da2475)
1 /* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */
2 
3 /*
4  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #ifndef AUTH_OPTIONS_H
20 #define AUTH_OPTIONS_H
21 
22 struct passwd;
23 struct sshkey;
24 
25 /* Maximum number of permitopen/permitlisten directives to accept */
26 #define SSH_AUTHOPT_PERMIT_MAX	4096
27 
28 /* Maximum number of environment directives to accept */
29 #define SSH_AUTHOPT_ENV_MAX	1024
30 
31 /*
32  * sshauthopt represents key options parsed from authorized_keys or
33  * from certificate extensions/options.
34  */
35 struct sshauthopt {
36 	/* Feature flags */
37 	int permit_port_forwarding_flag;
38 	int permit_agent_forwarding_flag;
39 	int permit_x11_forwarding_flag;
40 	int permit_pty_flag;
41 	int permit_user_rc;
42 
43 	/* "restrict" keyword was invoked */
44 	int restricted;
45 
46 	/* key/principal expiry date */
47 	uint64_t valid_before;
48 
49 	/* Certificate-related options */
50 	int cert_authority;
51 	char *cert_principals;
52 
53 	int force_tun_device;
54 	char *force_command;
55 
56 	/* Custom environment */
57 	size_t nenv;
58 	char **env;
59 
60 	/* Permitted port forwardings */
61 	size_t npermitopen;
62 	char **permitopen;
63 
64 	/* Permitted listens (remote forwarding) */
65 	size_t npermitlisten;
66 	char **permitlisten;
67 
68 	/*
69 	 * Permitted host/addresses (comma-separated)
70 	 * Caller must check source address matches both lists (if present).
71 	 */
72 	char *required_from_host_cert;
73 	char *required_from_host_keys;
74 
75 	/* Key requires user presence asserted */
76 	int no_require_user_presence;
77 	/* Key requires user verification (e.g. PIN) */
78 	int require_verify;
79 };
80 
81 struct sshauthopt *sshauthopt_new(void);
82 struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
83 void sshauthopt_free(struct sshauthopt *opts);
84 struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
85 int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
86 int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
87 
88 /*
89  * Parse authorized_keys options. Returns an options structure on success
90  * or NULL on failure. Will set errstr on failure.
91  */
92 struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
93 
94 /*
95  * Parse certification options to a struct sshauthopt.
96  * Returns options on success or NULL on failure.
97  */
98 struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
99 
100 /*
101  * Merge key options.
102  */
103 struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
104     const struct sshauthopt *additional, const char **errstrp);
105 
106 #endif
107