1 /*        $NetBSD: auth-options.h,v 1.15 2021/09/02 11:26:17 christos Exp $     */
2 /* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */
3 
4 /*
5  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #ifndef AUTH_OPTIONS_H
21 #define AUTH_OPTIONS_H
22 
23 struct passwd;
24 struct sshkey;
25 
26 /* Maximum number of permitopen/permitlisten directives to accept */
27 #define SSH_AUTHOPT_PERMIT_MAX          4096
28 
29 /* Maximum number of environment directives to accept */
30 #define SSH_AUTHOPT_ENV_MAX   1024
31 
32 /*
33  * sshauthopt represents key options parsed from authorized_keys or
34  * from certificate extensions/options.
35  */
36 struct sshauthopt {
37           /* Feature flags */
38           int permit_port_forwarding_flag;
39           int permit_agent_forwarding_flag;
40           int permit_x11_forwarding_flag;
41           int permit_pty_flag;
42           int permit_user_rc;
43 
44           /* "restrict" keyword was invoked */
45           int restricted;
46 
47           /* key/principal expiry date */
48           uint64_t valid_before;
49 
50           /* Certificate-related options */
51           int cert_authority;
52           char *cert_principals;
53 
54           int force_tun_device;
55           char *force_command;
56 
57           /* Custom environment */
58           size_t nenv;
59           char **env;
60 
61           /* Permitted port forwardings */
62           size_t npermitopen;
63           char **permitopen;
64 
65           /* Permitted listens (remote forwarding) */
66           size_t npermitlisten;
67           char **permitlisten;
68 
69           /*
70            * Permitted host/addresses (comma-separated)
71            * Caller must check source address matches both lists (if present).
72            */
73           char *required_from_host_cert;
74           char *required_from_host_keys;
75 
76           /* Key requires user presence asserted */
77           int no_require_user_presence;
78           /* Key requires user verification (e.g. PIN) */
79           int require_verify;
80 };
81 
82 struct sshauthopt *sshauthopt_new(void);
83 struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
84 void sshauthopt_free(struct sshauthopt *opts);
85 struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
86 int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
87 int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
88 
89 /*
90  * Parse authorized_keys options. Returns an options structure on success
91  * or NULL on failure. Will set errstr on failure.
92  */
93 struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
94 
95 /*
96  * Parse certification options to a struct sshauthopt.
97  * Returns options on success or NULL on failure.
98  */
99 struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
100 
101 /*
102  * Merge key options.
103  */
104 struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
105     const struct sshauthopt *additional, const char **errstrp);
106 
107 #endif
108