mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-12 12:35:58 +08:00
801c9f095e
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
104 lines
3.0 KiB
C
104 lines
3.0 KiB
C
/* $OpenBSD: auth-options.h,v 1.30 2020/08/27 01:07:09 djm Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#ifndef AUTH_OPTIONS_H
|
|
#define AUTH_OPTIONS_H
|
|
|
|
struct passwd;
|
|
struct sshkey;
|
|
|
|
/* Maximum number of permitopen/permitlisten directives to accept */
|
|
#define SSH_AUTHOPT_PERMIT_MAX 4096
|
|
|
|
/*
|
|
* sshauthopt represents key options parsed from authorized_keys or
|
|
* from certificate extensions/options.
|
|
*/
|
|
struct sshauthopt {
|
|
/* Feature flags */
|
|
int permit_port_forwarding_flag;
|
|
int permit_agent_forwarding_flag;
|
|
int permit_x11_forwarding_flag;
|
|
int permit_pty_flag;
|
|
int permit_user_rc;
|
|
|
|
/* "restrict" keyword was invoked */
|
|
int restricted;
|
|
|
|
/* key/principal expiry date */
|
|
uint64_t valid_before;
|
|
|
|
/* Certificate-related options */
|
|
int cert_authority;
|
|
char *cert_principals;
|
|
|
|
int force_tun_device;
|
|
char *force_command;
|
|
|
|
/* Custom environment */
|
|
size_t nenv;
|
|
char **env;
|
|
|
|
/* Permitted port forwardings */
|
|
size_t npermitopen;
|
|
char **permitopen;
|
|
|
|
/* Permitted listens (remote forwarding) */
|
|
size_t npermitlisten;
|
|
char **permitlisten;
|
|
|
|
/*
|
|
* Permitted host/addresses (comma-separated)
|
|
* Caller must check source address matches both lists (if present).
|
|
*/
|
|
char *required_from_host_cert;
|
|
char *required_from_host_keys;
|
|
|
|
/* Key requires user presence asserted */
|
|
int no_require_user_presence;
|
|
/* Key requires user verification (e.g. PIN) */
|
|
int require_verify;
|
|
};
|
|
|
|
struct sshauthopt *sshauthopt_new(void);
|
|
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
|
|
void sshauthopt_free(struct sshauthopt *opts);
|
|
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
|
|
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
|
|
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
|
|
|
|
/*
|
|
* Parse authorized_keys options. Returns an options structure on success
|
|
* or NULL on failure. Will set errstr on failure.
|
|
*/
|
|
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
|
|
|
|
/*
|
|
* Parse certification options to a struct sshauthopt.
|
|
* Returns options on success or NULL on failure.
|
|
*/
|
|
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
|
|
|
|
/*
|
|
* Merge key options.
|
|
*/
|
|
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
|
|
const struct sshauthopt *additional, const char **errstrp);
|
|
|
|
#endif
|