mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-30 17:32:51 +08:00
2e71263b80
a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
102 lines
2.9 KiB
C
102 lines
2.9 KiB
C
/* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#ifndef AUTH_OPTIONS_H
|
|
#define AUTH_OPTIONS_H
|
|
|
|
struct passwd;
|
|
struct sshkey;
|
|
|
|
/* Maximum number of permitopen/permitlisten directives to accept */
|
|
#define SSH_AUTHOPT_PERMIT_MAX 4096
|
|
|
|
/*
|
|
* sshauthopt represents key options parsed from authorized_keys or
|
|
* from certificate extensions/options.
|
|
*/
|
|
struct sshauthopt {
|
|
/* Feature flags */
|
|
int permit_port_forwarding_flag;
|
|
int permit_agent_forwarding_flag;
|
|
int permit_x11_forwarding_flag;
|
|
int permit_pty_flag;
|
|
int permit_user_rc;
|
|
|
|
/* "restrict" keyword was invoked */
|
|
int restricted;
|
|
|
|
/* key/principal expiry date */
|
|
uint64_t valid_before;
|
|
|
|
/* Certificate-related options */
|
|
int cert_authority;
|
|
char *cert_principals;
|
|
|
|
int force_tun_device;
|
|
char *force_command;
|
|
|
|
/* Custom environment */
|
|
size_t nenv;
|
|
char **env;
|
|
|
|
/* Permitted port forwardings */
|
|
size_t npermitopen;
|
|
char **permitopen;
|
|
|
|
/* Permitted listens (remote forwarding) */
|
|
size_t npermitlisten;
|
|
char **permitlisten;
|
|
|
|
/*
|
|
* Permitted host/addresses (comma-separated)
|
|
* Caller must check source address matches both lists (if present).
|
|
*/
|
|
char *required_from_host_cert;
|
|
char *required_from_host_keys;
|
|
|
|
/* Key requires user presence asserted */
|
|
int no_require_user_presence;
|
|
};
|
|
|
|
struct sshauthopt *sshauthopt_new(void);
|
|
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
|
|
void sshauthopt_free(struct sshauthopt *opts);
|
|
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
|
|
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
|
|
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
|
|
|
|
/*
|
|
* Parse authorized_keys options. Returns an options structure on success
|
|
* or NULL on failure. Will set errstr on failure.
|
|
*/
|
|
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
|
|
|
|
/*
|
|
* Parse certification options to a struct sshauthopt.
|
|
* Returns options on success or NULL on failure.
|
|
*/
|
|
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
|
|
|
|
/*
|
|
* Merge key options.
|
|
*/
|
|
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
|
|
const struct sshauthopt *additional, const char **errstrp);
|
|
|
|
#endif
|