author | djm@openbsd.org <djm@openbsd.org> | 2018-03-03 03:06:02 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-03-03 14:22:11 +1100 |
commit | 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (patch) | |
tree | 81333f6969082c66dd6261573f48644dd3203494 /auth-options.h | |
parent | 26074380767e639ef89321610e146ae11016b385 (diff) |
upstream: Introduce a new API for handling authorized_keys options.
This API parses options to a dedicated structure rather than the old API's
approach of setting global state. It also includes support for merging
options, e.g. from authorized_keys, authorized_principals and/or
certificates.
feedback and ok markus@
OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2
Diffstat (limited to 'auth-options.h')
-rw-r--r-- | auth-options.h | 70 |
1 files changed, 69 insertions, 1 deletions
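--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */
+/* $OpenBSD: auth-options.h,v 1.24 2018/03/03 03:06:02 djm Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,6 +15,9 @@
 #ifndef AUTH_OPTIONS_H
 #define AUTH_OPTIONS_H
 
+struct passwd;
+struct sshkey;
+
 /* Linked list of custom environment strings */
 struct envstring {
 struct envstring *next;
@@ -37,4 +40,69 @@ int auth_parse_options(struct passwd *, char *, const char *, u_long);
 void auth_clear_options(void);
 int auth_cert_options(struct sshkey *, struct passwd *, const char **);
 
+/* authorized_keys options handling */
+
+/*
+* sshauthopt represents key options parsed from authorized_keys or
+* from certificate extensions/options.
+*/
+struct sshauthopt {
+/* Feature flags */
+int permit_port_forwarding_flag;
+int permit_agent_forwarding_flag;
+int permit_x11_forwarding_flag;
+int permit_pty_flag;
+int permit_user_rc;
+
+/* "restrict" keyword was invoked */
+int restricted;
+
+/* Certificate-related options */
+int cert_authority;
+char *cert_principals;
+
+int force_tun_device;
+char *force_command;
+
+/* Custom environment */
+size_t nenv;
+char **env;
+
+/* Permitted port forwardings */
+size_t npermitopen;
+char **permitopen;
+
+/*
+* Permitted host/addresses (comma-separated)
+* Caller must check source address matches both lists (if present).
+*/
+char *required_from_host_cert;
+char *required_from_host_keys;
+};
+
+struct sshauthopt *sshauthopt_new(void);
+struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
+void sshauthopt_free(struct sshauthopt *opts);
+struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
+int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
+int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
+
+/*
+* Parse authorized_keys options. Returns an options structure on success
+* or NULL on failure. Will set errstr on failure.
+*/
+struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
+
+/*
+* Parse certification options to a struct sshauthopt.
+* Returns options on success or NULL on failure.
+*/
+struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
+
+/*
+* Merge key options.
+*/
+struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
+const struct sshauthopt *additional, const char **errstrp);
+
 #endif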
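Review bot: The new prototypes for sshauthopt_serialise and sshauthopt_deserialise take `struct sshbuf *`, but the hunk forward-declares only `struct passwd;` and `struct sshkey;`, so unless sshbuf.h is always included before this header the tag gets prototype scope and the compiler warns it will not be visible outside the declaration. Adding `struct sshbuf;` beside the other two forward declarations at the top of the header removes that dependency on include order. The trailing unnamed `int` on sshauthopt_serialise is the only anonymous parameter in the new API; naming it (or documenting it above the prototype) would tell callers what the flag controls. The comment on sshauthopt_merge says only "Merge key options." and should state which side wins when primary and additional conflict, that the result is a fresh object the caller releases with sshauthopt_free(), and whether errstrp is set on NULL return, since callers will rely on this for enforcing restrictions. Because the required_from_host_* comment pushes a security check to the caller, it is worth spelling out there that a source address must satisfy every non-NULL list rather than either one.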