From 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 3 Mar 2018 03:06:02 +0000 Subject: upstream: Introduce a new API for handling authorized_keys options. This API parses options to a dedicated structure rather than the old API's approach of setting global state. It also includes support for merging options, e.g. from authorized_keys, authorized_principals and/or certificates. feedback and ok markus@ OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2 --- auth-options.h | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) (limited to 'auth-options.h') diff --git a/auth-options.h b/auth-options.h index 547f01635..0dbfc325e 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */ +/* $OpenBSD: auth-options.h,v 1.24 2018/03/03 03:06:02 djm Exp $ */ /* * Author: Tatu Ylonen @@ -15,6 +15,9 @@ #ifndef AUTH_OPTIONS_H #define AUTH_OPTIONS_H +struct passwd; +struct sshkey; + /* Linked list of custom environment strings */ struct envstring { struct envstring *next; @@ -37,4 +40,69 @@ int auth_parse_options(struct passwd *, char *, const char *, u_long); void auth_clear_options(void); int auth_cert_options(struct sshkey *, struct passwd *, const char **); +/* authorized_keys options handling */ + +/* + * sshauthopt represents key options parsed from authorized_keys or + * from certificate extensions/options. + */ +struct sshauthopt { + /* Feature flags */ + int permit_port_forwarding_flag; + int permit_agent_forwarding_flag; + int permit_x11_forwarding_flag; + int permit_pty_flag; + int permit_user_rc; + + /* "restrict" keyword was invoked */ + int restricted; + + /* Certificate-related options */ + int cert_authority; + char *cert_principals; + + int force_tun_device; + char *force_command; + + /* Custom environment */ + size_t nenv; + char **env; + + /* Permitted port forwardings */ + size_t npermitopen; + char **permitopen; + + /* + * Permitted host/addresses (comma-separated) + * Caller must check source address matches both lists (if present). + */ + char *required_from_host_cert; + char *required_from_host_keys; +}; + +struct sshauthopt *sshauthopt_new(void); +struct sshauthopt *sshauthopt_new_with_keys_defaults(void); +void sshauthopt_free(struct sshauthopt *opts); +struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig); +int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int); +int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts); + +/* + * Parse authorized_keys options. Returns an options structure on success + * or NULL on failure. Will set errstr on failure. + */ +struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr); + +/* + * Parse certification options to a struct sshauthopt. + * Returns options on success or NULL on failure. + */ +struct sshauthopt *sshauthopt_from_cert(struct sshkey *k); + +/* + * Merge key options. + */ +struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary, + const struct sshauthopt *additional, const char **errstrp); + #endif -- cgit v1.2.3