diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-03-03 04:06:02 +0100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-03-03 04:22:11 +0100 |
commit | 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (patch) | |
tree | 81333f6969082c66dd6261573f48644dd3203494 /auth-options.h | |
parent | upstream: warn when the agent returns a signature type that was (diff) | |
download | openssh-90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b.tar.xz openssh-90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b.zip |
upstream: Introduce a new API for handling authorized_keys options.
This API parses options to a dedicated structure rather than the old API's
approach of setting global state. It also includes support for merging
options, e.g. from authorized_keys, authorized_principals and/or
certificates.
feedback and ok markus@
OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2
Diffstat (limited to '')
-rw-r--r-- | auth-options.h | 70 |
1 files changed, 69 insertions, 1 deletions
diff --git a/auth-options.h b/auth-options.h index 547f01635..0dbfc325e 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */ +/* $OpenBSD: auth-options.h,v 1.24 2018/03/03 03:06:02 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -15,6 +15,9 @@ #ifndef AUTH_OPTIONS_H #define AUTH_OPTIONS_H +struct passwd; +struct sshkey; + /* Linked list of custom environment strings */ struct envstring { struct envstring *next; @@ -37,4 +40,69 @@ int auth_parse_options(struct passwd *, char *, const char *, u_long); void auth_clear_options(void); int auth_cert_options(struct sshkey *, struct passwd *, const char **); +/* authorized_keys options handling */ + +/* + * sshauthopt represents key options parsed from authorized_keys or + * from certificate extensions/options. + */ +struct sshauthopt { + /* Feature flags */ + int permit_port_forwarding_flag; + int permit_agent_forwarding_flag; + int permit_x11_forwarding_flag; + int permit_pty_flag; + int permit_user_rc; + + /* "restrict" keyword was invoked */ + int restricted; + + /* Certificate-related options */ + int cert_authority; + char *cert_principals; + + int force_tun_device; + char *force_command; + + /* Custom environment */ + size_t nenv; + char **env; + + /* Permitted port forwardings */ + size_t npermitopen; + char **permitopen; + + /* + * Permitted host/addresses (comma-separated) + * Caller must check source address matches both lists (if present). + */ + char *required_from_host_cert; + char *required_from_host_keys; +}; + +struct sshauthopt *sshauthopt_new(void); +struct sshauthopt *sshauthopt_new_with_keys_defaults(void); +void sshauthopt_free(struct sshauthopt *opts); +struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig); +int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int); +int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts); + +/* + * Parse authorized_keys options. Returns an options structure on success + * or NULL on failure. Will set errstr on failure. + */ +struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr); + +/* + * Parse certification options to a struct sshauthopt. + * Returns options on success or NULL on failure. + */ +struct sshauthopt *sshauthopt_from_cert(struct sshkey *k); + +/* + * Merge key options. + */ +struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary, + const struct sshauthopt *additional, const char **errstrp); + #endif |