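/* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */

/*
 * Copyright (c) 2018 Damien Miller <[email protected]>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef AUTH_OPTIONS_H
#define AUTH_OPTIONS_H

/*
 * Incomplete types used by the prototypes below. This header relies on
 * the including translation unit having already pulled in <stdint.h> and
 * <stddef.h> (or sys/types.h) for uint64_t and size_t.
 */
struct passwd;
struct sshkey;
/*
 * Declared at file scope so that the "struct sshbuf *" parameters of
 * sshauthopt_serialise()/sshauthopt_deserialise() refer to the same
 * incomplete type as sshbuf.h rather than to a prototype-scoped one.
 */
struct sshbuf;

/*
 * Maximum number of permitopen/permitlisten directives to accept.
 * Bounds the size of the permitopen/permitlisten arrays below.
 */
#define SSH_AUTHOPT_PERMIT_MAX 4096

/*
 * Maximum number of environment directives to accept.
 * Bounds the size of the env array below.
 */
#define SSH_AUTHOPT_ENV_MAX 1024

/*
 * sshauthopt represents key options parsed from authorized_keys or
 * from certificate extensions/options.
 *
 * Flag members are plain ints used as booleans. String and array members
 * are heap-allocated and owned by the structure; release the whole
 * structure with sshauthopt_free().
 */
struct sshauthopt {
	/* Feature flags */
	int permit_port_forwarding_flag;
	int permit_agent_forwarding_flag;
	int permit_x11_forwarding_flag;
	int permit_pty_flag;
	int permit_user_rc;

	/* "restrict" keyword was invoked */
	int restricted;

	/* key/principal expiry date */
	uint64_t valid_before;

	/* Certificate-related options */
	int cert_authority;
	char *cert_principals;

	int force_tun_device;
	char *force_command;

	/* Custom environment: nenv entries in env */
	size_t nenv;
	char **env;

	/* Permitted port forwardings: npermitopen entries in permitopen */
	size_t npermitopen;
	char **permitopen;

	/*
	 * Permitted listens (remote forwarding): npermitlisten entries in
	 * permitlisten
	 */
	size_t npermitlisten;
	char **permitlisten;

	/*
	 * Permitted host/addresses (comma-separated)
	 * Caller must check source address matches both lists (if present).
	 * A NULL entry means that list imposes no restriction.
	 */
	char *required_from_host_cert;
	char *required_from_host_keys;

	/* Key requires user presence asserted */
	int no_require_user_presence;
	/* Key requires user verification (e.g. PIN) */
	int require_verify;
};

/* Allocate an options structure; NULL on allocation failure. */
struct sshauthopt *sshauthopt_new(void);
/* Allocate an options structure initialised with the authorized_keys defaults. */
struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
/* Release opts and everything it owns; opts may be NULL. */
void sshauthopt_free(struct sshauthopt *opts);
/* Deep-copy orig into a newly allocated structure; NULL on failure. */
struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
/*
 * Append a serialised form of opts to m. When untrusted is non-zero the
 * consumer is not trusted and fields unsafe to disclose are withheld;
 * see auth-options.c for the exact set. Returns 0 on success or a
 * negative ssherr.h value.
 */
int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
    int untrusted);
/*
 * Consume a serialised options structure from m into a newly allocated
 * *opts. Returns 0 on success or a negative ssherr.h value; *opts is
 * only valid on success.
 */
int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);

/*
 * Parse authorized_keys options. Returns an options structure on success
 * or NULL on failure. Will set errstr on failure.
 */
struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);

/*
 * Parse certification options to a struct sshauthopt.
 * Returns options on success or NULL on failure.
 */
struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);

/*
 * Merge key options. Returns a newly allocated structure combining
 * primary and additional, or NULL on failure with *errstrp set.
 * The inputs are not modified or consumed.
 */
struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
    const struct sshauthopt *additional, const char **errstrp);

#endif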