diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2021-12-19 22:10:24 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2021-12-20 09:25:17 +1100 |
| commit | 5e950d765727ee0b20fc3d2cbb0c790b21ac2425 (patch) | |
| tree | 9c93c8a36465ed4289f02eb3c962b3d1b02e0de5 /authfd.h | |
| parent | 4c1e3ce85e183a9d0c955c88589fed18e4d6a058 (diff) | |
| download | openssh-git-5e950d765727ee0b20fc3d2cbb0c790b21ac2425.tar.gz | |
upstream: ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: ef47fa9ec0e3c2a82e30d37ef616e245df73163e
Diffstat (limited to 'authfd.h')
| -rw-r--r-- | authfd.h | 26 |
1 files changed, 22 insertions, 4 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.50 2021/12/19 22:08:48 djm Exp $ */ +/* $OpenBSD: authfd.h,v 1.51 2021/12/19 22:10:24 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -17,6 +17,7 @@ #define AUTHFD_H struct sshbuf; +struct sshkey; /* List of identities returned by ssh_fetch_identitylist() */ struct ssh_identitylist { @@ -25,6 +26,20 @@ struct ssh_identitylist { char **comments; }; +/* Key destination restrictions */ +struct dest_constraint_hop { + char *user; /* wildcards allowed */ + char *hostname; /* used to matching cert principals and for display */ + int is_ca; + u_int nkeys; /* number of entries in *both* 'keys' and 'key_is_ca' */ + struct sshkey **keys; + int *key_is_ca; +}; +struct dest_constraint { + struct dest_constraint_hop from; + struct dest_constraint_hop to; +}; + int ssh_get_authentication_socket(int *fdp); int ssh_get_authentication_socket_path(const char *authsocket, int *fdp); void ssh_close_authentication_socket(int sock); @@ -33,12 +48,15 @@ int ssh_lock_agent(int sock, int lock, const char *password); int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp); void ssh_free_identitylist(struct ssh_identitylist *idl); int ssh_add_identity_constrained(int sock, struct sshkey *key, - const char *comment, u_int life, u_int confirm, u_int maxsign, - const char *provider); + const char *comment, u_int life, u_int confirm, u_int maxsign, + const char *provider, struct dest_constraint **dest_constraints, + size_t ndest_constraints); int ssh_agent_has_key(int sock, const struct sshkey *key); int ssh_remove_identity(int sock, const struct sshkey *key); int ssh_update_card(int sock, int add, const char *reader_id, - const char *pin, u_int life, u_int confirm); + const char *pin, u_int life, u_int confirm, + struct dest_constraint **dest_constraints, + size_t ndest_constraints); int ssh_remove_all_identities(int sock, int version); int ssh_agent_sign(int sock, const struct sshkey *key, |