diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-03-12 00:52:01 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-03-14 18:55:32 +1100 |
| commit | bf0fbf2b11a44f06a64b620af7d01ff171c28e13 (patch) | |
| tree | bebb13975a12e80a295cafeec72417a6911ea750 /auth-options.c | |
| parent | fbd733ab7adc907118a6cf56c08ed90c7000043f (diff) | |
upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@
OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/auth-options.c b/auth-options.c index 484e44b7..38211fa2 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.76 2018/03/03 03:15:51 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.77 2018/03/12 00:52:01 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller <djm@mindrot.org> * @@ -311,6 +311,7 @@ sshauthopt_parse(const char *opts, const char **errstrp) int r; struct sshauthopt *ret = NULL; const char *errstr = "unknown error"; + uint64_t valid_before; if (errstrp != NULL) *errstrp = NULL; @@ -366,6 +367,19 @@ sshauthopt_parse(const char *opts, const char **errstrp) &errstr); if (ret->required_from_host_keys == NULL) goto fail; + } else if (opt_match(&opts, "valid-before")) { + if ((opt = opt_dequote(&opts, &errstr)) == NULL) + goto fail; + if (parse_absolute_time(opt, &valid_before) != 0 || + valid_before == 0) { + free(opt); + errstr = "invalid expires time"; + goto fail; + } + free(opt); + if (ret->valid_before == 0 || + valid_before < ret->valid_before) + ret->valid_before = valid_before; } else if (opt_match(&opts, "environment")) { if (ret->nenv > INT_MAX) { errstr = "too many environment strings"; @@ -572,6 +586,13 @@ sshauthopt_merge(const struct sshauthopt *primary, OPTFLAG(permit_user_rc); #undef OPTFLAG + /* Earliest expiry time should win */ + if (primary->valid_before != 0) + ret->valid_before = primary->valid_before; + if (additional->valid_before != 0 && + additional->valid_before < ret->valid_before) + ret->valid_before = additional->valid_before; + /* * When both multiple forced-command are specified, only * proceed if they are identical, otherwise fail. @@ -631,6 +652,7 @@ sshauthopt_copy(const struct sshauthopt *orig) OPTSCALAR(restricted); OPTSCALAR(cert_authority); OPTSCALAR(force_tun_device); + OPTSCALAR(valid_before); #undef OPTSCALAR #define OPTSTRING(x) \ do { \ @@ -751,14 +773,15 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, { int r = SSH_ERR_INTERNAL_ERROR; - /* Flag options */ + /* Flag and simple integer options */ if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_pty_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || (r = sshbuf_put_u8(m, opts->restricted)) != 0 || - (r = sshbuf_put_u8(m, opts->cert_authority)) != 0) + (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || + (r = sshbuf_put_u64(m, opts->valid_before)) != 0) return r; /* tunnel number can be negative to indicate "unset" */ @@ -815,6 +838,9 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) OPT_FLAG(cert_authority); #undef OPT_FLAG + if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0) + goto out; + /* tunnel number can be negative to indicate "unset" */ if ((r = sshbuf_get_u8(m, &f)) != 0 || (r = sshbuf_get_u32(m, &tmp)) != 0) |