authorDamien Miller <djm@cvs.openbsd.org>2018-03-12 00:52:02 +0000
committerDamien Miller <djm@cvs.openbsd.org>2018-03-12 00:52:02 +0000
commit413710ab325cfcecae9e07f69c8cb601b070e1e4 (patch)
tree8ad4e00ede642286cf06545dda911dff48e5a765 /usr.bin/ssh/auth.c
parent90701d889ce64493e4dd860cb147944fea1845dc (diff)
add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@
Diffstat (limited to 'usr.bin/ssh/auth.c')
-rw-r--r--usr.bin/ssh/auth.c28
1 files changed, 23 insertions, 5 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index fe42524dc43..9a8d1660a31 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.126 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -870,20 +870,21 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
int do_permitopen = opts->npermitopen > 0 &&
(options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
size_t i;
- char msg[1024], tbuf[32];
+ char msg[1024], buf[64];
- snprintf(tbuf, sizeof(tbuf), "%d", opts->force_tun_device);
+ snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
/* Try to keep this alphabetically sorted */
- snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s",
+ snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s",
opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
opts->force_command == NULL ? "" : " command",
do_env ? " environment" : "",
+ opts->valid_before == 0 ? "" : "expires",
do_permitopen ? " permitopen" : "",
opts->permit_port_forwarding_flag ? " port-forwarding" : "",
opts->cert_principals == NULL ? "" : " principals",
opts->permit_pty_flag ? " pty" : "",
opts->force_tun_device == -1 ? "" : " tun=",
- opts->force_tun_device == -1 ? "" : tbuf,
+ opts->force_tun_device == -1 ? "" : buf,
opts->permit_user_rc ? " user-rc" : "",
opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
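Review bot: The new "expires" token on the `opts->valid_before` line lacks the leading space every other token in this format string carries (" agent-forwarding", " command", " permitopen"), so the log line runs it into the preceding option, e.g. "key options: environmentexpires permitopen". Change the line to `opts->valid_before == 0 ? "" : " expires",`. The enlarged `buf[64]` is also reused below for `format_absolute_time`, which is fine since the tun-device number has already been consumed by the earlier `snprintf`. auth_log_authopts starts before this hunk.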
@@ -902,6 +903,10 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
}
/* Go into a little more details for the local logs. */
+ if (opts->valid_before != 0) {
+ format_absolute_time(opts->valid_before, buf, sizeof(buf));
+ debug("%s: expires at %s", loc, buf);
+ }
if (opts->cert_principals != NULL) {
debug("%s: authorized principals: \"%s\"",
loc, opts->cert_principals);
@@ -955,7 +960,20 @@ auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw,
const char *remote_ip = ssh_remote_ipaddr(ssh);
const char *remote_host = auth_get_canonical_hostname(ssh,
options.use_dns);
+ time_t now = time(NULL);
+ char buf[64];
+ /*
+ * Check keys/principals file expiry time.
+ * NB. validity interval in certificate is handled elsewhere.
+ */
+ if (opts->valid_before && now > 0 &&
+ opts->valid_before < (uint64_t)now) {
+ format_absolute_time(opts->valid_before, buf, sizeof(buf));
+ debug("%s: entry expired at %s", loc, buf);
+ auth_debug_add("%s: entry expired at %s", loc, buf);
+ return -1;
+ }
/* Consistency checks */
if (opts->cert_principals != NULL && !opts->cert_authority) {
debug("%s: principals on non-CA key", loc);
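Review bot: The `now > 0 &&` guard makes the expiry check fail open: if `time(NULL)` returns -1 (or 0), an entry with a `valid_before` set is accepted without any check or log message, which is the opposite of what an expiry option should do when the clock is unavailable. Rejecting in that case keeps the option's guarantee, e.g. `if (opts->valid_before != 0 && (now <= 0 || opts->valid_before < (uint64_t)now)) {`, with the `now <= 0` case logged separately so the operator can tell a clock failure from a genuine expiry. The cast to `uint64_t` assumes `valid_before` is stored as an unsigned 64-bit value — its declaration is not in this hunk, so confirm in sshauthopt. auth_authorise_keyopts starts before this hunk and continues past it.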