[sshd] Add support to disable valid_after check

In debugging scenarios where the platform has not had a chance to
acquire time, developers may still need to SSH by presenting a
certificate that only is valid for some given time range. In these
cases, the platform time cannot be used to make a determination whether
the presented certificate is valid.

However, platform builds may default to a build date, which could make
the valid_before check reasonable. This change adds an option that build
configurations can add to their sshd_config that disables the valid_after
check.

This option is meant for debugging purposes only and should not be used
in production environments.

Test: Key exchange continues to fail in the default configuration unless
the platform time is within the valid range. In configurations where
sshd_config adds this option, the platform accepts certificates so long
as the not_before time has not passed.

Change-Id: Ia6264498427d9cbca4ba59eade13401ecb5350b6
3 files changed
tree: cc404533c636dd33c98fcaf10cffbe769b8db20a