[sshd] Add support to disable valid_after check

In debugging scenarios where the platform has not had a chance to
acquire time, developers may still need to SSH by presenting a
certificate that only is valid for some given time range. In these
cases, the platform time cannot be used to make a determination whether
the presented certificate is valid.

However, platform builds may default to a build date, which could make
the valid_before check reasonable. This change adds an option that build
configurations can add to their sshd_config to disable the valid_after
check.

This option is meant for debugging purposes only and should not be used
in production environments.

Test: Key exchange continues to fail in the default configuration unless
the platform time is within the valid range. In configurations where
sshd_config adds this option, the platform accepts certificates so long
as the not_before time has not passed.

Change-Id: Ia6264498427d9cbca4ba59eade13401ecb5350b6
3 files changed
tree: cc404533c636dd33c98fcaf10cffbe769b8db20a