auth

package
v0.28.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 17, 2026 License: GPL-3.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source 
const PublicKeyHex = "7cb0bcc1d8e91e51f631c9ad6025e8e6e0222a27c3eeaf8608cf1c8430a6c6b0"

PublicKeyHex is the Ed25519 public key used for verifying binary signatures. This is hardcoded into the binary and used by the upgrade/update commands.

Variables

View Source 
var (
	ErrUnsupportedMech = errors.New("Unsupported SASL mechanism")
	ErrInvalidAuthCred = errors.New("auth: invalid credentials")
)

Functions

func CheckDomainAuth 

func CheckDomainAuth(username string, perDomain bool, allowedDomains []string) (loginName string, allowed bool)

func GetPublicKey 

func GetPublicKey() []byte

GetPublicKey returns the decoded Ed25519 public key.

func NormalizeUsername 

func NormalizeUsername(username string) string

func ValidateLoginDomain added in v0.28.4 

func ValidateLoginDomain(username, expectedDomain string) error

ValidateLoginDomain checks that a username is in the format localpart@domain where domain exactly matches the expected domain (case-insensitive). This prevents JIT account creation for arbitrary usernames like:

  • x@y@z (multiple @ signs)
  • user@%5b1.2.3.4%5d (URL-encoded brackets)
  • user@wrongdomain
  • user@abcd (random domain)

The expectedDomain should already be in the canonical form, e.g. "[1.1.1.1]". The username is normalized before comparison (bare IPs get brackets added).

func WrapIP 

func WrapIP(domain string) string

Types

type ContextData 

type ContextData struct {
	// Authentication username. May be different from identity.
	Username string

	// Password used for password-based mechanisms.
	Password string
}

type FailingSASLServ 

type FailingSASLServ struct{ Err error }

func (FailingSASLServ) Next 

func (s FailingSASLServ) Next([]byte) ([]byte, bool, error)

type SASLAuth 

type SASLAuth struct {
	Log         log.Logger
	OnlyFirstID bool
	EnableLogin bool

	AuthMap       module.Table
	AuthNormalize authz.NormalizeFunc

	Plain []module.PlainAuth
}

SASLAuth is a wrapper that initializes sasl.Server using authenticators that call maddy module objects.

It also handles username translation using auth_map and auth_map_normalize (AuthMap and AuthMapNormalize should be set).

It supports reporting of multiple authorization identities so multiple accounts can be associated with a single set of credentials.

func (*SASLAuth) AddProvider 

func (s *SASLAuth) AddProvider(m *config.Map, node config.Node) error

AddProvider adds the SASL authentication provider to its mapping by parsing the 'auth' configuration directive.

func (*SASLAuth) AuthPlain 

func (s *SASLAuth) AuthPlain(username, password string) error

func (*SASLAuth) CreateSASL 

func (s *SASLAuth) CreateSASL(mech string, remoteAddr net.Addr, successCb func(identity string, data ContextData) error) sasl.Server

CreateSASL creates the sasl.Server instance for the corresponding mechanism.

func (*SASLAuth) IsRegistrationOpen 

func (s *SASLAuth) IsRegistrationOpen() bool

func (*SASLAuth) IsTurnEnabled 

func (s *SASLAuth) IsTurnEnabled() bool

func (*SASLAuth) SASLMechanisms 

func (s *SASLAuth) SASLMechanisms() []string

Source Files

View all Source files

Directories

Path Synopsis
shadow package implements utilities for parsing and using shadow password database on Unix systems.
 shadow package implements utilities for parsing and using shadow password database on Unix systems.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.