From 3092ca0ca530ec78309a5f90d06f24bfcc3b4c6f Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Fri, 28 Feb 2020 00:31:34 +0300 Subject: [PATCH] Lift restrictions on authentication credentials in shadow/pam modules With new authorization/authentication identities split, it is possible to have non-email authentication identity while using email authorization identity. --- docs/man/maddy-auth.5.scd | 14 ++------------ internal/auth/pam/module.go | 24 +++++------------------- internal/auth/shadow/module.go | 10 ++-------- 3 files changed, 9 insertions(+), 39 deletions(-) diff --git a/docs/man/maddy-auth.5.scd b/docs/man/maddy-auth.5.scd index 3f214d68..df52ac59 100644 --- a/docs/man/maddy-auth.5.scd +++ b/docs/man/maddy-auth.5.scd @@ -16,7 +16,8 @@ Most likely, you are going to use these modules with 'auth' directive of IMAP sql module described in *maddy-storage*(5) can also be used as a authentication backend. -The authorization identtity is the same as authorization identity. +The authorization identity is required to be a valid RFC 5321 e-mail address. +It is returned as the authorization identity. # External authentication module (extauth) @@ -78,13 +79,6 @@ maddy should be built with libpam build tag to use this module without go get -tags 'libpam' ... ``` -By default, when checking with the PAM database, the username provided by -client is expected to be a RFC 5321 e-mail address and the domain part and -at-sign is removed. To disable that behavior and pass username as-is to -libpam, set 'expect_address' to 'no'. Note that currently implemented storage -backends require full e-mail address as an account name, so this is still not -possible to use accounts with non-address names. - The authorization identtity is the same as authorization identity. ``` 
@@ -126,10 +120,6 @@ chmod u+xs,g+x,o-x /usr/lib/maddy/maddy-pam-helper Implements authentication by reading /etc/shadow. Alternatively it can be configured to use helper binary like extauth does.
-When checking with the PAM database, the username provided by client is
-expected to be a RFC 5321 e-mail address and the domain part and at-sign is
-removed.
-
 The authorization identtity is the same as authorization identity.
 ```
diff --git a/internal/auth/pam/module.go b/internal/auth/pam/module.go
index 84d8e1e8..ca423408 100644
--- a/internal/auth/pam/module.go
+++ b/internal/auth/pam/module.go
@@ -6,7 +6,6 @@ import (
 "os"
 "path/filepath"
- "github.com/foxcpp/maddy/internal/address"
 "github.com/foxcpp/maddy/internal/auth/external"
 "github.com/foxcpp/maddy/internal/config"
 "github.com/foxcpp/maddy/internal/log"
@@ -14,10 +13,9 @@ import (
 )
 type Auth struct {
- instName string
- useHelper bool
- helperPath string
- expectAddress bool
+ instName string
+ useHelper bool
+ helperPath string
 Log log.Logger
 }
@@ -43,7 +41,6 @@ func (a *Auth) InstanceName() string {
 func (a *Auth) Init(cfg *config.Map) error {
 cfg.Bool("debug", true, false, &a.Log.Debug)
 cfg.Bool("use_helper", false, false, &a.useHelper)
- cfg.Bool("expect_address", false, false, &a.expectAddress)
 if _, err := cfg.Process(); err != nil {
 return err
 }
@@ -62,23 +59,12 @@ func (a *Auth) Init(cfg *config.Map) error {
 }
 func (a *Auth) AuthPlain(username, password string) ([]string, error) {
- var accountName string
- if a.expectAddress {
- var err error
- accountName, _, err = address.Split(username)
- if err != nil {
- return nil, err
- }
- } else {
- accountName = username
- }
-
 if a.useHelper {
- if err := external.AuthUsingHelper(a.helperPath, accountName, password); err != nil {
+ if err := external.AuthUsingHelper(a.helperPath, username, password); err != nil {
 return nil, err
 }
 }
- err := runPAMAuth(accountName, password)
+ err := runPAMAuth(username, password)
 if err != nil {
 return nil, err
 }
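Review bot: After a successful helper check in AuthPlain, control still falls through to `runPAMAuth(username, password)`, so with use_helper enabled both the helper and the in-process PAM call must accept the credentials; the shadow module's AuthPlain in this same patch returns as soon as the helper answers, so the asymmetry looks unintended, although runPAMAuth's behaviour in a helper-only build is not visible here. If the helper verdict is meant to be authoritative, the helper branch should end with `return []string{username}, nil` (assuming the function's success path, which lies outside the hunk, returns the username as the sole identity). Separately, with the expect_address split removed, username now reaches the helper and libpam with no syntactic check at all; unless the SASL layer above already rejects such input, a guard at the top of AuthPlain along the lines of `if username == "" || strings.ContainsAny(username, "\x00\r\n") { return nil, errors.New("pam: malformed username") }` (with the matching imports) would keep an empty or control-character identity from being handed to a line-oriented helper protocol — confirm the protocol shape against external.AuthUsingHelper. AuthPlain's closing return is outside the hunk.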
diff --git a/internal/auth/shadow/module.go b/internal/auth/shadow/module.go
index 78dce319..5812b70e 100644
--- a/internal/auth/shadow/module.go
+++ b/internal/auth/shadow/module.go
@@ -8,7 +8,6 @@ import (
 "os"
 "path/filepath"
- "github.com/foxcpp/maddy/internal/address"
 "github.com/foxcpp/maddy/internal/auth/external"
 "github.com/foxcpp/maddy/internal/config"
 "github.com/foxcpp/maddy/internal/log"
@@ -68,16 +67,11 @@ func (a *Auth) Init(cfg *config.Map) error {
 }
 func (a *Auth) AuthPlain(username, password string) ([]string, error) {
- accountName, _, err := address.Split(username)
- if err != nil {
- return nil, err
- }
-
 if a.useHelper {
- return []string{username}, external.AuthUsingHelper(a.helperPath, accountName, password)
+ return []string{username}, external.AuthUsingHelper(a.helperPath, username, password)
 }
- ent, err := Lookup(accountName)
+ ent, err := Lookup(username)
 if err != nil {
 return nil, err
 }
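Review bot: The helper branch of AuthPlain returns `[]string{username}` together with whatever error AuthUsingHelper produced, so on a failed authentication the caller receives a populated identity list next to a non-nil error; the new line keeps that shape, while the pam module's AuthPlain in this same patch checks the helper error explicitly. Prefer `if err := external.AuthUsingHelper(a.helperPath, username, password); err != nil { return nil, err }` followed by `return []string{username}, nil`, so an identity is only ever returned on success. Also, address.Split was the only syntactic check on username in this function and it is now gone: an empty or control-character username flows unvalidated into the helper and into `Lookup(username)`, so unless the SASL layer above already rejects such input, a minimal guard (empty, NUL, CR/LF) at the top of AuthPlain is worth adding before the helper call. The function's success path after Lookup is outside the hunk.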