in pam_ussh.go [219:256]
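// pamAuthenticate is the module's PAM "auth" entry point. It parses the module
// arguments (argv, as written in the PAM config line) and, when the user is
// subject to certificate checks, defers to authenticate.
//
// Recognised arguments, each of the form name=value:
//
//	ca_file=PATH                      CA public key file used to validate user certs
//	group=NAME                        only members of this group are challenged;
//	                                  an empty value challenges everyone
//	authorized_principals=A,B,...     inline list of accepted certificate principals
//	authorized_principals_file=PATH   file of accepted principals; replaces (does
//	                                  not merge with) any inline list seen earlier
//
// Unknown arguments are logged and ignored. A known argument that lacks a
// value, or a principals file that cannot be loaded, is treated as a
// misconfiguration and fails closed with AuthError.
//
// Users who are not members of group are not challenged at all and receive
// AuthSuccess, so the surrounding PAM stack must be written with that in mind.
// NOTE(review): isMemberOf is not visible here — if it reports false on lookup
// errors (e.g. the group does not exist), this path fails open; confirm.
func pamAuthenticate(w io.Writer, uid int, username string, argv []string) AuthResult {
	// Presumably keeps the Go runtime from spawning extra OS threads inside
	// the host process that loaded the module (sudo, sshd, ...) — TODO confirm.
	runtime.GOMAXPROCS(1)

	userCA := defaultUserCA
	group := defaultGroup
	authorizedPrincipals := make(map[string]struct{})

	for _, arg := range argv {
		// SplitN keeps any '=' inside the value (e.g. a path) intact and always
		// yields at least one element, so name is safe to read.
		opt := strings.SplitN(arg, "=", 2)
		name := opt[0]

		// Every known option needs a value. A bare name (e.g. "ca_file" with
		// no '=') previously indexed past the end of the slice and panicked
		// inside the PAM host process; treat it as a misconfiguration instead.
		switch name {
		case "ca_file", "group", "authorized_principals", "authorized_principals_file":
			if len(opt) != 2 {
				pamLog("option %s requires a value", name)
				return AuthError
			}
		}

		switch name {
		case "ca_file":
			userCA = opt[1]
			pamLog("ca_file set to %s", userCA)
		case "group":
			group = opt[1]
			pamLog("group set to %s", group)
		case "authorized_principals":
			for _, s := range strings.Split(opt[1], ",") {
				// Skip the empty entries produced by "a,,b", a trailing comma
				// or an empty value, so the empty principal is never authorized.
				if s == "" {
					continue
				}
				authorizedPrincipals[s] = struct{}{}
			}
		case "authorized_principals_file":
			ap, err := loadValidPrincipals(opt[1])
			if err != nil {
				pamLog("%v", err)
				return AuthError
			}
			// Replaces, rather than merges with, any inline list parsed so far.
			authorizedPrincipals = ap
		default:
			pamLog("unknown option: %s\n", name)
		}
	}

	// Only members of group (or everyone, when group is empty) are challenged;
	// anyone else passes through untouched.
	if len(group) == 0 || isMemberOf(group) {
		return authenticate(w, uid, username, userCA, authorizedPrincipals)
	}
	return AuthSuccess
}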