From b0b6fc188cd539d484dc04decee0ae9c39f7e16c Mon Sep 17 00:00:00 2001
From: Armaan Tobaccowalla
Date: Tue, 17 Aug 2021 11:08:01 -0400
Subject: [PATCH] Conditionally skip username check

Skip checking if the username exists within the SSH certificiate principals if a manual set of valid principals is defined
---
 pam_ussh.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pam_ussh.go b/pam_ussh.go
index 11ce4d0..4294fc5 100644
--- a/pam_ussh.go
+++ b/pam_ussh.go
@@ -155,7 +155,16 @@ func authenticate(w io.Writer, uid int, username, ca string, principals map[stri
 continue
 }
- if err := c.CheckCert(username, cert); err != nil {
+ // If a manual set of principals is provided, don't require
+ // the username to be in the certificate's principals
+ // Principals are verified at the end of this function
+ testedPrincipal := username
+ if len(principals) > 0 && len(cert.ValidPrincipals) > 0 {
+ testedPrincipal = cert.ValidPrincipals[0]
+ }
+
+ if err := c.CheckCert(testedPrincipal, cert); err != nil {
+ pamLog("Error validating cert: %v\n", err)
 continue
 }
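Review bot: When `principals` is non-empty, passing `cert.ValidPrincipals[0]` into `c.CheckCert` makes its principal check a tautology, so this call now only enforces signature, validity window, revocation and critical options (assuming `c` is an x/crypto `ssh.CertChecker`), and whether the certificate is actually authorized for this login rests entirely on the later principal check the added comment refers to, which is outside this hunk and not visible here. That later check must be unconditional and compare every entry of `cert.ValidPrincipals` against `principals`, because this line looks only at index 0 and a certificate's first principal may be exactly the one that is not configured. A smaller trust surface is to pick the tested principal from the intersection of `cert.ValidPrincipals` and `principals` here and skip the certificate when there is none, so `CheckCert` still verifies a principal the operator configured; the `len(cert.ValidPrincipals) > 0` condition is kept below so a certificate with no principals is treated as before. The new `pamLog` is useful, and including the tested principal, `pamLog("Error validating cert for principal %q: %v\n", testedPrincipal, err)`, makes the rejected-login audit trail unambiguous. The enclosing `authenticate` loop starts and ends outside the hunk.
```go
		// … unchanged: `continue` on keys that are not certificates …
		testedPrincipal := username
		if len(principals) > 0 && len(cert.ValidPrincipals) > 0 {
			// Test a principal the operator configured, not whichever one the
			// certificate happens to list first; a cert sharing none is rejected.
			testedPrincipal = ""
			for _, p := range cert.ValidPrincipals {
				if _, ok := principals[p]; ok {
					testedPrincipal = p
					break
				}
			}
			if testedPrincipal == "" {
				pamLog("No configured principal among cert principals %q\n", cert.ValidPrincipals)
				continue
			}
		}

		if err := c.CheckCert(testedPrincipal, cert); err != nil {
			pamLog("Error validating cert for principal %q: %v\n", testedPrincipal, err)
			continue
		}
```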