X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=src%2Fngircd%2Firc-login.c;h=54818fe4879f05d2d05f438cb3e98d646818641f;hb=6a308fcb42eae1de168699ed432b49b610073ede;hp=0577cd9c0a94877532d7d594a2bb780e62c96598;hpb=69803d6ff1ac8deb95e023bda6ad2aef435dc69a;p=ngircd-alex.git diff --git a/src/ngircd/irc-login.c b/src/ngircd/irc-login.c index 0577cd9c..54818fe4 100644 --- a/src/ngircd/irc-login.c +++ b/src/ngircd/irc-login.c @@ -1,6 +1,6 @@ /* * ngIRCd -- The Next Generation IRC Daemon - * Copyright (c)2001-2010 Alexander Barton (alex@barton.de) + * Copyright (c)2001-2011 Alexander Barton (alex@barton.de) and Contributors. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,6 +27,7 @@ #include "ngircd.h" #include "conn-func.h" +#include "class.h" #include "conf.h" #include "channel.h" #include "io.h" @@ -46,7 +47,6 @@ static bool Hello_User PARAMS(( CLIENT *Client )); static bool Hello_User_PostAuth PARAMS(( CLIENT *Client )); static void Kill_Nick PARAMS(( char *Nick, char *Reason )); static void Introduce_Client PARAMS((CLIENT *To, CLIENT *Client, int Type)); -static void Reject_Client PARAMS((CLIENT *Client)); static void cb_introduceClient PARAMS((CLIENT *Client, CLIENT *Prefix, void *i)); @@ -944,10 +944,19 @@ Hello_User(CLIENT * Client) * passwords supplied are classified as "wrong". */ if(Client_Password(Client)[0] == '\0') return Hello_User_PostAuth(Client); - Reject_Client(Client); + Client_Reject(Client, "Non-empty password", false); return DISCONNECTED; } + if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) { + /* Clients are not required to send a password and to be PAM- + * authenticated at all. If not, they won't become "identified" + * and keep the "~" in their supplied user name. + * Therefore it is sensible to either set Conf_PAMisOptional or + * to enable IDENT lookups -- not both. */ + return Hello_User_PostAuth(Client); + } + /* Fork child process for PAM authentication; and make sure that the * process timeout is set higher than the login timeout! */ pid = Proc_Fork(Conn_GetProcStat(conn), pipefd, @@ -959,6 +968,7 @@ Hello_User(CLIENT * Client) } else { /* Sub process */ Log_Init_Subprocess("Auth"); + Conn_CloseAllSockets(NONE); result = PAM_Authenticate(Client); if (write(pipefd[1], &result, sizeof(result)) != sizeof(result)) Log_Subprocess(LOG_ERR, @@ -970,7 +980,7 @@ Hello_User(CLIENT * Client) /* Check global server password ... */ if (strcmp(Client_Password(Client), Conf_ServerPwd) != 0) { /* Bad password! */ - Reject_Client(Client); + Client_Reject(Client, "Bad server password", false); return DISCONNECTED; } return Hello_User_PostAuth(Client); @@ -1015,7 +1025,7 @@ cb_Read_Auth_Result(int r_fd, UNUSED short events) if (len != sizeof(result)) { Log(LOG_CRIT, "Auth: Got malformed result!"); - Reject_Client(client); + Client_Reject(client, "Internal error", false); return; } @@ -1023,31 +1033,12 @@ cb_Read_Auth_Result(int r_fd, UNUSED short events) Client_SetUser(client, Client_OrigUser(client), true); (void)Hello_User_PostAuth(client); } else - Reject_Client(client); + Client_Reject(client, "Bad password", false); } #endif -/** - * Reject a client because of wrong password. - * - * This function is called either when the global server password or a password - * checked using PAM has been wrong. - * - * @param Client The client to reject. - */ -static void -Reject_Client(CLIENT *Client) -{ - Log(LOG_ERR, - "User \"%s\" rejected (connection %d): Access denied!", - Client_Mask(Client), Client_Conn(Client)); - Conn_Close(Client_Conn(Client), NULL, - "Access denied! Bad password?", true); -} - - /** * Finish client registration. * @@ -1060,6 +1051,11 @@ Reject_Client(CLIENT *Client) static bool Hello_User_PostAuth(CLIENT *Client) { + assert(Client != NULL); + + if (Class_HandleServerBans(Client) != CONNECTED) + return DISCONNECTED; + Introduce_Client(NULL, Client, CLIENT_USER); if (!IRC_WriteStrClient