/*
* ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2010 Alexander Barton (alex@barton.de)
+ * Copyright (c)2001-2011 Alexander Barton (alex@barton.de) and Contributors.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
#include "ngircd.h"
#include "conn-func.h"
+#include "class.h"
#include "conf.h"
#include "channel.h"
#include "io.h"
static bool Hello_User_PostAuth PARAMS(( CLIENT *Client ));
static void Kill_Nick PARAMS(( char *Nick, char *Reason ));
static void Introduce_Client PARAMS((CLIENT *To, CLIENT *Client, int Type));
-static void Reject_Client PARAMS((CLIENT *Client));
static void cb_introduceClient PARAMS((CLIENT *Client, CLIENT *Prefix,
void *i));
* passwords supplied are classified as "wrong". */
if(Client_Password(Client)[0] == '\0')
return Hello_User_PostAuth(Client);
- Reject_Client(Client);
+ Client_Reject(Client, "Non-empty password", false);
return DISCONNECTED;
}
+ if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) {
+ /* Clients are not required to send a password and to be PAM-
+ * authenticated at all. If not, they won't become "identified"
+ * and keep the "~" in their supplied user name.
+ * Therefore it is sensible to either set Conf_PAMisOptional or
+ * to enable IDENT lookups -- not both. */
+ return Hello_User_PostAuth(Client);
+ }
+
/* Fork child process for PAM authentication; and make sure that the
* process timeout is set higher than the login timeout! */
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
} else {
/* Sub process */
Log_Init_Subprocess("Auth");
+ Conn_CloseAllSockets(NONE);
result = PAM_Authenticate(Client);
if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
Log_Subprocess(LOG_ERR,
/* Check global server password ... */
if (strcmp(Client_Password(Client), Conf_ServerPwd) != 0) {
/* Bad password! */
- Reject_Client(Client);
+ Client_Reject(Client, "Bad server password", false);
return DISCONNECTED;
}
return Hello_User_PostAuth(Client);
/* Read result from pipe */
len = Proc_Read(proc, &result, sizeof(result));
+ Proc_Close(proc);
if (len == 0)
return;
if (len != sizeof(result)) {
Log(LOG_CRIT, "Auth: Got malformed result!");
- Reject_Client(client);
+ Client_Reject(client, "Internal error", false);
return;
}
Client_SetUser(client, Client_OrigUser(client), true);
(void)Hello_User_PostAuth(client);
} else
- Reject_Client(client);
+ Client_Reject(client, "Bad password", false);
}
#endif
-/**
- * Reject a client because of wrong password.
- *
- * This function is called either when the global server password or a password
- * checked using PAM has been wrong.
- *
- * @param Client The client to reject.
- */
-static void
-Reject_Client(CLIENT *Client)
-{
- Log(LOG_ERR,
- "User \"%s\" rejected (connection %d): Access denied!",
- Client_Mask(Client), Client_Conn(Client));
- Conn_Close(Client_Conn(Client), NULL,
- "Access denied! Bad password?", true);
-}
-
-
/**
* Finish client registration.
*
static bool
Hello_User_PostAuth(CLIENT *Client)
{
+ assert(Client != NULL);
+
+ if (Class_HandleServerBans(Client) != CONNECTED)
+ return DISCONNECTED;
+
Introduce_Client(NULL, Client, CLIENT_USER);
if (!IRC_WriteStrClient