From 56b7e67307c1be110eaa4e84681bca03df21bd69 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sun, 1 Jan 2012 17:12:36 +0100 Subject: [PATCH] New configuration option "PAMIsOptional" When "PAMIsOptional" is set, clients not sending a password are still allowed to connect: they won't become "identified" and keep the "~" character prepended to their supplied user name. --- doc/sample-ngircd.conf.tmpl | 17 +++++++++++++++++ man/ngircd.conf.5.tmpl | 17 +++++++++++++++++ src/ngircd/conf.c | 6 ++++++ src/ngircd/conf.h | 3 +++ src/ngircd/irc-login.c | 9 +++++++++ 5 files changed, 52 insertions(+) diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 26103a75..f696dc6d 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -140,6 +140,8 @@ ;DNS = yes # Do IDENT lookups if ngIRCd has been compiled with support for it. + # Users identified using IDENT are registered without the "~" character + # prepended to their user name. ;Ident = yes # Enhance user privacy slightly (useful for IRC server on TOR or I2P) 
@@ -160,8 +162,23 @@ ;OperServerMode = no # Use PAM if ngIRCd has been compiled with support for it. + # Users identified using PAM are registered without the "~" character + # prepended to their user name. ;PAM = yes + # When PAM is enabled, all clients are required to be authenticated + # using PAM; connecting to the server without successful PAM + # authentication isn't possible. + # If this option is set, clients not sending a password are still + # allowed to connect: they won't become "identified" and keep the "~" + # character prepended to their supplied user name. + # Please note: To make some use of this behavior, it most probably + # isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the + # same time, because you wouldn't be able to distinguish between + # Ident'ified and PAM-authenticated users: both don't have a "~" + # character prepended to their respective user names! + ;PAMIsOptional = no + # Allow Pre-Defined Channels only (see Section [Channels]) ;PredefChannelsOnly = no diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index 38ac40b7..59d31a36 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -244,6 +244,8 @@ Default: yes. \fBIdent\fR (boolean) If ngIRCd is compiled with IDENT support this can be used to disable IDENT lookups at run time. +Users identified using IDENT are registered without the "~" character +prepended to their user name. Default: yes. .TP \fBMorePrivacy\fR (boolean) 
@@ -274,8 +276,23 @@ only enable it if you have ircd-irc2 servers in your IRC network. If ngIRCd is compiled with PAM support this can be used to disable all calls to the PAM library at runtime; all users connecting without password are allowed to connect, all passwords given will fail. +Users identified using PAM are registered without the "~" character +prepended to their user name. Default: yes. .TP +\fBPAMIsOptional\fR (boolean) +When PAM is enabled, all clients are required to be authenticated using PAM; +connecting to the server without successful PAM authentication isn't possible. +If this option is set, clients not sending a password are still allowed to +connect: they won't become "identified" and keep the "~" character prepended +to their supplied user name. +Please note: +To make some use of this behavior, it most probably isn't useful to enable +"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be +able to distinguish between Ident'ified and PAM-authenticated users: both +don't have a "~" character prepended to their respective user names! +Default: no. +.TP \fBPredefChannelsOnly\fR (boolean) If enabled, no new channels can be created. Useful if you do not want to have other channels than those defined in [Channel] sections in the configuration diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index b930b6c8..b0c7fb4b 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -373,6 +373,7 @@ Conf_Test( void ) printf(" OperServerMode = %s\n", yesno_to_str(Conf_OperServerMode)); #ifdef PAM printf(" PAM = %s\n", yesno_to_str(Conf_PAM)); + printf(" PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional)); #endif printf(" PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly)); #ifndef STRICT_RFC @@ -697,6 +698,7 @@ Set_Defaults(bool InitServers) #else Conf_PAM = false; #endif + Conf_PAMIsOptional = false; Conf_PredefChannelsOnly = false; #ifdef SYSLOG Conf_ScrubCTCP = false; 
@@ -1500,6 +1502,10 @@ Handle_OPTIONS(int Line, char *Var, char *Arg) WarnPAM(Line); return; } + if (strcasecmp(Var, "PAMIsOptional") == 0 ) { + Conf_PAMIsOptional = Check_ArgIsTrue(Arg); + return; + } if (strcasecmp(Var, "PredefChannelsOnly") == 0) { Conf_PredefChannelsOnly = Check_ArgIsTrue(Arg); return; diff --git a/src/ngircd/conf.h b/src/ngircd/conf.h index 5a6fff87..be19afc6 100644 --- a/src/ngircd/conf.h +++ b/src/ngircd/conf.h @@ -184,6 +184,9 @@ GLOBAL bool Conf_NoticeAuth; /** Enable all usage of PAM, even when compiled with support for it */ GLOBAL bool Conf_PAM; +/** Don't require all clients to send a password an to be PAM authenticated */ +GLOBAL bool Conf_PAMIsOptional; + /** Disable all CTCP commands except for /me ? */ GLOBAL bool Conf_ScrubCTCP; diff --git a/src/ngircd/irc-login.c b/src/ngircd/irc-login.c index 8d821608..bbb2f0d5 100644 --- a/src/ngircd/irc-login.c +++ b/src/ngircd/irc-login.c @@ -949,6 +949,15 @@ Hello_User(CLIENT * Client) return DISCONNECTED; } + if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) { + /* Clients are not required to send a password and to be PAM- + * authenticated at all. If not, they won't become "identified" + * and keep the "~" in their supplied user name. + * Therefore it is sensible to either set Conf_PAMisOptional or + * to enable IDENT lookups -- not both. */ + return Hello_User_PostAuth(Client); + } + /* Fork child process for PAM authentication; and make sure that the * process timeout is set higher than the login timeout! */ pid = Proc_Fork(Conn_GetProcStat(conn), pipefd, -- 2.39.2
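Review bot: The new `PAMIsOptional` branch in Handle_OPTIONS stores the value with no sanity check, although the documentation added in this same commit says that enabling "Ident", "PAM" and "PAMIsOptional" together makes Ident-identified and PAM-authenticated users indistinguishable. A configuration warning for that combination, and for `PAMIsOptional = yes` while PAM is disabled or not compiled in, would let an operator notice the weaker setup; the `WarnPAM(Line);` call visible in the context above presumably plays that role for the neighbouring option, but only its tail is in the hunk. The Conf_Test hunk prints the value only inside `#ifdef PAM` while this branch and the Set_Defaults hunk handle it unconditionally, so a build without PAM accepts the setting silently. As a style point, the condition has a stray space before the closing parenthesis and should read `if (strcasecmp(Var, "PAMIsOptional") == 0) {` to match the `PredefChannelsOnly` test that follows. Handle_OPTIONS starts and ends outside the hunk.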
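Review bot: The doc comment added for `Conf_PAMIsOptional` in conf.h has a typo ("an to be") and does not say that the flag relaxes an authentication requirement. I would write it as `/** Don't require all clients to send a password and to be PAM authenticated */` and add a second comment line stating that clients without a password are then admitted unauthenticated and keep the "~" prefix, as the commit message describes. The declaration is unconditional while the Conf_Test output is guarded by `#ifdef PAM`; if that is intended, a short remark here would save the next reader the search.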
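Review bot: The new early return in Hello_User admits a password-less client through `Hello_User_PostAuth(Client)` without leaving any record in the visible lines, so the server log cannot show which sessions skipped PAM unless Hello_User_PostAuth logs this itself, which the hunk does not show. A log line just before the `return` stating that the client registered without PAM authentication would give operators an audit trail. The comment should also say that with this option PAM no longer gates admission, since a client can simply omit the password, e.g. `/* PAM then only decides whether the "~" prefix is dropped, not whether the client may connect. */`. The identifier in the existing comment is misspelled as `Conf_PAMisOptional` and should be `Conf_PAMIsOptional`. Hello_User begins before the hunk and continues after it.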