commit - b681aa5b9f985247df31772282e520479ffb2ece
commit + 56b7e67307c1be110eaa4e84681bca03df21bd69
blob - 26103a759b938ef9fdc1739522b64462de5baaae
blob + f696dc6de0a9d2335d20ded837ad4990f15367d2
--- doc/sample-ngircd.conf.tmpl
+++ doc/sample-ngircd.conf.tmpl
@@ -140,6 +140,8 @@
 	;DNS = yes
 
 	# Do IDENT lookups if ngIRCd has been compiled with support for it.
+	# Users identified using IDENT are registered without the "~" character
+	# prepended to their user name.
 	;Ident = yes
 
 	# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
@@ -160,8 +162,23 @@
 	;OperServerMode = no
 
 	# Use PAM if ngIRCd has been compiled with support for it.
+	# Users identified using PAM are registered without the "~" character
+	# prepended to their user name.
 	;PAM = yes
 
+	# When PAM is enabled, all clients are required to be authenticated
+	# using PAM; connecting to the server without successful PAM
+	# authentication isn't possible.
+	# If this option is set, clients not sending a password are still
+	# allowed to connect: they won't become "identified" and keep the "~"
+	# character prepended to their supplied user name.
+	# Please note: To make some use of this behavior, it most probably
+	# isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
+	# same time, because you wouldn't be able to distinguish between
+	# Ident'ified and PAM-authenticated users: both don't have a "~"
+	# character prepended to their respective user names!
+	;PAMIsOptional = no
+
 	# Allow Pre-Defined Channels only (see Section [Channels])
 	;PredefChannelsOnly = no
 
blob - 38ac40b7965a4af72f5e6a7362c39c727a8733d4
blob + 59d31a366f0515b732f6204c8c8c9fcd468d0968
--- man/ngircd.conf.5.tmpl
+++ man/ngircd.conf.5.tmpl
@@ -244,6 +244,8 @@ Default: yes.
 \fBIdent\fR (boolean)
 If ngIRCd is compiled with IDENT support this can be used to disable IDENT
 lookups at run time.
+Users identified using IDENT are registered without the "~" character
+prepended to their user name.
 Default: yes.
 .TP
 \fBMorePrivacy\fR (boolean)
@@ -274,8 +276,23 @@ only enable it if you have ircd-irc2 servers in your I
 If ngIRCd is compiled with PAM support this can be used to disable all calls
 to the PAM library at runtime; all users connecting without password are
 allowed to connect, all passwords given will fail.
+Users identified using PAM are registered without the "~" character
+prepended to their user name.
 Default: yes.
 .TP
+\fBPAMIsOptional\fR (boolean)
+When PAM is enabled, all clients are required to be authenticated using PAM;
+connecting to the server without successful PAM authentication isn't possible.
+If this option is set, clients not sending a password are still allowed to
+connect: they won't become "identified" and keep the "~" character prepended
+to their supplied user name.
+Please note:
+To make some use of this behavior, it most probably isn't useful to enable
+"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be
+able to distinguish between Ident'ified and PAM-authenticated users: both
+don't have a "~" character prepended to their respective user names!
+Default: no.
+.TP
 \fBPredefChannelsOnly\fR (boolean)
 If enabled, no new channels can be created. Useful if you do not want to have
 other channels than those defined in [Channel] sections in the configuration
blob - b930b6c887d3237fdb1accaded002b6e33a2c8ac
blob + b0c7fb4bf0c50a79b2da6ed158c8161894636c62
--- src/ngircd/conf.c
+++ src/ngircd/conf.c
@@ -373,6 +373,7 @@ Conf_Test( void )
 	printf("  OperServerMode = %s\n", yesno_to_str(Conf_OperServerMode));
 #ifdef PAM
 	printf("  PAM = %s\n", yesno_to_str(Conf_PAM));
+	printf("  PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional));
 #endif
 	printf("  PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly));
 #ifndef STRICT_RFC
@@ -697,6 +698,7 @@ Set_Defaults(bool InitServers)
 #else
 	Conf_PAM = false;
 #endif
+	Conf_PAMIsOptional = false;
 	Conf_PredefChannelsOnly = false;
 #ifdef SYSLOG
 	Conf_ScrubCTCP = false;
@@ -1498,6 +1500,10 @@ Handle_OPTIONS(int Line, char *Var, char *Arg)
 	if (strcasecmp(Var, "PAM") == 0) {
 		Conf_PAM = Check_ArgIsTrue(Arg);
 		WarnPAM(Line);
+		return;
+	}
+	if (strcasecmp(Var, "PAMIsOptional") == 0 ) {
+		Conf_PAMIsOptional = Check_ArgIsTrue(Arg);
 		return;
 	}
 	if (strcasecmp(Var, "PredefChannelsOnly") == 0) {
blob - 5a6fff871206cddfbdd10b4e346884220c43d1e5
blob + be19afc692f000cb3a530f3f5468bfb03cf79c19
--- src/ngircd/conf.h
+++ src/ngircd/conf.h
@@ -184,6 +184,9 @@ GLOBAL bool Conf_NoticeAuth;
 /** Enable all usage of PAM, even when compiled with support for it */
 GLOBAL bool Conf_PAM;
 
+/** Don't require all clients to send a password an to be PAM authenticated */
+GLOBAL bool Conf_PAMIsOptional;
+
 /** Disable all CTCP commands except for /me ? */
 GLOBAL bool Conf_ScrubCTCP;
 
blob - 8d821608aacdc9bcc0f093b91fdc064bc6a77cdd
blob + bbb2f0d5e430c88a904514ff77bbfa3d3ed49b92
--- src/ngircd/irc-login.c
+++ src/ngircd/irc-login.c
@@ -949,6 +949,15 @@ Hello_User(CLIENT * Client)
 		return DISCONNECTED;
 	}
 
+	if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) {
+		/* Clients are not required to send a password and to be PAM-
+		 * authenticated at all. If not, they won't become "identified"
+		 * and keep the "~" in their supplied user name.
+		 * Therefore it is sensible to either set Conf_PAMisOptional or
+		 * to enable IDENT lookups -- not both. */
+		return Hello_User_PostAuth(Client);
+	}
+
 	/* Fork child process for PAM authentication; and make sure that the
 	 * process timeout is set higher than the login timeout! */
 	pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,