commit 56b7e67307c1be110eaa4e84681bca03df21bd69 from: Alexander Barton date: Sun Jan 01 16:12:36 2012 UTC New configuration option "PAMIsOptional" When "PAMIsOptional" is set, clients not sending a password are still allowed to connect: they won't become "identified" and keep the "~" character prepended to their supplied user name. commit - b681aa5b9f985247df31772282e520479ffb2ece commit + 56b7e67307c1be110eaa4e84681bca03df21bd69 blob - 26103a759b938ef9fdc1739522b64462de5baaae blob + f696dc6de0a9d2335d20ded837ad4990f15367d2 --- doc/sample-ngircd.conf.tmpl +++ doc/sample-ngircd.conf.tmpl @@ -140,6 +140,8 @@ ;DNS = yes # Do IDENT lookups if ngIRCd has been compiled with support for it. + # Users identified using IDENT are registered without the "~" character + # prepended to their user name. ;Ident = yes # Enhance user privacy slightly (useful for IRC server on TOR or I2P) 
@@ -160,8 +162,23 @@ ;OperServerMode = no # Use PAM if ngIRCd has been compiled with support for it. + # Users identified using PAM are registered without the "~" character + # prepended to their user name. ;PAM = yes + # When PAM is enabled, all clients are required to be authenticated + # using PAM; connecting to the server without successful PAM + # authentication isn't possible. + # If this option is set, clients not sending a password are still + # allowed to connect: they won't become "identified" and keep the "~" + # character prepended to their supplied user name. + # Please note: To make some use of this behavior, it most probably + # isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the + # same time, because you wouldn't be able to distinguish between + # Ident'ified and PAM-authenticated users: both don't have a "~" + # character prepended to their respective user names! + ;PAMIsOptional = no + # Allow Pre-Defined Channels only (see Section [Channels]) ;PredefChannelsOnly = no blob - 38ac40b7965a4af72f5e6a7362c39c727a8733d4 blob + 59d31a366f0515b732f6204c8c8c9fcd468d0968 --- man/ngircd.conf.5.tmpl +++ man/ngircd.conf.5.tmpl @@ -244,6 +244,8 @@ Default: yes. \fBIdent\fR (boolean) If ngIRCd is compiled with IDENT support this can be used to disable IDENT lookups at run time. +Users identified using IDENT are registered without the "~" character +prepended to their user name. Default: yes. .TP \fBMorePrivacy\fR (boolean) 
@@ -274,8 +276,23 @@ only enable it if you have ircd-irc2 servers in your I If ngIRCd is compiled with PAM support this can be used to disable all calls to the PAM library at runtime; all users connecting without password are allowed to connect, all passwords given will fail. +Users identified using PAM are registered without the "~" character +prepended to their user name. Default: yes. .TP +\fBPAMIsOptional\fR (boolean) +When PAM is enabled, all clients are required to be authenticated using PAM; +connecting to the server without successful PAM authentication isn't possible. +If this option is set, clients not sending a password are still allowed to +connect: they won't become "identified" and keep the "~" character prepended +to their supplied user name. +Please note: +To make some use of this behavior, it most probably isn't useful to enable +"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be +able to distinguish between Ident'ified and PAM-authenticated users: both +don't have a "~" character prepended to their respective user names! +Default: no. +.TP \fBPredefChannelsOnly\fR (boolean) If enabled, no new channels can be created. Useful if you do not want to have other channels than those defined in [Channel] sections in the configuration blob - b930b6c887d3237fdb1accaded002b6e33a2c8ac blob + b0c7fb4bf0c50a79b2da6ed158c8161894636c62 --- src/ngircd/conf.c +++ src/ngircd/conf.c @@ -373,6 +373,7 @@ Conf_Test( void ) printf(" OperServerMode = %s\n", yesno_to_str(Conf_OperServerMode)); #ifdef PAM printf(" PAM = %s\n", yesno_to_str(Conf_PAM)); + printf(" PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional)); #endif printf(" PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly)); #ifndef STRICT_RFC @@ -697,6 +698,7 @@ Set_Defaults(bool InitServers) #else Conf_PAM = false; #endif + Conf_PAMIsOptional = false; Conf_PredefChannelsOnly = false; #ifdef SYSLOG Conf_ScrubCTCP = false; 
@@ -1498,6 +1500,10 @@ Handle_OPTIONS(int Line, char *Var, char *Arg) if (strcasecmp(Var, "PAM") == 0) { Conf_PAM = Check_ArgIsTrue(Arg); WarnPAM(Line); + return; + } + if (strcasecmp(Var, "PAMIsOptional") == 0 ) { + Conf_PAMIsOptional = Check_ArgIsTrue(Arg); return; } if (strcasecmp(Var, "PredefChannelsOnly") == 0) { blob - 5a6fff871206cddfbdd10b4e346884220c43d1e5 blob + be19afc692f000cb3a530f3f5468bfb03cf79c19 --- src/ngircd/conf.h +++ src/ngircd/conf.h @@ -184,6 +184,9 @@ GLOBAL bool Conf_NoticeAuth; /** Enable all usage of PAM, even when compiled with support for it */ GLOBAL bool Conf_PAM; +/** Don't require all clients to send a password an to be PAM authenticated */ +GLOBAL bool Conf_PAMIsOptional; + /** Disable all CTCP commands except for /me ? */ GLOBAL bool Conf_ScrubCTCP; blob - 8d821608aacdc9bcc0f093b91fdc064bc6a77cdd blob + bbb2f0d5e430c88a904514ff77bbfa3d3ed49b92 --- src/ngircd/irc-login.c +++ src/ngircd/irc-login.c @@ -949,6 +949,15 @@ Hello_User(CLIENT * Client) return DISCONNECTED; } + if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) { + /* Clients are not required to send a password and to be PAM- + * authenticated at all. If not, they won't become "identified" + * and keep the "~" in their supplied user name. + * Therefore it is sensible to either set Conf_PAMisOptional or + * to enable IDENT lookups -- not both. */ + return Hello_User_PostAuth(Client); + } + /* Fork child process for PAM authentication; and make sure that the * process timeout is set higher than the login timeout! */ pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
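Review bot: The new `PAMIsOptional` branch in Handle_OPTIONS stores the value without any sanity check, so the combination the documentation in this same commit warns against is accepted silently: with `Ident`, `PAM` and `PAMIsOptional` all enabled, an Ident'ified but unauthenticated user loses the "~" just like a PAM-authenticated one. Because options can appear in any order, the check cannot live in this branch; it belongs after the whole file has been parsed, something like `if (Conf_PAM && Conf_PAMIsOptional && Conf_Ident) Config_Error(LOG_WARNING, "PAMIsOptional and Ident are both enabled: PAM-authenticated users cannot be told apart from Ident'ified ones!");` (assuming the Ident switch is held in `Conf_Ident`). As a style point, `== 0 ) {` has a stray space before the parenthesis that the neighbouring branches do not have. Handle_OPTIONS starts and ends outside the hunk.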
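Review bot: The doc comment added above `Conf_PAMIsOptional` has a typo ("an to be") and does not state what happens to clients that skip authentication, which is the part a maintainer reading conf.h most needs. Going by the man page text in this commit, I would write `/** Allow clients that send no password to connect without PAM authentication; they stay unidentified and keep the "~" user name prefix (only meaningful when PAM is enabled) */`.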
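Review bot: Clients that take the new `Conf_PAMIsOptional` early return in Hello_User are admitted without any log record, so an operator reviewing logs has only the "~" in the user name to tell an unauthenticated login from a PAM-authenticated one. I would log before the return, e.g. `Log(LOG_DEBUG, "Connection %d: no password given, skipping PAM authentication.", conn);` (assuming the usual `Log()` helper is in scope here). The comment also spells the variable `Conf_PAMisOptional`, while the code uses `Conf_PAMIsOptional`; matching them keeps the comment greppable. Hello_User starts and ends outside the hunk, so whether this branch is reached only after the `Conf_PAM` check cannot be confirmed from here.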