New configuration option "PAMIsOptional"

When "PAMIsOptional" is set, clients not sending a password are still
allowed to connect: they won't become "identified" and keep the "~"
character prepended to their supplied user name.
This commit is contained in:
Alexander Barton 2012-01-01 17:12:36 +01:00
parent b681aa5b9f
commit 56b7e67307
5 changed files with 52 additions and 0 deletions

View File

@ -140,6 +140,8 @@
;DNS = yes
# Do IDENT lookups if ngIRCd has been compiled with support for it.
# Users identified using IDENT are registered without the "~" character
# prepended to their user name.
;Ident = yes
# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
@ -160,8 +162,23 @@
;OperServerMode = no
# Use PAM if ngIRCd has been compiled with support for it.
# Users identified using PAM are registered without the "~" character
# prepended to their user name.
;PAM = yes
# When PAM is enabled, all clients are required to be authenticated
# using PAM; connecting to the server without successful PAM
# authentication isn't possible.
# If this option is set, clients not sending a password are still
# allowed to connect: they won't become "identified" and keep the "~"
# character prepended to their supplied user name.
# Please note: To make some use of this behavior, it most probably
# isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
# same time, because you wouldn't be able to distinguish between
# Ident'ified and PAM-authenticated users: both don't have a "~"
# character prepended to their respective user names!
;PAMIsOptional = no
# Allow Pre-Defined Channels only (see Section [Channels])
;PredefChannelsOnly = no

View File

@ -244,6 +244,8 @@ Default: yes.
\fBIdent\fR (boolean)
If ngIRCd is compiled with IDENT support this can be used to disable IDENT
lookups at run time.
Users identified using IDENT are registered without the "~" character
prepended to their user name.
Default: yes.
.TP
\fBMorePrivacy\fR (boolean)
@ -274,8 +276,23 @@ only enable it if you have ircd-irc2 servers in your IRC network.
If ngIRCd is compiled with PAM support this can be used to disable all calls
to the PAM library at runtime; all users connecting without password are
allowed to connect, all passwords given will fail.
Users identified using PAM are registered without the "~" character
prepended to their user name.
Default: yes.
.TP
\fBPAMIsOptional\fR (boolean)
When PAM is enabled, all clients are required to be authenticated using PAM;
connecting to the server without successful PAM authentication isn't possible.
If this option is set, clients not sending a password are still allowed to
connect: they won't become "identified" and keep the "~" character prepended
to their supplied user name.
Please note:
To make some use of this behavior, it most probably isn't useful to enable
"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be
able to distinguish between Ident'ified and PAM-authenticated users: both
don't have a "~" character prepended to their respective user names!
Default: no.
.TP
\fBPredefChannelsOnly\fR (boolean)
If enabled, no new channels can be created. Useful if you do not want to have
other channels than those defined in [Channel] sections in the configuration

View File

@ -373,6 +373,7 @@ Conf_Test( void )
printf(" OperServerMode = %s\n", yesno_to_str(Conf_OperServerMode));
#ifdef PAM
printf(" PAM = %s\n", yesno_to_str(Conf_PAM));
printf(" PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional));
#endif
printf(" PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly));
#ifndef STRICT_RFC
@ -697,6 +698,7 @@ Set_Defaults(bool InitServers)
#else
Conf_PAM = false;
#endif
Conf_PAMIsOptional = false;
Conf_PredefChannelsOnly = false;
#ifdef SYSLOG
Conf_ScrubCTCP = false;
@ -1500,6 +1502,10 @@ Handle_OPTIONS(int Line, char *Var, char *Arg)
WarnPAM(Line);
return;
}
if (strcasecmp(Var, "PAMIsOptional") == 0 ) {
Conf_PAMIsOptional = Check_ArgIsTrue(Arg);
return;
}
if (strcasecmp(Var, "PredefChannelsOnly") == 0) {
Conf_PredefChannelsOnly = Check_ArgIsTrue(Arg);
return;

View File

@ -184,6 +184,9 @@ GLOBAL bool Conf_NoticeAuth;
/** Enable all usage of PAM, even when compiled with support for it */
GLOBAL bool Conf_PAM;
/** Don't require all clients to send a password an to be PAM authenticated */
GLOBAL bool Conf_PAMIsOptional;
/** Disable all CTCP commands except for /me ? */
GLOBAL bool Conf_ScrubCTCP;

View File

@ -949,6 +949,15 @@ Hello_User(CLIENT * Client)
return DISCONNECTED;
}
if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) {
/* Clients are not required to send a password and to be PAM-
* authenticated at all. If not, they won't become "identified"
* and keep the "~" in their supplied user name.
* Therefore it is sensible to either set Conf_PAMisOptional or
* to enable IDENT lookups -- not both. */
return Hello_User_PostAuth(Client);
}
/* Fork child process for PAM authentication; and make sure that the
* process timeout is set higher than the login timeout! */
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,