New configuration option "PAMIsOptional"
When "PAMIsOptional" is set, clients not sending a password are still allowed to connect: they won't become "identified" and keep the "~" character prepended to their supplied user name.
This commit is contained in:
parent
b681aa5b9f
commit
56b7e67307
|
@ -140,6 +140,8 @@
|
|||
;DNS = yes
|
||||
|
||||
# Do IDENT lookups if ngIRCd has been compiled with support for it.
|
||||
# Users identified using IDENT are registered without the "~" character
|
||||
# prepended to their user name.
|
||||
;Ident = yes
|
||||
|
||||
# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
|
||||
|
@ -160,8 +162,23 @@
|
|||
;OperServerMode = no
|
||||
|
||||
# Use PAM if ngIRCd has been compiled with support for it.
|
||||
# Users identified using PAM are registered without the "~" character
|
||||
# prepended to their user name.
|
||||
;PAM = yes
|
||||
|
||||
# When PAM is enabled, all clients are required to be authenticated
|
||||
# using PAM; connecting to the server without successful PAM
|
||||
# authentication isn't possible.
|
||||
# If this option is set, clients not sending a password are still
|
||||
# allowed to connect: they won't become "identified" and keep the "~"
|
||||
# character prepended to their supplied user name.
|
||||
# Please note: To make some use of this behavior, it most probably
|
||||
# isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
|
||||
# same time, because you wouldn't be able to distinguish between
|
||||
# Ident'ified and PAM-authenticated users: both don't have a "~"
|
||||
# character prepended to their respective user names!
|
||||
;PAMIsOptional = no
|
||||
|
||||
# Allow Pre-Defined Channels only (see Section [Channels])
|
||||
;PredefChannelsOnly = no
|
||||
|
||||
|
|
|
@ -244,6 +244,8 @@ Default: yes.
|
|||
\fBIdent\fR (boolean)
|
||||
If ngIRCd is compiled with IDENT support this can be used to disable IDENT
|
||||
lookups at run time.
|
||||
Users identified using IDENT are registered without the "~" character
|
||||
prepended to their user name.
|
||||
Default: yes.
|
||||
.TP
|
||||
\fBMorePrivacy\fR (boolean)
|
||||
|
@ -274,8 +276,23 @@ only enable it if you have ircd-irc2 servers in your IRC network.
|
|||
If ngIRCd is compiled with PAM support this can be used to disable all calls
|
||||
to the PAM library at runtime; all users connecting without password are
|
||||
allowed to connect, all passwords given will fail.
|
||||
Users identified using PAM are registered without the "~" character
|
||||
prepended to their user name.
|
||||
Default: yes.
|
||||
.TP
|
||||
\fBPAMIsOptional\fR (boolean)
|
||||
When PAM is enabled, all clients are required to be authenticated using PAM;
|
||||
connecting to the server without successful PAM authentication isn't possible.
|
||||
If this option is set, clients not sending a password are still allowed to
|
||||
connect: they won't become "identified" and keep the "~" character prepended
|
||||
to their supplied user name.
|
||||
Please note:
|
||||
To make some use of this behavior, it most probably isn't useful to enable
|
||||
"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be
|
||||
able to distinguish between Ident'ified and PAM-authenticated users: both
|
||||
don't have a "~" character prepended to their respective user names!
|
||||
Default: no.
|
||||
.TP
|
||||
\fBPredefChannelsOnly\fR (boolean)
|
||||
If enabled, no new channels can be created. Useful if you do not want to have
|
||||
other channels than those defined in [Channel] sections in the configuration
|
||||
|
|
|
@ -373,6 +373,7 @@ Conf_Test( void )
|
|||
printf(" OperServerMode = %s\n", yesno_to_str(Conf_OperServerMode));
|
||||
#ifdef PAM
|
||||
printf(" PAM = %s\n", yesno_to_str(Conf_PAM));
|
||||
printf(" PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional));
|
||||
#endif
|
||||
printf(" PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly));
|
||||
#ifndef STRICT_RFC
|
||||
|
@ -697,6 +698,7 @@ Set_Defaults(bool InitServers)
|
|||
#else
|
||||
Conf_PAM = false;
|
||||
#endif
|
||||
Conf_PAMIsOptional = false;
|
||||
Conf_PredefChannelsOnly = false;
|
||||
#ifdef SYSLOG
|
||||
Conf_ScrubCTCP = false;
|
||||
|
@ -1500,6 +1502,10 @@ Handle_OPTIONS(int Line, char *Var, char *Arg)
|
|||
WarnPAM(Line);
|
||||
return;
|
||||
}
|
||||
if (strcasecmp(Var, "PAMIsOptional") == 0 ) {
|
||||
Conf_PAMIsOptional = Check_ArgIsTrue(Arg);
|
||||
return;
|
||||
}
|
||||
if (strcasecmp(Var, "PredefChannelsOnly") == 0) {
|
||||
Conf_PredefChannelsOnly = Check_ArgIsTrue(Arg);
|
||||
return;
|
||||
|
|
|
@ -184,6 +184,9 @@ GLOBAL bool Conf_NoticeAuth;
|
|||
/** Enable all usage of PAM, even when compiled with support for it */
|
||||
GLOBAL bool Conf_PAM;
|
||||
|
||||
/** Don't require all clients to send a password an to be PAM authenticated */
|
||||
GLOBAL bool Conf_PAMIsOptional;
|
||||
|
||||
/** Disable all CTCP commands except for /me ? */
|
||||
GLOBAL bool Conf_ScrubCTCP;
|
||||
|
||||
|
|
|
@ -949,6 +949,15 @@ Hello_User(CLIENT * Client)
|
|||
return DISCONNECTED;
|
||||
}
|
||||
|
||||
if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) {
|
||||
/* Clients are not required to send a password and to be PAM-
|
||||
* authenticated at all. If not, they won't become "identified"
|
||||
* and keep the "~" in their supplied user name.
|
||||
* Therefore it is sensible to either set Conf_PAMisOptional or
|
||||
* to enable IDENT lookups -- not both. */
|
||||
return Hello_User_PostAuth(Client);
|
||||
}
|
||||
|
||||
/* Fork child process for PAM authentication; and make sure that the
|
||||
* process timeout is set higher than the login timeout! */
|
||||
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
|
||||
|
|
Loading…
Reference in New Issue