Add PAMServiceName setting to specify the used PAM configuration

This setting allows running multiple ngIRCd instances with
different PAM configurations on each instance.
If one sets it to "ngircd-foo", PAM will use `/etc/pam.d/ngircd-foo`
instead of the default `/etc/pam.d/ngircd`.
Christian Aistleitner 2016-06-05 12:46:56 +02:00
parent a93247d32f
commit e84000f7b8
6 changed files with 33 additions and 1 deletions


@ -226,6 +226,15 @@
# character prepended to their respective user names! # character prepended to their respective user names!
;PAMIsOptional = no ;PAMIsOptional = no
# When PAM is enabled, this value determines the used PAM
# configuration.
# This setting allows to run multiple ngIRCd instances with
# different PAM configurations on each instance.
# If you set it to "ngircd-foo", PAM will use
# /etc/pam.d/ngircd-foo instead of the default
# /etc/pam.d/ngircd.
;PAMServiceName = ngircd
# Let ngIRCd send an "authentication PING" when a new client connects, # Let ngIRCd send an "authentication PING" when a new client connects,
# and register this client only after receiving the corresponding # and register this client only after receiving the corresponding
# "PONG" reply. # "PONG" reply.


@ -339,6 +339,14 @@ able to distinguish between Ident'ified and PAM-authenticated users: both
don't have a "~" character prepended to their respective user names! don't have a "~" character prepended to their respective user names!
Default: no. Default: no.
.TP .TP
\fBPAMServiceName\fR (string)
When PAM is enabled, this value determines the used PAM configuration.
This setting allows to run multiple ngIRCd instances with different
PAM configurations on each instance. If you set it to "ngircd-foo",
PAM will use /etc/pam.d/ngircd-foo instead of the default
/etc/pam.d/ngircd.
Default: ngircd.
.TP
\fBRequireAuthPing\fR (boolean) \fBRequireAuthPing\fR (boolean)
Let ngIRCd send an "authentication PING" when a new client connects, and Let ngIRCd send an "authentication PING" when a new client connects, and
register this client only after receiving the corresponding "PONG" reply. register this client only after receiving the corresponding "PONG" reply.


@ -419,6 +419,7 @@ Conf_Test( void )
#ifdef PAM #ifdef PAM
printf(" PAM = %s\n", yesno_to_str(Conf_PAM)); printf(" PAM = %s\n", yesno_to_str(Conf_PAM));
printf(" PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional)); printf(" PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional));
printf(" PAMServiceName = %s\n", Conf_PAMServiceName);
#endif #endif
#ifndef STRICT_RFC #ifndef STRICT_RFC
printf(" RequireAuthPing = %s\n", yesno_to_str(Conf_AuthPing)); printf(" RequireAuthPing = %s\n", yesno_to_str(Conf_AuthPing));
@ -807,6 +808,7 @@ Set_Defaults(bool InitServers)
Conf_PAM = false; Conf_PAM = false;
#endif #endif
Conf_PAMIsOptional = false; Conf_PAMIsOptional = false;
strcpy(Conf_PAMServiceName, "ngircd");
Conf_ScrubCTCP = false; Conf_ScrubCTCP = false;
#ifdef SYSLOG #ifdef SYSLOG
#ifdef LOG_LOCAL5 #ifdef LOG_LOCAL5
@ -1833,6 +1835,12 @@ Handle_OPTIONS(const char *File, int Line, char *Var, char *Arg)
Conf_PAMIsOptional = Check_ArgIsTrue(Arg); Conf_PAMIsOptional = Check_ArgIsTrue(Arg);
return; return;
} }
if (strcasecmp(Var, "PAMServiceName") == 0) {
len = strlcpy(Conf_PAMServiceName, Arg, sizeof(Conf_PAMServiceName));
if (len >= sizeof(Conf_PAMServiceName))
Config_Error_TooLong(File, Line, Var);
return;
}
if (strcasecmp(Var, "PredefChannelsOnly") == 0) { if (strcasecmp(Var, "PredefChannelsOnly") == 0) {
/* /*
* TODO: This section and support for "PredefChannelsOnly" * TODO: This section and support for "PredefChannelsOnly"
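Review bot: In the Handle_OPTIONS hunk, an over-long `PAMServiceName` is reported through `Config_Error_TooLong` but the truncated string stays in `Conf_PAMServiceName`, so unless that error path stops start-up (not visible here) authentication would run against a PAM service the administrator never named. The value is also stored without any content check, so an empty string or one containing `/` is handed to PAM unchanged, although a service name is meant to be a plain file name under /etc/pam.d. I would restore the default on rejection, e.g. `strlcpy(Conf_PAMServiceName, "ngircd", sizeof(Conf_PAMServiceName));` after the error call, and reject empty values and values containing `/` in the same branch. In Set_Defaults, `strcpy` is safe for this literal, but `strlcpy` with `sizeof` would match the handler and stay safe if the default or the buffer size changes. Both functions start and end outside the hunks shown.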


@ -203,6 +203,9 @@ GLOBAL bool Conf_PAM;
/** Don't require all clients to send a password an to be PAM authenticated */ /** Don't require all clients to send a password an to be PAM authenticated */
GLOBAL bool Conf_PAMIsOptional; GLOBAL bool Conf_PAMIsOptional;
/** The service name to use for PAM */
GLOBAL char Conf_PAMServiceName[MAX_PAM_SERVICE_NAME_LEN];
/** Disable all CTCP commands except for /me ? */ /** Disable all CTCP commands except for /me ? */
GLOBAL bool Conf_ScrubCTCP; GLOBAL bool Conf_ScrubCTCP;


@ -61,6 +61,9 @@
/** Size of default connection pool. */ /** Size of default connection pool. */
#define CONNECTION_POOL 100 #define CONNECTION_POOL 100
/** Size of buffer for PAM service name. */
#define MAX_PAM_SERVICE_NAME_LEN 64
/* Hard-coded (default) options */ /* Hard-coded (default) options */


@ -32,6 +32,7 @@
#include "log.h" #include "log.h"
#include "conn.h" #include "conn.h"
#include "client.h" #include "client.h"
#include "conf.h"
#include "pam.h" #include "pam.h"
@ -101,7 +102,7 @@ PAM_Authenticate(CLIENT *Client) {
conv.appdata_ptr = Conn_Password(Client_Conn(Client)); conv.appdata_ptr = Conn_Password(Client_Conn(Client));
/* Initialize PAM */ /* Initialize PAM */
retval = pam_start("ngircd", Client_OrigUser(Client), &conv, &pam); retval = pam_start(Conf_PAMServiceName, Client_OrigUser(Client), &conv, &pam);
if (retval != PAM_SUCCESS) { if (retval != PAM_SUCCESS) {
Log(LOG_ERR, "PAM: Failed to create authenticator! (%d)", retval); Log(LOG_ERR, "PAM: Failed to create authenticator! (%d)", retval);
return false; return false;
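Review bot: The `pam_start` failure branch will not catch a mistyped service name, because on Linux-PAM a name with no matching file under /etc/pam.d falls back to the `other` policy and `pam_start` still succeeds. Now that the service is configurable, the log line should name it so an operator can see which PAM stack was requested, e.g. `Log(LOG_ERR, "PAM: Failed to create authenticator for service \"%s\"! (%d)", Conf_PAMServiceName, retval);`. A short comment above the call, noting that the name comes from the `PAMServiceName` option and that the fallback behaviour depends on the PAM implementation, would help the next reader. PAM_Authenticate continues beyond the lines shown.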