New configuration option "NoPAM" to disable PAM

When the "NoPAM" configuration option is set and ngIRCd is compiled
with support for PAM, ngIRCd will not call any PAM functions: all
connection attemps without password will succeed instead and all
connection attemps with password will fail.

If ngIRCd is compiled without PAM support, this option is a dummy
option and nothing changes: the global server password will still be
in effect.

doc/sample-ngircd.conf

@@ -135,6 +135,9 @@
 	# with support for it.
 	;NoIdent = no
 
+	# Don't use PAM, even if ngIRCd has been compiled with support for it.
+	;NoPAM = no
+
 	# try to connect to other irc servers using ipv4 and ipv6, if possible
 	;ConnectIPv6 = yes
 	;ConnectIPv4 = yes

man/ngircd.conf.5.tmpl

@@ -210,6 +210,12 @@ If ngIRCd is compiled with IDENT support this can be used to disable IDENT
 lookups at run time.
 Default: no.
 .TP
+\fBNoPAM\fR
+If ngIRCd is compiled with PAM support this can be used to disable all calls
+to the PAM library at runtime; all users connecting without password are
+allowed to connect, all passwords given will fail.
+Default: no.
+.TP
 \fBConnectIPv4\fR
 Set this to no if you do not want ngIRCd to connect to other IRC servers using
 IPv4. This allows usage of ngIRCd in IPv6-only setups.

src/ngircd/conf.c

@@ -331,6 +331,7 @@ Conf_Test( void )
 	printf("  PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly));
 	printf("  NoDNS = %s\n", yesno_to_str(Conf_NoDNS));
 	printf("  NoIdent = %s\n", yesno_to_str(Conf_NoIdent));
+	printf("  NoPAM = %s\n", yesno_to_str(Conf_NoPAM));
 
 #ifdef WANT_IPV6
 	printf("  ConnectIPv4 = %s\n", yesno_to_str(Conf_ConnectIPv6));
@@ -580,6 +581,7 @@ Set_Defaults(bool InitServers)
 	Conf_ConnectRetry = 60;
 	Conf_NoDNS = false;
 	Conf_NoIdent = false;
+	Conf_NoPAM = false;
 
 	Conf_Oper_Count = 0;
 	Conf_Channel_Count = 0;
@@ -986,6 +988,11 @@ Handle_GLOBAL( int Line, char *Var, char *Arg )
 #endif
 		return;
 	}
+	if(strcasecmp(Var, "NoPAM") == 0) {
+		/* don't use PAM library to authenticate users */
+		Conf_NoPAM = Check_ArgIsTrue(Arg);
+		return;
+	}
 #ifdef WANT_IPV6
 	/* the default setting for all the WANT_IPV6 special options is 'true' */
 	if( strcasecmp( Var, "ConnectIPv6" ) == 0 ) {

src/ngircd/conf.h

@@ -152,6 +152,9 @@ GLOBAL bool Conf_NoDNS;
 /* Disable IDENT lookups, even when compiled with support for it */
 GLOBAL bool Conf_NoIdent;
 
+/* Disable all usage of PAM, even when compiled with support for it */
+GLOBAL bool Conf_NoPAM;
+
 /*
  * try to connect to remote systems using the ipv6 protocol,
  * if they have an ipv6 address? (default yes)

src/ngircd/irc-login.c

@@ -787,7 +787,10 @@ Hello_User(CLIENT * Client)
 		/* Sub process */
 		signal(SIGTERM, Proc_GenericSignalHandler);
 		Log_Init_Subprocess("Auth");
-		result = PAM_Authenticate(Client);
+		if (Conf_NoPAM) {
+			result = (Client_Password(Client)[0] == '\0');
+		} else
+			result = PAM_Authenticate(Client);
 		write(pipefd[1], &result, sizeof(result));
 		Log_Exit_Subprocess("Auth");
 		exit(0);