Module: ngircd.git Branch: master Commit: f369177617a0f54e34a1af6fa44d1d1e3f953aeb URL: http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git&a=commit;h=f36917761... Author: Alexander Barton <alex@barton.de> Date: Tue Jul 13 15:10:35 2010 +0200 New configuration option "NoPAM" to disable PAM When the "NoPAM" configuration option is set and ngIRCd is compiled with support for PAM, ngIRCd will not call any PAM functions: all connection attemps without password will succeed instead and all connection attemps with password will fail. If ngIRCd is compiled without PAM support, this option is a dummy option and nothing changes: the global server password will still be in effect. --- doc/sample-ngircd.conf | 3 +++ man/ngircd.conf.5.tmpl | 6 ++++++ src/ngircd/conf.c | 7 +++++++ src/ngircd/conf.h | 3 +++ src/ngircd/irc-login.c | 5 ++++- 5 files changed, 23 insertions(+), 1 deletions(-) diff --git a/doc/sample-ngircd.conf b/doc/sample-ngircd.conf index daa0801..645d1b8 100644 --- a/doc/sample-ngircd.conf +++ b/doc/sample-ngircd.conf @@ -135,6 +135,9 @@ # with support for it. ;NoIdent = no + # Don't use PAM, even if ngIRCd has been compiled with support for it. + ;NoPAM = no + # try to connect to other irc servers using ipv4 and ipv6, if possible ;ConnectIPv6 = yes ;ConnectIPv4 = yes diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index 46e0308..ad88871 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -210,6 +210,12 @@ If ngIRCd is compiled with IDENT support this can be used to disable IDENT lookups at run time. Default: no. .TP +\fBNoPAM\fR +If ngIRCd is compiled with PAM support this can be used to disable all calls +to the PAM library at runtime; all users connecting without password are +allowed to connect, all passwords given will fail. +Default: no. +.TP \fBConnectIPv4\fR Set this to no if you do not want ngIRCd to connect to other IRC servers using IPv4. This allows usage of ngIRCd in IPv6-only setups. diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index f78eaee..834a1da 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -331,6 +331,7 @@ Conf_Test( void ) printf(" PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly)); printf(" NoDNS = %s\n", yesno_to_str(Conf_NoDNS)); printf(" NoIdent = %s\n", yesno_to_str(Conf_NoIdent)); + printf(" NoPAM = %s\n", yesno_to_str(Conf_NoPAM)); #ifdef WANT_IPV6 printf(" ConnectIPv4 = %s\n", yesno_to_str(Conf_ConnectIPv6)); @@ -580,6 +581,7 @@ Set_Defaults(bool InitServers) Conf_ConnectRetry = 60; Conf_NoDNS = false; Conf_NoIdent = false; + Conf_NoPAM = false; Conf_Oper_Count = 0; Conf_Channel_Count = 0; @@ -986,6 +988,11 @@ Handle_GLOBAL( int Line, char *Var, char *Arg ) #endif return; } + if(strcasecmp(Var, "NoPAM") == 0) { + /* don't use PAM library to authenticate users */ + Conf_NoPAM = Check_ArgIsTrue(Arg); + return; + } #ifdef WANT_IPV6 /* the default setting for all the WANT_IPV6 special options is 'true' */ if( strcasecmp( Var, "ConnectIPv6" ) == 0 ) { diff --git a/src/ngircd/conf.h b/src/ngircd/conf.h index 8e397fa..74abc1d 100644 --- a/src/ngircd/conf.h +++ b/src/ngircd/conf.h @@ -152,6 +152,9 @@ GLOBAL bool Conf_NoDNS; /* Disable IDENT lookups, even when compiled with support for it */ GLOBAL bool Conf_NoIdent; +/* Disable all usage of PAM, even when compiled with support for it */ +GLOBAL bool Conf_NoPAM; + /* * try to connect to remote systems using the ipv6 protocol, * if they have an ipv6 address? (default yes) diff --git a/src/ngircd/irc-login.c b/src/ngircd/irc-login.c index 10e2df8..0789540 100644 --- a/src/ngircd/irc-login.c +++ b/src/ngircd/irc-login.c @@ -787,7 +787,10 @@ Hello_User(CLIENT * Client) /* Sub process */ signal(SIGTERM, Proc_GenericSignalHandler); Log_Init_Subprocess("Auth"); - result = PAM_Authenticate(Client); + if (Conf_NoPAM) { + result = (Client_Password(Client)[0] == '\0'); + } else + result = PAM_Authenticate(Client); write(pipefd[1], &result, sizeof(result)); Log_Exit_Subprocess("Auth"); exit(0);