;DNS = yes
# Do IDENT lookups if ngIRCd has been compiled with support for it.
+ # Users identified using IDENT are registered without the "~" character
+ # prepended to their user name.
;Ident = yes
# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
;OperServerMode = no
# Use PAM if ngIRCd has been compiled with support for it.
+ # Users identified using PAM are registered without the "~" character
+ # prepended to their user name.
;PAM = yes
+ # When PAM is enabled, all clients are required to be authenticated
+ # using PAM; connecting to the server without successful PAM
+ # authentication isn't possible.
+ # If this option is set, clients not sending a password are still
+ # allowed to connect: they won't become "identified" and keep the "~"
+ # character prepended to their supplied user name.
+ # Please note: To make some use of this behavior, it most probably
+ # isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
+ # same time, because you wouldn't be able to distinguish between
+ # Ident'ified and PAM-authenticated users: both don't have a "~"
+ # character prepended to their respective user names!
+ ;PAMIsOptional = no
+
# Allow Pre-Defined Channels only (see Section [Channels])
;PredefChannelsOnly = no
\fBIdent\fR (boolean)
If ngIRCd is compiled with IDENT support this can be used to disable IDENT
lookups at run time.
+Users identified using IDENT are registered without the "~" character
+prepended to their user name.
Default: yes.
.TP
\fBMorePrivacy\fR (boolean)
If ngIRCd is compiled with PAM support this can be used to disable all calls
to the PAM library at runtime; all users connecting without password are
allowed to connect, all passwords given will fail.
+Users identified using PAM are registered without the "~" character
+prepended to their user name.
Default: yes.
.TP
+\fBPAMIsOptional\fR (boolean)
+When PAM is enabled, all clients are required to be authenticated using PAM;
+connecting to the server without successful PAM authentication isn't possible.
+If this option is set, clients not sending a password are still allowed to
+connect: they won't become "identified" and keep the "~" character prepended
+to their supplied user name.
+Please note:
+To make some use of this behavior, it most probably isn't useful to enable
+"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be
+able to distinguish between Ident'ified and PAM-authenticated users: both
+don't have a "~" character prepended to their respective user names!
+Default: no.
+.TP
\fBPredefChannelsOnly\fR (boolean)
If enabled, no new channels can be created. Useful if you do not want to have
other channels than those defined in [Channel] sections in the configuration
printf(" OperServerMode = %s\n", yesno_to_str(Conf_OperServerMode));
#ifdef PAM
printf(" PAM = %s\n", yesno_to_str(Conf_PAM));
+ printf(" PAMIsOptional = %s\n", yesno_to_str(Conf_PAMIsOptional));
#endif
printf(" PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly));
#ifndef STRICT_RFC
#else
Conf_PAM = false;
#endif
+ Conf_PAMIsOptional = false;
Conf_PredefChannelsOnly = false;
#ifdef SYSLOG
Conf_ScrubCTCP = false;
WarnPAM(Line);
return;
}
+ if (strcasecmp(Var, "PAMIsOptional") == 0 ) {
+ Conf_PAMIsOptional = Check_ArgIsTrue(Arg);
+ return;
+ }
if (strcasecmp(Var, "PredefChannelsOnly") == 0) {
Conf_PredefChannelsOnly = Check_ArgIsTrue(Arg);
return;
/** Enable all usage of PAM, even when compiled with support for it */
GLOBAL bool Conf_PAM;
+/** Don't require all clients to send a password an to be PAM authenticated */
+GLOBAL bool Conf_PAMIsOptional;
+
/** Disable all CTCP commands except for /me ? */
GLOBAL bool Conf_ScrubCTCP;
return DISCONNECTED;
}
+ if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) {
+ /* Clients are not required to send a password and to be PAM-
+ * authenticated at all. If not, they won't become "identified"
+ * and keep the "~" in their supplied user name.
+ * Therefore it is sensible to either set Conf_PAMisOptional or
+ * to enable IDENT lookups -- not both. */
+ return Hello_User_PostAuth(Client);
+ }
+
/* Fork child process for PAM authentication; and make sure that the
* process timeout is set higher than the login timeout! */
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
projects / ngircd / commitdiff