New configuration option "NoPAM" to disable PAM

When the "NoPAM" configuration option is set and ngIRCd is compiled
with support for PAM, ngIRCd will not call any PAM functions: all
connection attemps without password will succeed instead and all
connection attemps with password will fail.

If ngIRCd is compiled without PAM support, this option is a dummy
option and nothing changes: the global server password will still be
in effect.

diff --git a/doc/sample-ngircd.conf b/doc/sample-ngircd.conf
index daa0801211af2d60088520b9410fef1abf0483a8..645d1b8afbc525fef0d689f9c36b801bff67db5f 100644 (file)
--- a/doc/sample-ngircd.conf
+++ b/doc/sample-ngircd.conf
@@ -135,6 +135,9 @@
        # with support for it.
        ;NoIdent = no
 
+       # Don't use PAM, even if ngIRCd has been compiled with support for it.
+       ;NoPAM = no
+
        # try to connect to other irc servers using ipv4 and ipv6, if possible
        ;ConnectIPv6 = yes
        ;ConnectIPv4 = yes

diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl
index 46e0308a3f3e9fce27cd18f652dc0b2a1606648f..ad888713ee7d0ee310404b15c02211ff7bd6c20a 100644 (file)
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@@ -210,6 +210,12 @@ If ngIRCd is compiled with IDENT support this can be used to disable IDENT
 lookups at run time.
 Default: no.
 .TP
+\fBNoPAM\fR
+If ngIRCd is compiled with PAM support this can be used to disable all calls
+to the PAM library at runtime; all users connecting without password are
+allowed to connect, all passwords given will fail.
+Default: no.
+.TP
 \fBConnectIPv4\fR
 Set this to no if you do not want ngIRCd to connect to other IRC servers using
 IPv4. This allows usage of ngIRCd in IPv6-only setups.

diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c
index f78eaee64d985f01aa294e9cdf7ce6fd56401aa0..834a1da330e989300993d5377bf6c8b726119ce5 100644 (file)
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@@ -331,6 +331,7 @@ Conf_Test( void )
        printf("  PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly));
        printf("  NoDNS = %s\n", yesno_to_str(Conf_NoDNS));
        printf("  NoIdent = %s\n", yesno_to_str(Conf_NoIdent));
+       printf("  NoPAM = %s\n", yesno_to_str(Conf_NoPAM));
 
 #ifdef WANT_IPV6
        printf("  ConnectIPv4 = %s\n", yesno_to_str(Conf_ConnectIPv6));
@@ -580,6 +581,7 @@ Set_Defaults(bool InitServers)
        Conf_ConnectRetry = 60;
        Conf_NoDNS = false;
        Conf_NoIdent = false;
+       Conf_NoPAM = false;
 
        Conf_Oper_Count = 0;
        Conf_Channel_Count = 0;
@@ -986,6 +988,11 @@ Handle_GLOBAL( int Line, char *Var, char *Arg )
 #endif
                return;
        }
+       if(strcasecmp(Var, "NoPAM") == 0) {
+               /* don't use PAM library to authenticate users */
+               Conf_NoPAM = Check_ArgIsTrue(Arg);
+               return;
+       }
 #ifdef WANT_IPV6
        /* the default setting for all the WANT_IPV6 special options is 'true' */
        if( strcasecmp( Var, "ConnectIPv6" ) == 0 ) {

diff --git a/src/ngircd/conf.h b/src/ngircd/conf.h
index 8e397fafcf437b9531b8e2d70294a018bf39ae16..74abc1d95010d889ba626f76c836abcc8fc7db14 100644 (file)
--- a/src/ngircd/conf.h
+++ b/src/ngircd/conf.h
@@ -152,6 +152,9 @@ GLOBAL bool Conf_NoDNS;
 /* Disable IDENT lookups, even when compiled with support for it */
 GLOBAL bool Conf_NoIdent;
 
+/* Disable all usage of PAM, even when compiled with support for it */
+GLOBAL bool Conf_NoPAM;
+
 /*
  * try to connect to remote systems using the ipv6 protocol,
  * if they have an ipv6 address? (default yes)

diff --git a/src/ngircd/irc-login.c b/src/ngircd/irc-login.c
index 10e2df82614469bf7ed58116c6f5c00ea1133418..078954024a887bf1495ee8a0672e01530c93359f 100644 (file)
--- a/src/ngircd/irc-login.c
+++ b/src/ngircd/irc-login.c
@@ -787,7 +787,10 @@ Hello_User(CLIENT * Client)
                /* Sub process */
                signal(SIGTERM, Proc_GenericSignalHandler);
                Log_Init_Subprocess("Auth");
-               result = PAM_Authenticate(Client);
+               if (Conf_NoPAM) {
+                       result = (Client_Password(Client)[0] == '\0');
+               } else
+                       result = PAM_Authenticate(Client);
                write(pipefd[1], &result, sizeof(result));
                Log_Exit_Subprocess("Auth");
                exit(0);