Made on IRCNow

Commit Diff

Commit:: af9161a9bc32817c44fe6f743b402d554e60ddf2
From:: Alexander Barton <alex@barton.de>
Date:: Fri Feb 28 21:26:41 2014 UTC
Message:: Merge pull request #6 from norrs/pam_server_password_fix Validate server password when PAM is disabled.
Actions:: Patch | Tree
commit - abf280d5bd5648817135c487a19941b2ef4b0701
commit + af9161a9bc32817c44fe6f743b402d554e60ddf2
blob - bdbb506fcfcd39e391b6f967078804c10167a65d
blob + 34abbad150573dc9379476273c86dd8b92ab1691
--- src/ngircd/conf.c
+++ src/ngircd/conf.c
@@ -370,9 +370,8 @@ Conf_Test( void )
 		       ? (const char*) array_start(&Conf_Motd) : "");
 	}
 	printf("  Network = %s\n", Conf_Network);
-#ifndef PAM
-	printf("  Password = %s\n", Conf_ServerPwd);
-#endif
+	if (!Conf_PAM) 
+		printf("  Password = %s\n", Conf_ServerPwd);
 	printf("  PidFile = %s\n", Conf_PidFile);
 	printf("  Ports = ");
 	ports_puts(&Conf_ListenPorts);
@@ -2259,7 +2258,7 @@ Validate_Config(bool Configtest, bool Rehash)
 	}
 
 #ifdef PAM
-	if (Conf_ServerPwd[0])
+	if (Conf_PAM && Conf_ServerPwd[0])
 		Config_Error(LOG_ERR,
 			     "This server uses PAM, \"Password\" in [Global] section will be ignored!");
 #endif
blob - 4011b8bcadd3216672b2ddfeb67a254eb3dff463
blob + 23c3b6848d94e540bc71f7a38ab504ff6bbb9ca8
--- src/ngircd/login.c
+++ src/ngircd/login.c
@@ -91,13 +91,12 @@ Login_User(CLIENT * Client)
 
 #ifdef PAM
 	if (!Conf_PAM) {
-		/* Don't do any PAM authentication at all, instead emulate
-		 * the behavior of the daemon compiled without PAM support:
-		 * because there can't be any "server password", all
-		 * passwords supplied are classified as "wrong". */
-		if(Conn_Password(conn)[0] == '\0')
+		/* Don't do any PAM authentication at all if PAM is not
+		 * enabled, instead emulate the behavior of the daemon
+		 * compiled without PAM support. */
+		if (strcmp(Conn_Password(conn), Conf_ServerPwd) == 0) 
 			return Login_User_PostAuth(Client);
-		Client_Reject(Client, "Non-empty password", false);
+		Client_Reject(Client, "Bad server password", false);
 		return DISCONNECTED;
 	}
 
@@ -111,25 +110,27 @@ Login_User(CLIENT * Client)
 		return Login_User_PostAuth(Client);
 	}
 
-	/* Fork child process for PAM authentication; and make sure that the
-	 * process timeout is set higher than the login timeout! */
-	pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
-			cb_Read_Auth_Result, Conf_PongTimeout + 1);
-	if (pid > 0) {
-		LogDebug("Authenticator for connection %d created (PID %d).",
-			 conn, pid);
-		return CONNECTED;
-	} else {
-		/* Sub process */
-		Log_Init_Subprocess("Auth");
-		Conn_CloseAllSockets(NONE);
-		result = PAM_Authenticate(Client);
-		if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
-			Log_Subprocess(LOG_ERR,
-				       "Failed to pipe result to parent!");
-		Log_Exit_Subprocess("Auth");
-		exit(0);
-	}
+	if (Conf_PAM) {
+		/* Fork child process for PAM authentication; and make sure that the
+		 * process timeout is set higher than the login timeout! */
+		pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
+				cb_Read_Auth_Result, Conf_PongTimeout + 1);
+		if (pid > 0) {
+			LogDebug("Authenticator for connection %d created (PID %d).",
+				 conn, pid);
+			return CONNECTED;
+		} else {
+			/* Sub process */
+			Log_Init_Subprocess("Auth");
+			Conn_CloseAllSockets(NONE);
+			result = PAM_Authenticate(Client);
+			if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
+				Log_Subprocess(LOG_ERR,
+					       "Failed to pipe result to parent!");
+			Log_Exit_Subprocess("Auth");
+			exit(0);
+		}
+	} else return CONNECTED;
 #else
 	/* Check global server password ... */
 	if (strcmp(Conn_Password(conn), Conf_ServerPwd) != 0) {