commit f369177617a0f54e34a1af6fa44d1d1e3f953aeb
from: Alexander Barton <alex@barton.de>
date: Tue Jul 13 14:47:01 2010 UTC

New configuration option "NoPAM" to disable PAM

When the "NoPAM" configuration option is set and ngIRCd is compiled
with support for PAM, ngIRCd will not call any PAM functions: all
connection attemps without password will succeed instead and all
connection attemps with password will fail.

If ngIRCd is compiled without PAM support, this option is a dummy
option and nothing changes: the global server password will still be
in effect.

commit - 37ee0a331394d990e514a1a7b2b52ecb879b9701
commit + f369177617a0f54e34a1af6fa44d1d1e3f953aeb
blob - daa0801211af2d60088520b9410fef1abf0483a8
blob + 645d1b8afbc525fef0d689f9c36b801bff67db5f
--- doc/sample-ngircd.conf
+++ doc/sample-ngircd.conf
@@ -135,6 +135,9 @@
 	# with support for it.
 	;NoIdent = no
 
+	# Don't use PAM, even if ngIRCd has been compiled with support for it.
+	;NoPAM = no
+
 	# try to connect to other irc servers using ipv4 and ipv6, if possible
 	;ConnectIPv6 = yes
 	;ConnectIPv4 = yes
blob - 46e0308a3f3e9fce27cd18f652dc0b2a1606648f
blob + ad888713ee7d0ee310404b15c02211ff7bd6c20a
--- man/ngircd.conf.5.tmpl
+++ man/ngircd.conf.5.tmpl
@@ -208,6 +208,12 @@ Default: no.
 \fBNoIdent\fR
 If ngIRCd is compiled with IDENT support this can be used to disable IDENT
 lookups at run time.
+Default: no.
+.TP
+\fBNoPAM\fR
+If ngIRCd is compiled with PAM support this can be used to disable all calls
+to the PAM library at runtime; all users connecting without password are
+allowed to connect, all passwords given will fail.
 Default: no.
 .TP
 \fBConnectIPv4\fR
blob - f78eaee64d985f01aa294e9cdf7ce6fd56401aa0
blob + 834a1da330e989300993d5377bf6c8b726119ce5
--- src/ngircd/conf.c
+++ src/ngircd/conf.c
@@ -331,6 +331,7 @@ Conf_Test( void )
 	printf("  PredefChannelsOnly = %s\n", yesno_to_str(Conf_PredefChannelsOnly));
 	printf("  NoDNS = %s\n", yesno_to_str(Conf_NoDNS));
 	printf("  NoIdent = %s\n", yesno_to_str(Conf_NoIdent));
+	printf("  NoPAM = %s\n", yesno_to_str(Conf_NoPAM));
 
 #ifdef WANT_IPV6
 	printf("  ConnectIPv4 = %s\n", yesno_to_str(Conf_ConnectIPv6));
@@ -580,6 +581,7 @@ Set_Defaults(bool InitServers)
 	Conf_ConnectRetry = 60;
 	Conf_NoDNS = false;
 	Conf_NoIdent = false;
+	Conf_NoPAM = false;
 
 	Conf_Oper_Count = 0;
 	Conf_Channel_Count = 0;
@@ -986,6 +988,11 @@ Handle_GLOBAL( int Line, char *Var, char *Arg )
 #endif
 		return;
 	}
+	if(strcasecmp(Var, "NoPAM") == 0) {
+		/* don't use PAM library to authenticate users */
+		Conf_NoPAM = Check_ArgIsTrue(Arg);
+		return;
+	}
 #ifdef WANT_IPV6
 	/* the default setting for all the WANT_IPV6 special options is 'true' */
 	if( strcasecmp( Var, "ConnectIPv6" ) == 0 ) {
blob - 8e397fafcf437b9531b8e2d70294a018bf39ae16
blob + 74abc1d95010d889ba626f76c836abcc8fc7db14
--- src/ngircd/conf.h
+++ src/ngircd/conf.h
@@ -152,6 +152,9 @@ GLOBAL bool Conf_NoDNS;
 /* Disable IDENT lookups, even when compiled with support for it */
 GLOBAL bool Conf_NoIdent;
 
+/* Disable all usage of PAM, even when compiled with support for it */
+GLOBAL bool Conf_NoPAM;
+
 /*
  * try to connect to remote systems using the ipv6 protocol,
  * if they have an ipv6 address? (default yes)
blob - 10e2df82614469bf7ed58116c6f5c00ea1133418
blob + 078954024a887bf1495ee8a0672e01530c93359f
--- src/ngircd/irc-login.c
+++ src/ngircd/irc-login.c
@@ -787,7 +787,10 @@ Hello_User(CLIENT * Client)
 		/* Sub process */
 		signal(SIGTERM, Proc_GenericSignalHandler);
 		Log_Init_Subprocess("Auth");
-		result = PAM_Authenticate(Client);
+		if (Conf_NoPAM) {
+			result = (Client_Password(Client)[0] == '\0');
+		} else
+			result = PAM_Authenticate(Client);
 		write(pipefd[1], &result, sizeof(result));
 		Log_Exit_Subprocess("Auth");
 		exit(0);