ngircd

Free, portable and lightweight Internet Relay Chat server http://ngircd.barton.de/
Log | Files | Refs | README | LICENSE

commit af9161a9bc32817c44fe6f743b402d554e60ddf2
parent abf280d5bd5648817135c487a19941b2ef4b0701
Author: Alexander Barton <alex@barton.de>
Date:   Fri, 28 Feb 2014 22:26:41 +0100

Merge pull request #6 from norrs/pam_server_password_fix

Validate server password when PAM is disabled.
Diffstat:
Msrc/ngircd/conf.c | 7+++----
Msrc/ngircd/login.c | 51++++++++++++++++++++++++++-------------------------
2 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c @@ -370,9 +370,8 @@ Conf_Test( void ) ? (const char*) array_start(&Conf_Motd) : ""); } printf(" Network = %s\n", Conf_Network); -#ifndef PAM - printf(" Password = %s\n", Conf_ServerPwd); -#endif + if (!Conf_PAM) + printf(" Password = %s\n", Conf_ServerPwd); printf(" PidFile = %s\n", Conf_PidFile); printf(" Ports = "); ports_puts(&Conf_ListenPorts); @@ -2259,7 +2258,7 @@ Validate_Config(bool Configtest, bool Rehash) } #ifdef PAM - if (Conf_ServerPwd[0]) + if (Conf_PAM && Conf_ServerPwd[0]) Config_Error(LOG_ERR, "This server uses PAM, \"Password\" in [Global] section will be ignored!"); #endif diff --git a/src/ngircd/login.c b/src/ngircd/login.c @@ -91,13 +91,12 @@ Login_User(CLIENT * Client) #ifdef PAM if (!Conf_PAM) { - /* Don't do any PAM authentication at all, instead emulate - * the behavior of the daemon compiled without PAM support: - * because there can't be any "server password", all - * passwords supplied are classified as "wrong". */ - if(Conn_Password(conn)[0] == '\0') + /* Don't do any PAM authentication at all if PAM is not + * enabled, instead emulate the behavior of the daemon + * compiled without PAM support. */ + if (strcmp(Conn_Password(conn), Conf_ServerPwd) == 0) return Login_User_PostAuth(Client); - Client_Reject(Client, "Non-empty password", false); + Client_Reject(Client, "Bad server password", false); return DISCONNECTED; } @@ -111,25 +110,27 @@ Login_User(CLIENT * Client) return Login_User_PostAuth(Client); } - /* Fork child process for PAM authentication; and make sure that the - * process timeout is set higher than the login timeout! */ - pid = Proc_Fork(Conn_GetProcStat(conn), pipefd, - cb_Read_Auth_Result, Conf_PongTimeout + 1); - if (pid > 0) { - LogDebug("Authenticator for connection %d created (PID %d).", - conn, pid); - return CONNECTED; - } else { - /* Sub process */ - Log_Init_Subprocess("Auth"); - Conn_CloseAllSockets(NONE); - result = PAM_Authenticate(Client); - if (write(pipefd[1], &result, sizeof(result)) != sizeof(result)) - Log_Subprocess(LOG_ERR, - "Failed to pipe result to parent!"); - Log_Exit_Subprocess("Auth"); - exit(0); - } + if (Conf_PAM) { + /* Fork child process for PAM authentication; and make sure that the + * process timeout is set higher than the login timeout! */ + pid = Proc_Fork(Conn_GetProcStat(conn), pipefd, + cb_Read_Auth_Result, Conf_PongTimeout + 1); + if (pid > 0) { + LogDebug("Authenticator for connection %d created (PID %d).", + conn, pid); + return CONNECTED; + } else { + /* Sub process */ + Log_Init_Subprocess("Auth"); + Conn_CloseAllSockets(NONE); + result = PAM_Authenticate(Client); + if (write(pipefd[1], &result, sizeof(result)) != sizeof(result)) + Log_Subprocess(LOG_ERR, + "Failed to pipe result to parent!"); + Log_Exit_Subprocess("Auth"); + exit(0); + } + } else return CONNECTED; #else /* Check global server password ... */ if (strcmp(Conn_Password(conn), Conf_ServerPwd) != 0) {