1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-08 08:43:13 +02:00

Add optional allow::options::reject-on-auth-failure, as requested

by armyn in https://bugs.unrealircd.org/view.php?id=5769.

The default behavior in 5.x is to continue matching:
allow { ip *@*; class clients; maxperip 2; }
allow { ip *@*; password "iwantmore"; class clients; maxperip 10; }
This so users who provide a password get additional rights,
such as a higher maxperip or a different class, etc.
If the user connects without a password then we simply continue
to the next block and use the general block with only 2 maxperip.

However, some people want to use passwords to keep other users out.
That is entirely understandable as it is an 'allow block' after all.
For example:
allow { ip *@*; class clients; maxperip 2; }
allow { ip *@*.nl; password "tehdutch"; class clients; maxperip 2; options { reject-on-auth-failure; } }
In this case anyone without the correct password will be rejected access.
This commit is contained in:
Bram Matthys
2020-10-11 09:10:21 +02:00
parent 00fa88daee
commit 8619d1e763
3 changed files with 20 additions and 11 deletions
+1
View File
@@ -1379,6 +1379,7 @@ struct ConfigFlag_allow {
unsigned noident :1;
unsigned useip :1;
unsigned tls :1;
unsigned reject_on_auth_failure :1;
};
struct ConfigItem_allow {
+4
View File
@@ -5350,6 +5350,8 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce)
allow->flags.useip = 1;
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
allow->flags.tls = 1;
else if (!strcmp(cepp->ce_varname, "reject-on-auth-failure"))
allow->flags.reject_on_auth_failure = 1;
}
}
}
@@ -5545,6 +5547,8 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
{}
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
{}
else if (!strcmp(cepp->ce_varname, "reject-on-auth-failure"))
{}
else if (!strcmp(cepp->ce_varname, "sasl"))
{
config_error("%s:%d: The option allow::options::sasl no longer exists. "
+15 -11
View File
@@ -1316,12 +1316,9 @@ int AllowClient(Client *client, char *username)
for (aconf = conf_allow; aconf; aconf = aconf->next)
{
if (!aconf->hostname || !aconf->ip)
goto attach;
if (aconf->auth && !client->local->passwd && !moddata_client_get(client, "certfp"))
continue;
if (aconf->flags.tls && !IsSecure(client))
continue;
if (hp && hp->h_name)
{
hname = hp->h_name;
@@ -1376,8 +1373,21 @@ int AllowClient(Client *client, char *username)
goto attach;
}
continue;
continue; /* No match */
attach:
/* Check authentication */
if (aconf->auth && !Auth_Check(client, aconf->auth, client->local->passwd))
{
/* Incorrect password/authentication - but was is it required? */
if (aconf->flags.reject_on_auth_failure)
{
exit_client(client, NULL, iConf.reject_message_unauthorized);
return 0;
} else {
continue; /* Continue (this is the default behavior) */
}
}
if (!aconf->flags.noident)
SetUseIdent(client);
if (!aconf->flags.useip && hp)
@@ -1393,12 +1403,6 @@ int AllowClient(Client *client, char *username)
return 0;
}
if (aconf->auth && !Auth_Check(client, aconf->auth, client->local->passwd))
{
/* Always continue if password was wrong. */
continue;
}
if (!((aconf->class->clients + 1) > aconf->class->maxclients))
{
client->local->class = aconf->class;