mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-07-08 08:43:13 +02:00
Add optional allow::options::reject-on-auth-failure, as requested
by armyn in https://bugs.unrealircd.org/view.php?id=5769. The default behavior in 5.x is to continue matching: allow { ip *@*; class clients; maxperip 2; } allow { ip *@*; password "iwantmore"; class clients; maxperip 10; } This so users who provide a password get additional rights, such as a higher maxperip or a different class, etc. If the user connects without a password then we simply continue to the next block and use the general block with only 2 maxperip. However, some people want to use passwords to keep other users out. That is entirely understandable as it is an 'allow block' after all. For example: allow { ip *@*; class clients; maxperip 2; } allow { ip *@*.nl; password "tehdutch"; class clients; maxperip 2; options { reject-on-auth-failure; } } In this case anyone without the correct password will be rejected access.
This commit is contained in:
@@ -1379,6 +1379,7 @@ struct ConfigFlag_allow {
|
||||
unsigned noident :1;
|
||||
unsigned useip :1;
|
||||
unsigned tls :1;
|
||||
unsigned reject_on_auth_failure :1;
|
||||
};
|
||||
|
||||
struct ConfigItem_allow {
|
||||
|
||||
@@ -5350,6 +5350,8 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce)
|
||||
allow->flags.useip = 1;
|
||||
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
|
||||
allow->flags.tls = 1;
|
||||
else if (!strcmp(cepp->ce_varname, "reject-on-auth-failure"))
|
||||
allow->flags.reject_on_auth_failure = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -5545,6 +5547,8 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
|
||||
{}
|
||||
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
|
||||
{}
|
||||
else if (!strcmp(cepp->ce_varname, "reject-on-auth-failure"))
|
||||
{}
|
||||
else if (!strcmp(cepp->ce_varname, "sasl"))
|
||||
{
|
||||
config_error("%s:%d: The option allow::options::sasl no longer exists. "
|
||||
|
||||
+15
-11
@@ -1316,12 +1316,9 @@ int AllowClient(Client *client, char *username)
|
||||
|
||||
for (aconf = conf_allow; aconf; aconf = aconf->next)
|
||||
{
|
||||
if (!aconf->hostname || !aconf->ip)
|
||||
goto attach;
|
||||
if (aconf->auth && !client->local->passwd && !moddata_client_get(client, "certfp"))
|
||||
continue;
|
||||
if (aconf->flags.tls && !IsSecure(client))
|
||||
continue;
|
||||
|
||||
if (hp && hp->h_name)
|
||||
{
|
||||
hname = hp->h_name;
|
||||
@@ -1376,8 +1373,21 @@ int AllowClient(Client *client, char *username)
|
||||
goto attach;
|
||||
}
|
||||
|
||||
continue;
|
||||
continue; /* No match */
|
||||
attach:
|
||||
/* Check authentication */
|
||||
if (aconf->auth && !Auth_Check(client, aconf->auth, client->local->passwd))
|
||||
{
|
||||
/* Incorrect password/authentication - but was is it required? */
|
||||
if (aconf->flags.reject_on_auth_failure)
|
||||
{
|
||||
exit_client(client, NULL, iConf.reject_message_unauthorized);
|
||||
return 0;
|
||||
} else {
|
||||
continue; /* Continue (this is the default behavior) */
|
||||
}
|
||||
}
|
||||
|
||||
if (!aconf->flags.noident)
|
||||
SetUseIdent(client);
|
||||
if (!aconf->flags.useip && hp)
|
||||
@@ -1393,12 +1403,6 @@ int AllowClient(Client *client, char *username)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (aconf->auth && !Auth_Check(client, aconf->auth, client->local->passwd))
|
||||
{
|
||||
/* Always continue if password was wrong. */
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!((aconf->class->clients + 1) > aconf->class->maxclients))
|
||||
{
|
||||
client->local->class = aconf->class;
|
||||
|
||||
Reference in New Issue
Block a user