diff --git a/include/struct.h b/include/struct.h index 101acfdd4..c9a0f8374 100644 --- a/include/struct.h +++ b/include/struct.h @@ -1379,6 +1379,7 @@ struct ConfigFlag_allow { unsigned noident :1; unsigned useip :1; unsigned tls :1; + unsigned reject_on_auth_failure :1; }; struct ConfigItem_allow { diff --git a/src/conf.c b/src/conf.c index 2b7e59398..4eb051f41 100644 --- a/src/conf.c +++ b/src/conf.c @@ -5350,6 +5350,8 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce) allow->flags.useip = 1; else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls")) allow->flags.tls = 1; + else if (!strcmp(cepp->ce_varname, "reject-on-auth-failure")) + allow->flags.reject_on_auth_failure = 1; } } } @@ -5545,6 +5547,8 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce) {} else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls")) {} + else if (!strcmp(cepp->ce_varname, "reject-on-auth-failure")) + {} else if (!strcmp(cepp->ce_varname, "sasl")) { config_error("%s:%d: The option allow::options::sasl no longer exists. " diff --git a/src/modules/nick.c b/src/modules/nick.c index a39c49ca5..2feaf1bf9 100644 --- a/src/modules/nick.c +++ b/src/modules/nick.c @@ -1316,12 +1316,9 @@ int AllowClient(Client *client, char *username) for (aconf = conf_allow; aconf; aconf = aconf->next) { - if (!aconf->hostname || !aconf->ip) - goto attach; - if (aconf->auth && !client->local->passwd && !moddata_client_get(client, "certfp")) - continue; if (aconf->flags.tls && !IsSecure(client)) continue; + if (hp && hp->h_name) { hname = hp->h_name; @@ -1376,8 +1373,21 @@ int AllowClient(Client *client, char *username) goto attach; } - continue; + continue; /* No match */ attach: + /* Check authentication */ + if (aconf->auth && !Auth_Check(client, aconf->auth, client->local->passwd)) + { + /* Incorrect password/authentication - but was is it required? */ + if (aconf->flags.reject_on_auth_failure) + { + exit_client(client, NULL, iConf.reject_message_unauthorized); + return 0; + } else { + continue; /* Continue (this is the default behavior) */ + } + } + if (!aconf->flags.noident) SetUseIdent(client); if (!aconf->flags.useip && hp) @@ -1393,12 +1403,6 @@ int AllowClient(Client *client, char *username) return 0; } - if (aconf->auth && !Auth_Check(client, aconf->auth, client->local->passwd)) - { - /* Always continue if password was wrong. */ - continue; - } - if (!((aconf->class->clients + 1) > aconf->class->maxclients)) { client->local->class = aconf->class;