NAME¶
iauth.conf - The Internet Relay Chat Authentication Configuration File
DESCRIPTION¶
The iauth.conf file is read by the iauth program upon startup. It contains the
list of modules that should be used to authenticate a particular connection.
The list is ordered: modules are tried in sequence, and the first module to
successfully authenticate a connection is the last one tried for it.
The file is divided into sections. The first section is used for iauth
options; each subsequent section specifies a module, with optional entries,
using the following format:
module module-name
[TAB]option = string
[TAB]host = host-name
[TAB]ip = ip-address
[TAB]timeout = value
[TAB]port = value
[TAB]reason = string
The section ends with an empty line. The module-name defines which module the
section applies to. A particular module may be used in several sections.
An option string of undefined format may be specified; it is passed verbatim
to the module upon initialization. See the MODULES section to find out whether
a module accepts any option.
If host-name or ip-address entries are specified, the module is only used for
connections matching one of them. An entry prefixed with the character !
indicates a negative match. IP addresses are checked before host names.
If neither a host nor an ip entry is specified, the module is always used.
port is mandatory for the socks and webproxy modules and not used by the
others; it tells the module which port on the client's host to connect to in
order to do its check.
reason is the text sent to clients rejected by the module.
When writing a configuration file, one should
always verify the syntax
using the
iauth program to avoid later problems.
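The selection rules above (sections ended by an empty line, TAB-indented entries, host/ip entries with ! negation, IP addresses checked first, port mandatory for socks and webproxy) are easy to get subtly wrong when writing a file by hand. The following parser is an added example written for this page, not code from the IRC package: it reads a constructed sample in the same format as the EXAMPLE section and answers which module sections apply to a given connection. Two details are assumptions, since the page does not state them: entries are matched as shell-style globs, and within a section the first matching entry decides.

```python
"""Parse the iauth.conf format and apply its host/ip selection rule.  Added
example, not code from the IRC package.  Assumed: entries match as shell-style
globs; the first matching entry of a section decides (ip entries before hosts)."""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample: the EXAMPLE section of this page, plus an iauth options
# section and one ip entry so the "IP addresses are checked first" rule shows.
SAMPLE_CONF = """\
timeout = 20
required

module rfc931

module lhex
\toption = 127.0.0.1

delayed

module socks
\toption = reject,paranoid
\tip = !192.0.2.*
\thost = *.enserb.u-bordeaux.fr
\thost = !*.u-bordeaux.fr
\thost = *.fr
\tport = 1080

module webproxy
\toption = reject
\tport = 8080
"""

@dataclass
class Module:
    name: str
    delayed: bool = False
    option: str = None
    reason: str = None
    timeout: int = None
    port: int = None
    hosts: list = field(default_factory=list)
    ips: list = field(default_factory=list)

@dataclass
class Config:
    timeout: int = 30                   # page: the default is 30 seconds
    modules: list = field(default_factory=list)

def parse(text):
    cfg, delayed = Config(), False
    for block in re.split(r"\n(?:[ \t]*\n)+", text.strip()):   # empty line ends a section
        lines = block.splitlines()
        head = lines[0].split()
        if head[0] != "module":                             # a section of iauth options
            for line in lines:
                key = line.split()[0]
                if key == "timeout":
                    cfg.timeout = int(line.split("=", 1)[1])
                elif key == "delayed":
                    delayed = True                          # applies to every module below
                elif key not in ("required", "notimeout", "extinfo", "shared"):
                    raise ValueError("unknown iauth option: %r" % line)
            continue
        mod = Module(name=head[1], delayed=delayed)
        for line in lines[1:]:
            if not line.startswith("\t"):
                raise ValueError("entry must be TAB-indented: %r" % line)
            key, _, val = line.strip().partition("=")
            key, val = key.strip(), val.strip()
            if key in ("option", "reason"):
                setattr(mod, key, val)
            elif key in ("host", "ip"):
                getattr(mod, key + "s").append(val)
            elif key in ("timeout", "port"):
                setattr(mod, key, int(val))
            else:
                raise ValueError("unknown entry %r in module %s" % (key, mod.name))
        if mod.name in ("socks", "webproxy") and mod.port is None:
            raise ValueError("module %s: port is mandatory" % mod.name)
        if mod.timeout is None:
            mod.timeout = cfg.timeout                       # per-module default
        cfg.modules.append(mod)
    return cfg

def _first_match(patterns, value):       # first matching entry wins; '!' negates
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatchcase(value, pat[1:] if negate else pat):
            return not negate
    return None                          # nothing matched either way

def applies(mod, ip, host):
    """Is this module section used for a connection from ip/host?"""
    if not mod.hosts and not mod.ips:
        return True                      # no host nor ip entry: always used
    verdict = _first_match(mod.ips, ip)  # IP addresses are checked first
    if verdict is None:
        verdict = _first_match(mod.hosts, host)
    return bool(verdict)

def modules_for(cfg, ip, host):
    return [m.name for m in cfg.modules if applies(m, ip, host)]
```

With the sample above, a client at 192.0.2.9 is skipped by the socks section even when its host name matches *.fr, because the negative ip entry is consulted first; a host under *.u-bordeaux.fr other than *.enserb.u-bordeaux.fr is skipped by the negative host entry before *.fr is reached.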
IAUTH OPTIONS¶
- timeout = <seconds>
- This allows one to specify how much time each module has to complete its
work for each connection. This option can also be specified individually
for each module. The default is 30 seconds.
- required
- By specifying this keyword, the IRC server is told not to accept new user
connections unless the authentication is handled by iauth. This
does NOT mean that the server will wait forever to get the data from
iauth, see the notimeout option.
- notimeout
- By specifying this keyword, the IRC server is told not to accept a user
connection if iauth hasn't finished its work in time. Note that
modules specified after delayed keyword are not considered.
- extinfo
- This keyword allows extra information (the user-supplied username and, where
present, password) to be received by iauth from the server. This is only
useful if a module using this information is loaded.
- delayed
- All modules below this keyword run in "delayed" execution mode: ircd
receives a (fake) message that iauth is done with the client, so it lets the
client in. The modules still do their work as usual; when one of them decides
that the client should be removed, a message is sent to ircd and the client is
removed.
- shared <name> <mod_name.so>
- If iauth was compiled with Dynamically Shared Module support, this option
tells it to load <mod_name.so> dynamically; the loaded module can then be
referred to as <name>.
MODULES¶
- pipe
- This module is provided as a replacement for the (now obsolete) R
configuration lines supported by the IRC daemon. It runs an external
program with the client IP and port as arguments. The program should
output either 'Y' (yes, let the client in) or 'N' (no, don't let them
in).
Note that this module is quite expensive as it forks a separate process for
each connection received by the IRC daemon.
This module requires the following option:
prog=/path/to/external/program
- socks
- This module performs a basic check to verify that the host the connection
originated from does not run a SOCKS v4 or v5 proxy server, on the port given
in the configuration, that is open to the world. It is useful to reject
abusive clients using a relay to evade kill lines and bans. Multiple instances
(with different ports) are allowed.
This module understands the following options, given as a comma-separated
option string:
- reject
- Reject connections originating from a host where an open proxy was detected.
- log
- Log hostnames where an open proxy is detected.
- protocol
- Log protocol errors.
- paranoid
- Consider proxies that deny the request because of a userid/ident mismatch to
be OPEN proxies.
- megaparanoid
- paranoid, plus consider all proxies not explicitly stating that they are
closed to be OPEN proxies; that includes all protocol errors, unexpected
results, etc.
- cache[=value]
- Set the cache lifetime in minutes. By default, caching is enabled for 30
minutes. A value of 0 disables caching.
- careful
- Make sure SOCKS v5 is properly configured with IP rulesets. Without this
option, the module does not send an additional query and takes the first
positive answer as valid.
- v4only
- Check only SOCKS v4.
- v5only
- Check only SOCKS v5.
- rfc931
- This module authenticates TCP connections using the protocol defined in
RFC 1413 (which obsoletes RFC 931). It is always loaded, and does not
recognize the host or ip fields.
- lhex
- This module acts as a proxy, communicating with a LHEx server to perform
authentication of client connections. It takes a single (mandatory)
option, which is the IP-address of the LHEx server to use.
- webproxy
- This module performs a basic HTTP CONNECT to verify that the host the
connection originated from does not run an open WWW proxy on the port given
in the configuration. It is useful to reject abusive clients using a relay to
evade kill lines and bans. Multiple instances (with different ports) are
allowed.
This module understands the following options, given as a comma-separated
option string:
- reject
- Reject connections originating from a host where an open proxy was detected.
- log
- Log hostnames where an open proxy is detected.
- cache[=value]
- Set the cache lifetime in minutes. By default, caching is enabled for 30
minutes. A value of 0 disables caching.
- careful
- Make sure that the CONNECT actually reached our own ircd. Without this
option, the module accepts any "HTTP/1.? 200" reply as proof of an open proxy,
except from servers that send a "Date:" header along with it (which is common
with some Apache+PHP configurations).
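The pipe module above defines a small contract for the external program: it is started with the client IP and port as its two arguments and must answer 'Y' or 'N' on standard output. The program below is an added example for this page, not part of the IRC package. Its deny list of networks is constructed for the example (a real deployment would load one from a file), and it fails closed on anything it cannot parse, since a program that crashes instead of answering leaves iauth waiting for the module timeout. It also unwraps IPv4-mapped IPv6 addresses, a representation a dual-stack listener may report; whether iauth itself ever passes such addresses is not stated on this page.

```python
#!/usr/bin/env python3
"""External program for the iauth 'pipe' module.  Added example, not part of
the IRC package.  iauth runs it as  prog <client-ip> <client-port>  and reads
a single 'Y' or 'N' from its stdout.  The deny list is constructed."""
import ipaddress
import sys

# Constructed policy: refuse clients from these (documentation) networks.
DENY_NETS = [ipaddress.ip_network(n) for n in
             ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")]

def decide(ip_text, port_text):
    """Return 'Y' to admit the client, 'N' to reject it.  Fails closed: anything
    unparsable is rejected rather than raised, so iauth always gets an answer."""
    try:
        ip = ipaddress.ip_address(ip_text)
        port = int(port_text)
    except ValueError:
        return "N"
    if not 1 <= port <= 65535:
        return "N"
    # An IPv4 client on a dual-stack listener may be reported as ::ffff:a.b.c.d;
    # compare the embedded IPv4 address, or the deny list is trivially bypassed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in DENY_NETS):
        return "N"
    return "Y"

def main(argv):
    answer = decide(argv[1], argv[2]) if len(argv) == 3 else "N"
    # The page says the program outputs 'Y' or 'N'; whether a trailing newline
    # is tolerated is not stated, so only the single character is written.
    sys.stdout.write(answer)
    sys.stdout.flush()                      # iauth reads a pipe: never leave it buffered
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Configured as `prog=/usr/local/lib/irc/pipe-check.py` (a hypothetical path) in a pipe section, this runs once per connection; keep such a program free of slow lookups, since each one is a fork plus the module timeout in the worst case.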
EXAMPLE¶
The following file causes the IRC daemon to reject connections from hosts
running an open SOCKS proxy on port 1080, for hosts within *.fr and
*.enserb.u-bordeaux.fr but not for other hosts matching *.u-bordeaux.fr. For
all connections, an ident lookup (RFC 1413) is performed, as well as a check
for a WWW proxy on ports 8080 and 3128. In addition, every connection is
authenticated with the LHEx server at IP address 127.0.0.1. Because the proxy
checks are listed after the delayed keyword, a client is let in once the ident
and lhex modules are done; if socks or webproxy then finds an open proxy, the
client is removed as soon as possible.
module rfc931

module lhex
	option = 127.0.0.1

delayed

module socks
	option = reject,paranoid
	host = *.enserb.u-bordeaux.fr
	host = !*.u-bordeaux.fr
	host = *.fr
	port = 1080

module webproxy
	option = reject
	port = 8080

module webproxy
	option = reject,careful
	port = 3128
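The socks and webproxy sections in this example use the reject, paranoid and careful options, and the MODULES section describes in words how each option changes what counts as an open proxy. The block below is an added example for this page, not iauth's code: it builds the two probe requests and classifies constructed replies the way those descriptions say, so the effect of paranoid, megaparanoid and careful can be seen on concrete bytes. The SOCKS4 wire format follows the SOCKS4 specification; the mapping of the options onto particular reply codes, and the banner the careful check looks for, are assumptions about iauth's own logic. The network step (connecting to the client's host on the configured port) is left out so the block runs offline.

```python
"""Classify what the socks and webproxy probes read back.  Added example, not
iauth's code: the option-to-reply-code mapping and the ircd banner token are
assumptions.  Replies below are constructed so the block runs offline."""
import struct
from enum import Enum

class Verdict(Enum):
    OPEN = "open proxy"          # rejected when the reject option is set
    CLOSED = "no open proxy"
    UNKNOWN = "undecided"        # never rejected; worth logging with 'protocol'

# SOCKS4 reply codes (second byte of the 8-byte reply)
GRANTED, REJECTED, NO_IDENTD, IDENT_MISMATCH = 90, 91, 92, 93

def socks4_connect_request(dst_ip, dst_port, userid=b"iauth"):
    """VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL.  The destination is the
    ircd itself: a relay that grants this would connect us straight back."""
    ip = bytes(int(o) for o in dst_ip.split("."))
    return struct.pack("!BBH4s", 4, 1, dst_port, ip) + userid + b"\0"

def classify_socks4(reply, paranoid=False, megaparanoid=False):
    paranoid = paranoid or megaparanoid          # megaparanoid implies paranoid
    if len(reply) != 8 or reply[0] != 0:
        # protocol error: not a SOCKS4 reply at all (or a short read)
        return Verdict.OPEN if megaparanoid else Verdict.UNKNOWN
    cd = reply[1]
    if cd == GRANTED:
        return Verdict.OPEN
    if cd == REJECTED:
        return Verdict.CLOSED                     # the only explicit "closed"
    if cd == IDENT_MISMATCH:
        # the client runs its own identd, so ident-based access control is no
        # real restriction: paranoid counts this as open
        return Verdict.OPEN if paranoid else Verdict.CLOSED
    if cd == NO_IDENTD:
        return Verdict.OPEN if megaparanoid else Verdict.CLOSED
    return Verdict.OPEN if megaparanoid else Verdict.UNKNOWN   # unexpected code

def http_connect_request(dst_host, dst_port):
    return ("CONNECT %s:%d HTTP/1.0\r\n\r\n" % (dst_host, dst_port)).encode()

def classify_http_connect(reply, careful=False, ircd_banner=b"NOTICE AUTH"):
    """Default rule from the page: any "HTTP/1.? 200" status means the relay
    accepted, unless a Date: header accompanies it (a content server answering
    with a page rather than a tunnel).  careful: additionally require that the
    bytes after the headers contain something only our own ircd sends;
    ircd_banner is an assumed placeholder for that token."""
    head, _, body = reply.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0]
    if not (status.startswith(b"HTTP/1.") and status[9:12] == b"200"):
        return Verdict.CLOSED
    if any(h.lower().startswith(b"date:") for h in lines[1:]):
        return Verdict.CLOSED
    if careful and ircd_banner not in body:
        return Verdict.UNKNOWN                    # a 200, but not our ircd behind it
    return Verdict.OPEN

def decision(verdict, reject):
    """With the reject option an OPEN verdict removes the client; otherwise the
    modules only log."""
    return "reject" if reject and verdict is Verdict.OPEN else "accept"

# Constructed replies standing in for what the probes would read back.
SAMPLE_SOCKS4 = {
    "granted": bytes([0, GRANTED, 0, 0, 0, 0, 0, 0]),
    "refused": bytes([0, REJECTED, 0, 0, 0, 0, 0, 0]),
    "ident mismatch": bytes([0, IDENT_MISMATCH, 0, 0, 0, 0, 0, 0]),
    "not socks": b"SSH-2.0-OpenSSH_8.9\r\n",
}
SAMPLE_HTTP = {
    "tunnel": b"HTTP/1.0 200 Connection established\r\n\r\n"
              b":irc.example.net NOTICE AUTH :*** Looking up your hostname...\r\n",
    "web page": b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
                b"Content-Type: text/html\r\n\r\n<html>",
    "bare 200": b"HTTP/1.1 200 OK\r\nServer: something\r\n\r\nhello",
    "refused": b"HTTP/1.0 403 Forbidden\r\n\r\n",
}

if __name__ == "__main__":
    for name, r in SAMPLE_SOCKS4.items():
        print("socks4 %-15s default=%s paranoid=%s megaparanoid=%s" % (
            name, classify_socks4(r).name, classify_socks4(r, paranoid=True).name,
            classify_socks4(r, megaparanoid=True).name))
    for name, r in SAMPLE_HTTP.items():
        print("http   %-15s default=%s careful=%s" % (
            name, classify_http_connect(r).name,
            classify_http_connect(r, careful=True).name))
```

The "bare 200" case is why the example configures careful on port 3128: a server that answers 200 to anything, without a Date: header, would otherwise be treated as an open relay and the client rejected; with careful, the absence of our ircd's greeting behind the tunnel leaves the verdict undecided and the client is kept.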
CAVEATS¶
When the option
extinfo is set, connections registering as a server or a
service with the IRC server are not guaranteed to receive the "user"
authentication provided by modules (such as the rfc931 module).
COPYRIGHT¶
(c) 1998,1999 Christophe Kalt
For full COPYRIGHT see LICENSE file with IRC package.
FILES¶
"iauth.conf"
SEE ALSO¶
iauth(8)
AUTHOR¶
Christophe Kalt.