Provided by: ircd-irc2_2.11.2p3~dfsg-5_amd64

NAME

       iauth.conf - The Internet Relay Chat Authentication Configuration File

DESCRIPTION

       The iauth.conf file is read by the iauth program upon startup.  It contains the list of modules that
       should be used to authenticate a particular connection.  The list is ordered: modules are tried in the
       order listed, and the first module to successfully authenticate a connection is the last one tried.

       The file is divided into sections.  The first section is used for iauth options; each subsequent section
       specifies a module and its optional settings using the following format:

              module module-name
              [TAB]option = string
              [TAB]host = host-name
              [TAB]ip = ip-address
              [TAB]timeout = value
              [TAB]port = value
              [TAB]reason = string

       The section ends with an empty line.  The module-name defines which module the section applies to.  A
       particular module may be used in several sections.  An option string of undefined format may be
       specified; it is then passed to the module upon initialization.  See the MODULES section to find out
       whether a module accepts any option.

       If  host-name  and  ip-address  fields  are  specified, then the module will only be used for connections
       matching one of the fields given in the configuration.  An entry prefixed with the character !  indicates
       a negative match.  IP addresses are checked first.

       Port is mandatory for the socks and webproxy modules and is not used by the others.  It tells the module
       which port to connect to in order to do its work.

       If neither a host nor an ip entry is specified, then the module will always be used.

       Reason is the text sent to clients rejected by the given module.

       When writing a configuration file, one should always verify the syntax using the iauth program  to  avoid
       later problems.

IAUTH OPTIONS

       timeout = <seconds>
              This allows one to specify how much time each module has to complete its work for each connection.
              This option can also be specified individually for each module. The default is 30 seconds.

       required
              By specifying this keyword, the IRC server is told not to accept new user connections  unless  the
              authentication  is  handled by iauth.  This does NOT mean that the server will wait forever to get
              the data from iauth, see the notimeout option.

       notimeout
              By specifying this keyword, the IRC server is told not to accept a user connection if iauth hasn't
              finished its work in time.  Note that modules specified after the delayed keyword are not
              considered.

       extinfo
              This keyword allows extra information (the user-supplied username and, possibly, password) to be
              received by iauth from the server.  This is only useful if a module using this information is
              loaded.

       delayed
              All modules below this keyword run in "delayed" execution mode.  This means that ircd gets a
              (fake) message that iauth is done with this client, so that ircd lets the client in.  The modules
              nevertheless do their work as usual; if one of them decides that the client should be removed, a
              message is sent to ircd and the client is removed.

       shared <name> <mod_name.so>
              If iauth was compiled with Dynamically Shared Module support, it can be told to dynamically load a
              module using this option.  The module can then be loaded.

MODULES

       pipe   This  module is provided as a replacement to the (now obsolete) R configuration lines supported by
              the IRC daemon.  It runs an external program with the  client  IP  and  port  as  arguments.   The
              program should output either 'Y' (Yes, let the client in), or 'N' (No, don't let them in).

              Note  that  this  module  is  quite  expensive  as it forks a separate process for each connection
              received by the IRC daemon.

              This module requires the following option: prog=/path/to/external/program

       socks  This module performs a basic check to verify that the host where the connection originated from
              doesn't run a SOCKS v4 or v5 proxy server that is open to the world on the port given in the
              configuration.  It is useful to reject abusive clients using a relay to evade kill lines and bans.
              Multiple instances (with different ports) are allowed.

              This module understands ten options:

              reject  to reject connections originating from a host where an open proxy was detected.
              log  to log hostnames where an open proxy is detected.
              protocol  to log protocol errors.
              paranoid  to consider proxies which deny the request because of a userid/ident mismatch to be
                  OPEN proxies.
              megaparanoid  which is paranoid plus it considers all proxies not explicitly stating they are
                  closed to be OPEN proxies; that includes all protocol errors, unexpected results etc.
              cache[=value]  to set the cache lifetime in minutes.  By default, caching is enabled for 30
                  minutes.  A value of 0 disables caching.
              careful  to make sure socks v5 is properly configured with IP rulesets.  Without this parameter,
                  the module does not send an additional query and assumes the first positive answer is valid.
              v4only  to check only socks v4.
              v5only  to check only socks v5.

       rfc931 This module is for authenticating TCP connections using the protocol defined in RFC 1413 (which
              obsoletes RFC 931).  It is always loaded, and recognizes neither the host nor the ip fields.

       lhex   This  module acts as a proxy, communicating with a LHEx server to perform authentication of client
              connections.  It takes a single (mandatory) option, which is the IP-address of the LHEx server  to
              use.

       webproxy
              This  module performs a basic HTTP CONNECT to verify that the host where the connection originated
              from doesn't run an open WWW proxy.  It is useful to reject abusive clients using a relay to evade
              kill lines and bans.  Multiple instances (with different ports) are allowed.

              This module understands five options:

              reject  to reject connections originating from a host where an open proxy was detected.
              log  to log hostnames where an open proxy is detected.
              cache[=value]  to set the cache lifetime in minutes.  By default, caching is enabled for 30
                  minutes.  A value of 0 disables caching.
              careful  to make sure that we connected to our own ircd.  Without this parameter, the module
                  accepts any "HTTP/1.? 200", with the exception of servers that also send a "Date:" header
                  (which is common with some Apache+PHP configurations).

EXAMPLE

       The following file will cause the IRC daemon to reject all connections originating from a system where an
       open proxy is running for hosts within *.fr and *.enserb.u-bordeaux.fr but not for other hosts matching
       *.u-bordeaux.fr.  For all connections, an ident lookup (RFC 1413) will be performed, as well as a check
       for a WWW proxy on ports 8080 and 3128.  In addition, every connection is authenticated with the LHEx
       server at IP-address 127.0.0.1.  The client is let in once ident and lhex are done, but if socks or
       webproxy finds an open proxy, the client is removed as soon as possible.

              module rfc931

              module lhex
                      option = 127.0.0.1

              delayed

              module socks
                      option = reject,paranoid
                      host = *.enserb.u-bordeaux.fr
                      host = !*.u-bordeaux.fr
                      host = *.fr
                      port = 1080

              module webproxy
                      option = reject
                      port = 8080

              module webproxy
                      option = reject,careful
                      port = 3128
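
       A small linter for rules this page states (port mandatory for socks and webproxy, the documented option
       names, modules after delayed not covered by notimeout), as an added example that is not part of the ircd
       package. The section parsing is a simplified assumption, SAMPLE is constructed, and the syntax check
       with the iauth program is still needed.

```python
PROXY_MODULES = {"socks", "webproxy"}  # port is mandatory for these modules
KNOWN_OPTIONS = {  # option names listed in the MODULES section
    "socks": {"reject", "log", "protocol", "paranoid", "megaparanoid",
              "cache", "careful", "v4only", "v5only"},
    "webproxy": {"reject", "log", "cache", "careful"},
}

def parse(text):
    """Split the file into keywords and sections (simplified; not iauth's parser)."""
    keywords, sections, cur, delayed = set(), [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # an empty line ends the current section
            cur = None
        elif line.startswith("module "):
            cur = {"module": line.split()[1], "delayed": delayed, "fields": []}
            sections.append(cur)
        elif cur is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            cur["fields"].append((key, value))
        else:  # global option or keyword (timeout, required, delayed, ...)
            word = (line.replace("=", " ").split() or [""])[0]
            keywords.add(word)
            delayed = delayed or word == "delayed"
    return keywords, sections

def lint(text):
    keywords, sections = parse(text)
    findings = []
    for n, sec in enumerate(sections, 1):
        name, where = sec["module"], f"section {n} ({sec['module']})"
        proxy = name in PROXY_MODULES
        has_port = any(k == "port" for k, _ in sec["fields"])
        opts = {o.split("=")[0].strip() for k, v in sec["fields"]
                if k == "option" for o in v.split(",") if o.strip()}
        if sec["delayed"] and "notimeout" in keywords:
            findings.append(f"{where}: after 'delayed', not covered by notimeout")
        if proxy != has_port:
            findings.append(f"{where}: port is "
                            + ("mandatory" if proxy else "not used by this module"))
        if proxy and "reject" not in opts:
            findings.append(f"{where}: 'reject' is not set")
        for o in sorted(opts - KNOWN_OPTIONS.get(name, opts)):
            findings.append(f"{where}: option '{o}' is not documented")
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = "notimeout\n\nmodule rfc931\n\ndelayed\n\nmodule socks\n\toption = log,paranod\n"
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```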

CAVEATS

       When  the option extinfo is set, connections registering as a server or a service with the IRC server are
       not guaranteed to receive the "user" authentication provided by modules (such as the rfc931 module).

       (c) 1998,1999 Christophe Kalt

       For full COPYRIGHT see LICENSE file with IRC package.

FILES

       "iauth.conf"

SEE ALSO

       iauth(8)

AUTHOR

       Christophe Kalt.

                                          $Date: 2004/12/16 16:14:06 $                             IAUTH.CONF(5)