Provided by: ircd-irc2_2.11.2p2+dfsg-2_amd64 bug

NAME

       iauth.conf - The Internet Relay Chat Authentication Configuration File

DESCRIPTION

       The  iauth.conf  file  is  read by the iauth program upon startup, it contains the list of
       modules that should be used to authenticate a particular connection.  The list is ordered,
       which  means  that  the first module to successfully authenticate a connection will be the
       last to be tried.

       The file is divided in sections, the  first  section  is  used  for  iauth  options,  each
       subsequent section specifies a module with eventual options using the following format:

              module module-name
              [TAB]option = string
              [TAB]host = host-name
              [TAB]ip = ip-address
              [TAB]timeout = value
              [TAB]port = value
              [TAB]reason = string

       The  section  ends  with  an empty line.  The module-name defines which module the section
       applies to.  A particular module may be used in several sections.   An  option  string  of
       undefined   format  may  be  specified,  it  will  then  be  passed  to  the  module  upon
       initialization, see the MODULES section to find out if a module accepts any option.

       If host-name and ip-address fields are specified, then the module will only  be  used  for
       connections matching one of the fields given in the configuration.  An entry prefixed with
       the character ! indicates a negative match.  IP addresses are checked first.

       Port is mandatory for socks and webproxy modules and not used in others.  It tells  module
       what port it should connect to to do its work.

       If no host nor ip entry is specified, then the module will always be used.

       Reason is text to send to clients rejected by given module.

       When  writing  a  configuration  file, one should always verify the syntax using the iauth
       program to avoid later problems.

IAUTH OPTIONS

       timeout = <seconds>
              This allows to specify how much time each module has to complete its work for  each
              connection.   This  option can also be specified individually for each module.  The
              default is 30 seconds.

       required
              By specifying this keyword,  the  IRC  server  is  told  not  to  accept  new  user
              connections unless the authentication is handled by iauth.  This does NOT mean that
              the server will wait forever to get the data from iauth, see the notimeout option.

       notimeout
              By specifying this keyword, the IRC server is told not to accept a user  connection
              if  iauth  hasn't  finished  its  work  in  time. Note that modules specified after
              delayed keyword are not considered.

       extinfo
              This keyword allows extra  information  (user  supplied  username,  and  eventually
              password) to be received by iauth from the server.  This is only useful if a module
              using this information is loaded.

       delayed
              All modules below this keyword will run in "delayed"  execution  mode.  This  means
              that ircd gets (fake) message that iauth is done with this client so that it allows
              it. Modules however do work as usual and upon deciding that this client  should  be
              removed, message is sent to ircd and client removed.

       shared <name> <mod_name.so>
              If  iauth  was  compiled  with Dynamically Shared Module support, it can be told to
              dynamically load a module using this option.  The module can then be loaded.

MODULES

       pipe   This module is provided as a replacement to  the  (now  obsolete)  R  configuration
              lines  supported by the IRC daemon.  It runs an external program with the client IP
              and port as arguments.  The program should output either 'Y' (Yes, let  the  client
              in), or 'N' (No, don't let them in).

              Note  that  this  module is quite expensive as it forks a separate process for each
              connection received by the IRC daemon.

              This module requires the following option: prog=/path/to/external/program

       socks  This module performs a basic check to verify that the  host  where  the  connection
              originated  from  doesn't  run  a  SOCKS  v4  or  v5  proxy  server  on  a given in
              configuration port that is open to the world.   It  is  useful  to  reject  abusive
              clients  using  a  relay  to  evade  kill lines and bans.  Multiple instances (with
              different ports) are allowed.

              This module understands ten options: reject to reject connections originating  from
              a  host  where an open proxy was detected, log to log hostnames where an open proxy
              is detected.  protocol to log protocol errors paranoid to  consider  proxies  which
              deny   the  request  because  of  a  userid/ident  mismatch  to  be  OPEN  proxies.
              megaparanoid which is paranoid plus it considers all proxies not explicitly stating
              they are closed to be OPEN proxies -- that includes all protocol errors, unexpected
              results etc.  cache[=value] to set the cache  lifetime  in  minutes.   By  default,
              caching is enabled for 30 minutes.  A value of 0 disables caching.  careful to make
              sure socks v5 is properly configured with IP  rulesets.   Without  this  parameter,
              module  will  not  send additional query and assume first positive answer as valid.
              v4only to check only socks v4.  v5only to check only socks v5.

       rfc931 This module is for authentication TCP connections using the protocol defined in RFC
              1413  (which  obsoletes  RFC 931).  It is always loaded, and does not recognize the
              host nor ip fields.

       lhex   This module  acts  as  a  proxy,  communicating  with  a  LHEx  server  to  perform
              authentication  of client connections.  It takes a single (mandatory) option, which
              is the IP-address of the LHEx server to use.

       webproxy
              This module performs a basic HTTP  CONNECT  to  verify  that  the  host  where  the
              connection  originated  from doesn't run an open WWW proxy.  It is useful to reject
              abusive clients using a relay to evade kill lines  and  bans.   Multiple  instances
              (with different ports) are allowed.

              This module understands five options: reject to reject connections originating from
              a host where an open proxy was detected.  log to log hostnames where an open  proxy
              is  detected.   cache[=value]  to  set  the cache lifetime in minutes.  By default,
              caching is enabled for 30 minutes.  A value of 0 disables caching.  careful to make
              sure  that we connected to our own ircd; without this parameter, module will accept
              any "HTTP/1.? 200" with an exception of servers sending "Date:" header along (which
              is common with some Apache+PHP configurations).

EXAMPLE

       The  following file will cause the IRC daemon to reject all connections originating from a
       system where an open proxy is running for hosts within *.fr and *.enserb.u-bordeaux.fr but
       not  for  other hosts matching *.u-bordeaux.fr.  For all connections, an ident lookup (RFC
       1413) will be performed as well as checking for WWW proxy  on  port  8080  and  3128.   In
       addition,  every connection is authenticated with the LHEx server at IP-address 127.0.0.1.
       Client will be let in after ident and lhex are done but if socks or webproxy finds an open
       proxy, client will be removed asap.

              module rfc931

              module lhex
                      option = 127.0.0.1

              delayed

              module socks
                      option = reject,paranoid
                      host = *.enserb.u-bordeaux.fr
                      host = !*.u-bordeaux.fr
                      host = *.fr
                      port = 1080

              module webproxy
                      option = reject
                      port = 8080

              module webproxy
                      option = reject,careful
                      port = 3128

CAVEATS

       When  the option extinfo is set, connections registering as a server or a service with the
       IRC server are not guaranteed to receive the "user"  authentication  provided  by  modules
       (such as the rfc931 module).

COPYRIGHT

       (c) 1998,1999 Christophe Kalt

       For full COPYRIGHT see LICENSE file with IRC package.

FILES

       "iauth.conf"

SEE ALSO

       iauth(8)

AUTHOR

       Christophe Kalt.

                                   $Date: 2004/12/16 16:14:06 $                     IAUTH.CONF(5)