NAME
iauth.conf - The Internet Relay Chat Authentication Configuration File
DESCRIPTION
The iauth.conf file is read by the iauth program upon startup. It
contains the list of modules that should be used to authenticate a
particular connection. The list is ordered: the first module to
successfully authenticate a connection is the last one tried.
The file is divided into sections. The first section holds iauth
options; each subsequent section specifies a module, with optional
settings, using the following format:
module module-name
[TAB]option = string
[TAB]host = host-name
[TAB]ip = ip-address
[TAB]timeout = value
[TAB]port = value
[TAB]reason = string
The section ends with an empty line. The module-name defines which
module the section applies to. A particular module may be used in
several sections. An option string of undefined format may be
specified; it is then passed to the module upon initialization. See
the MODULES section to find out whether a module accepts any option.
If host-name and ip-address fields are specified, the module is only
used for connections matching one of the fields given in the
configuration. An entry prefixed with the character ! indicates a
negative match. IP addresses are checked first.
Port is mandatory for the socks and webproxy modules and not used by
others. It tells the module which port it should connect to in order
to do its work.
If neither a host nor an ip entry is specified, the module is always
used.
Reason is the text sent to clients rejected by the given module.
When writing a configuration file, always verify the syntax using the
iauth program to avoid later problems.
IAUTH OPTIONS
timeout = <seconds>
This specifies how much time each module has to complete its work
for each connection. This option can also be specified individually
for each module. The default is 30 seconds.
required
By specifying this keyword, the IRC server is told not to accept
new user connections unless the authentication is handled by
iauth. This does NOT mean that the server will wait forever to
get the data from iauth, see the notimeout option.
notimeout
By specifying this keyword, the IRC server is told not to accept
a user connection if iauth hasn't finished its work in time.
Note that modules specified after the delayed keyword are not
considered.
extinfo
This keyword allows extra information (the user-supplied username
and, where present, a password) to be received by iauth from the
server. This is only useful if a module using this information is
loaded.
delayed
All modules below this keyword run in "delayed" execution mode.
This means that ircd receives a (fake) message that iauth is done
with this client, so that it lets the client in. The modules
nevertheless do their work as usual, and when one decides that the
client should be removed, a message is sent to ircd and the client
is removed.
shared <name> <mod_name.so>
If iauth was compiled with Dynamically Shared Module support, this
option tells it to dynamically load a module. The module can then
be used.
MODULES
pipe This module is provided as a replacement for the (now obsolete) R
configuration lines supported by the IRC daemon. It runs an
external program with the client IP and port as arguments. The
program should output either 'Y' (Yes, let the client in) or
'N' (No, don't let them in).
Note that this module is quite expensive as it forks a separate
process for each connection received by the IRC daemon.
This module requires the following option:
prog=/path/to/external/program
socks This module performs a basic check to verify that the host where
the connection originated from doesn't run a SOCKS v4 or v5
proxy server, open to the world, on the port given in the
configuration. It is useful to reject abusive clients using a
relay to evade kill lines and bans. Multiple instances (with
different ports) are allowed.
This module understands ten options:
reject to reject connections originating from a host where an
open proxy was detected.
log to log hostnames where an open proxy is detected.
protocol to log protocol errors.
paranoid to consider proxies which deny the request because of a
userid/ident mismatch to be OPEN proxies.
megaparanoid which is paranoid plus considering all proxies not
explicitly stating they are closed to be OPEN proxies -- that
includes all protocol errors, unexpected results etc.
cache[=value] to set the cache lifetime in minutes. By default,
caching is enabled for 30 minutes. A value of 0 disables caching.
careful to make sure SOCKS v5 is properly configured with IP
rulesets. Without this parameter, the module will not send an
additional query and will assume the first positive answer is
valid.
v4only to check only SOCKS v4.
v5only to check only SOCKS v5.
rfc931 This module is for authenticating TCP connections using the
protocol defined in RFC 1413 (which obsoletes RFC 931). It is
always loaded, and does not recognize the host or ip fields.
lhex This module acts as a proxy, communicating with a LHEx server to
perform authentication of client connections. It takes a single
(mandatory) option, which is the IP-address of the LHEx server
to use.
webproxy
This module performs a basic HTTP CONNECT to verify that the
host where the connection originated from doesn't run an open
WWW proxy. It is useful to reject abusive clients using a relay
to evade kill lines and bans. Multiple instances (with
different ports) are allowed.
This module understands five options:
reject to reject connections originating from a host where an
open proxy was detected.
log to log hostnames where an open proxy is detected.
cache[=value] to set the cache lifetime in minutes. By default,
caching is enabled for 30 minutes. A value of 0 disables caching.
careful to make sure that we connected to our own ircd; without
this parameter, the module will accept any "HTTP/1.? 200" reply,
with the exception of servers sending a "Date:" header along with
it (which is common with some Apache+PHP configurations).
EXAMPLE
The following file will cause the IRC daemon to reject all connections
originating from a system where an open proxy is running, for hosts
within *.fr and *.enserb.u-bordeaux.fr but not for other hosts matching
*.u-bordeaux.fr. For all connections, an ident lookup (RFC 1413) will
be performed, as well as a check for a WWW proxy on ports 8080 and 3128.
In addition, every connection is authenticated with the LHEx server at
IP-address 127.0.0.1. The client will be let in after ident and lhex are
done, but if socks or webproxy finds an open proxy, the client will be
removed as soon as possible.
module rfc931

module lhex
	option = 127.0.0.1

delayed

module socks
	option = reject,paranoid
	host = *.enserb.u-bordeaux.fr
	host = !*.u-bordeaux.fr
	host = *.fr
	port = 1080

module webproxy
	option = reject
	port = 8080

module webproxy
	option = reject,careful
	port = 3128
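As an added example (not iauth's own code), a small Python parser and checker for the format described in DESCRIPTION and used in the example above: it splits the file into sections ended by an empty line, records the iauth options of the first section, marks every module below a delayed line, enforces that port is given for socks and webproxy only, and implements host/ip matching with ! as a negative match and IP addresses checked first. First-match ordering of the host/ip entries is an assumption derived from the three host lines of the socks section above.

```python
"""Added example (not iauth's own code): parse an iauth.conf by the rules above
and check what the manual requires. First-match semantics for host/ip lists are
assumed from the EXAMPLE section (*.u-bordeaux.fr excluded, *.fr still used)."""
from fnmatch import fnmatchcase

PORT_MODULES = {"socks", "webproxy"}  # the only modules that take `port`

def parse_iauth_conf(text):
    """Return (iauth_options, modules); an empty line ends a section."""
    options, modules, cur, delayed = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = (p.strip() for p in line.partition("="))
        if not line:
            cur = None
        elif raw[0] in " \t" and cur is not None:  # [TAB]key = value
            if key in ("host", "ip"):              # '!' marks a negative match
                cur[key].append((value.lstrip("!"), value.startswith("!")))
            else:
                cur[key] = int(value) if key in ("timeout", "port") else value
        elif line.startswith("module "):
            cur = {"name": line.split()[1], "host": [], "ip": [], "port": None, "delayed": delayed}
            modules.append(cur)
        elif line == "delayed":                    # applies to every module below
            delayed = True
        else:                                      # first-section iauth option
            options[key] = value or True
    return options, modules

def validate(modules):
    """Rule violations: port is mandatory for socks/webproxy and unused elsewhere."""
    return [f"{m['name']}: port is {'mandatory' if m['port'] is None else 'not used'}"
            for m in modules if (m["name"] in PORT_MODULES) == (m["port"] is None)]

def applies_to(module, ip, hostname):
    """IPs before hosts; first matching entry decides ('!' excludes); no entries: always."""
    entries = [(p, n, ip) for p, n in module["ip"]] + [(p, n, hostname) for p, n in module["host"]]
    for pattern, negate, subject in entries:
        if fnmatchcase(subject, pattern):
            return not negate
    return not entries

# The socks section of the EXAMPLE above, with the TAB indentation the format requires.
EXAMPLE_CONF = """\
module socks
\toption = reject,paranoid
\thost = *.enserb.u-bordeaux.fr
\thost = !*.u-bordeaux.fr
\thost = *.fr
\tport = 1080
"""
```

Running validate() on a parsed file reproduces the port checks the manual describes, and applies_to() shows why a host in *.u-bordeaux.fr is skipped while one in *.fr is still checked.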
CAVEATS
When the option extinfo is set, connections registering as a server or
a service with the IRC server are not guaranteed to receive the "user"
authentication provided by modules (such as the rfc931 module).
COPYRIGHT
(c) 1998,1999 Christophe Kalt
For full COPYRIGHT see LICENSE file with IRC package.
FILES
"iauth.conf"
SEE ALSO
iauth(8)
AUTHOR
Christophe Kalt.
$Date: 2004/12/16 16:14:06 $