iauth.conf man page on DragonFly

IAUTH.CONF(5)							 IAUTH.CONF(5)

NAME
       iauth.conf - The Internet Relay Chat Authentication Configuration File

DESCRIPTION
       The iauth.conf file is read by the iauth program upon startup. It
       contains the list of modules that should be used to authenticate a
       particular connection. The list is ordered, which means that the first
       module to successfully authenticate a connection will be the last to be
       tried.

       The file is divided into sections. The first section is used for iauth
       options; each subsequent section specifies a module, with any options,
       using the following format:

	      module module-name
	      [TAB]option = string
	      [TAB]host = host-name
	      [TAB]ip = ip-address
	      [TAB]timeout = value
	      [TAB]port = value
	      [TAB]reason = string

       The section ends with an empty line. The module-name defines which
       module the section applies to. A particular module may be used in
       several sections. An option string of undefined format may be
       specified; it is then passed to the module upon initialization. See the
       MODULES section to find out whether a module accepts any option.

       If  host-name and ip-address fields are specified, then the module will
       only be used for connections matching one of the fields	given  in  the
       configuration.  An entry prefixed with the character ! indicates a neg‐
       ative match.  IP addresses are checked first.

       Port is mandatory for the socks and webproxy modules and is not used
       by the others. It tells the module which port to connect to in order to
       do its work.

       If neither a host nor an ip entry is specified, then the module will
       always be used.
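
       The following added example (not part of the original man page or of
       iauth) evaluates host and ip entries for a connection, using the host
       entries of the socks section in this page's EXAMPLE. It assumes that
       entries are tried in file order and the first matching entry decides,
       which is inferred from that EXAMPLE; fnmatch globbing stands in for the
       IRC mask matcher, ip entries are treated as masks as well, and all
       function names are hypothetical.

```python
from fnmatch import fnmatchcase

def first_verdict(patterns, value):
    """True/False from the first pattern that matches value; None if none do."""
    for pattern in patterns:
        negative = pattern.startswith("!")       # "!" marks a negative match
        mask = pattern[1:] if negative else pattern
        if fnmatchcase(value.lower(), mask.lower()):
            return not negative
    return None

def module_applies(fields, client_ip, client_host):
    """Decide whether a module section is used for one connection."""
    ips = [v for k, v in fields if k == "ip"]
    hosts = [v for k, v in fields if k == "host"]
    if not ips and not hosts:
        return True                              # no host nor ip entry: always used
    verdict = first_verdict(ips, client_ip)      # IP addresses are checked first
    if verdict is None:
        verdict = first_verdict(hosts, client_host)
    return bool(verdict)                         # no entry matched: not used

# Host entries of the socks section in this page's EXAMPLE, in file order.
EXAMPLE_FIELDS = [("host", "*.enserb.u-bordeaux.fr"),
                  ("host", "!*.u-bordeaux.fr"),
                  ("host", "*.fr")]
# Same entries with the broad mask moved first (constructed misordering).
MISORDERED = [EXAMPLE_FIELDS[2], EXAMPLE_FIELDS[1], EXAMPLE_FIELDS[0]]

# Constructed client host names; 192.0.2.10 is a documentation-range address.
CLIENTS = ["pc1.enserb.u-bordeaux.fr", "www.u-bordeaux.fr",
           "host.example.fr", "host.example.org"]

def checked_hosts(fields):
    """Return the sample clients for which the module would be used."""
    return [h for h in CLIENTS if module_applies(fields, "192.0.2.10", h)]

if __name__ == "__main__":
    print(checked_hosts(EXAMPLE_FIELDS))
    print(checked_hosts(MISORDERED))
```

       Under the stated assumption, moving *.fr to the top makes the negative
       entry unreachable, so hosts under *.u-bordeaux.fr are checked as well.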

       Reason is the text sent to clients rejected by the given module.

       When writing a configuration file, one should always verify the	syntax
       using the iauth program to avoid later problems.

IAUTH OPTIONS
       timeout = <seconds>
	      This specifies how much time each module has to complete its
	      work for each connection. This option can also be specified
	      individually for each module. The default is 30 seconds.

       required
	      By specifying this keyword, the IRC server is told not to accept
	      new user connections unless the  authentication  is  handled  by
	      iauth.   This does NOT mean that the server will wait forever to
	      get the data from iauth, see the notimeout option.

       notimeout
	      By specifying this keyword, the IRC server is told not to accept
	      a	 user  connection  if  iauth hasn't finished its work in time.
	      Note that modules specified after the delayed keyword are not
	      considered.

       extinfo
	      This keyword allows extra information (the user-supplied username
	      and possibly a password) to be received by iauth from the
	      server. This is only useful if a module using this information
	      is loaded.

       delayed
	      All modules below this keyword will run in "delayed" execution
	      mode. This means that ircd gets a (fake) message that iauth is
	      done with this client, so that ircd lets the client in. The
	      modules nevertheless work as usual; if one decides that the
	      client should be removed, a message is sent to ircd and the
	      client is removed.

       shared <name> <mod_name.so>
	      If iauth was compiled with Dynamically Shared Module support, it
	      can be told to dynamically load a module using this option.  The
	      module can then be loaded.

MODULES
       pipe   This module is provided as a replacement to the (now obsolete) R
	      configuration  lines  supported  by  the IRC daemon.  It runs an
	      external program with the client IP and port as arguments.   The
	      program  should  output  either 'Y' (Yes, let the client in), or
	      'N' (No, don't let them in).

	      Note that this module is quite expensive as it forks a  separate
	      process for each connection received by the IRC daemon.

	      This module requires the following option:
	      prog=/path/to/external/program

       socks  This module performs a basic check to verify that the host where
	      the connection originated from doesn't run a SOCKS v4 or v5
	      proxy server, open to the world, on the port given in the
	      configuration. It is useful to reject abusive clients using a
	      relay to evade kill lines and bans. Multiple instances (with
	      different ports) are allowed.

	      This module understands ten options:

	      reject to reject connections originating from a host where an
	      open proxy was detected.

	      log to log hostnames where an open proxy is detected.

	      protocol to log protocol errors.

	      paranoid to consider proxies which deny the request because of a
	      userid/ident mismatch to be OPEN proxies.

	      megaparanoid which is paranoid plus it considers all proxies not
	      explicitly stating they are closed to be OPEN proxies -- that
	      includes all protocol errors, unexpected results etc.

	      cache[=value] to set the cache lifetime in minutes. By default,
	      caching is enabled for 30 minutes. A value of 0 disables
	      caching.

	      careful to make sure socks v5 is properly configured with IP
	      rulesets. Without this parameter, the module will not send an
	      additional query and will assume the first positive answer is
	      valid.

	      v4only to check only socks v4.

	      v5only to check only socks v5.

       rfc931 This module is for authenticating TCP connections using the
	      protocol defined in RFC 1413 (which obsoletes RFC 931). It is
	      always loaded, and does not recognize the host or ip fields.

       lhex   This module acts as a proxy, communicating with a LHEx server to
	      perform authentication of client connections.  It takes a single
	      (mandatory) option, which is the IP-address of the  LHEx	server
	      to use.

       webproxy
	      This  module  performs  a	 basic HTTP CONNECT to verify that the
	      host where the connection originated from doesn't	 run  an  open
	      WWW proxy.  It is useful to reject abusive clients using a relay
	      to evade kill lines and bans.  Multiple instances (with  differ‐
	      ent ports) are allowed.

	      This module understands five options:

	      reject to reject connections originating from a host where an
	      open proxy was detected.

	      log to log hostnames where an open proxy is detected.

	      cache[=value] to set the cache lifetime in minutes. By default,
	      caching is enabled for 30 minutes. A value of 0 disables
	      caching.

	      careful to make sure that we connected to our own ircd; without
	      this parameter, the module will accept any "HTTP/1.? 200", with
	      the exception of servers that also send a "Date:" header (which
	      is common with some Apache+PHP configurations).

EXAMPLE
       The following file will cause the IRC daemon to reject all connections
       originating from a system where an open proxy is running for hosts
       within *.fr and *.enserb.u-bordeaux.fr but not for other hosts matching
       *.u-bordeaux.fr. For all connections, an ident lookup (RFC 1413) will
       be performed, as well as a check for a WWW proxy on ports 8080 and
       3128. In addition, every connection is authenticated with the LHEx
       server at IP-address 127.0.0.1. The client will be let in after ident
       and lhex are done, but if socks or webproxy finds an open proxy, the
       client will be removed as soon as possible.

	      module rfc931

	      module lhex
		      option = 127.0.0.1

	      delayed

	      module socks
		      option = reject,paranoid
		      host = *.enserb.u-bordeaux.fr
		      host = !*.u-bordeaux.fr
		      host = *.fr
		      port = 1080

	      module webproxy
		      option = reject
		      port = 8080

	      module webproxy
		      option = reject,careful
		      port = 3128
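
       The following added example (not part of the original man page or of
       iauth) checks a configuration against the per-module rules stated on
       this page: mandatory port, mandatory options for lhex and pipe, fields
       rfc931 does not recognize, and modules placed after delayed when
       notimeout is set. The parser, the function names and the sample file
       are assumptions made for illustration; it does not replace verifying
       the syntax with the iauth program.

```python
NEEDS_PORT = {"socks", "webproxy"}   # "Port is mandatory for socks and webproxy"

def parse(text):
    """Return (iauth option lines, module sections) from iauth.conf text."""
    options, sections, current, delayed = [], [], None, False
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            current = None                       # an empty line ends a section
        elif raw.startswith("module ") and len(words) > 1:
            current = {"module": words[1], "delayed": delayed, "fields": []}
            sections.append(current)
        elif raw[0] in "\t " and current is not None and "=" in raw:
            key, value = (part.strip() for part in raw.split("=", 1))
            current["fields"].append((key, value))
        else:                                    # iauth option or keyword line
            options.append(raw.strip())
            delayed = delayed or raw.strip() == "delayed"
    return options, sections

def lint(text):
    """Check the per-module rules stated on this man page; return findings."""
    options, sections = parse(text)
    findings = []
    for s in sections:
        name = s["module"]
        keys = {k for k, _ in s["fields"]}
        opts = [v for k, v in s["fields"] if k == "option"]
        if name in NEEDS_PORT and "port" not in keys:
            findings.append(f"{name}: port is mandatory")
        if name not in NEEDS_PORT and "port" in keys:
            findings.append(f"{name}: port is not used by this module")
        if name == "lhex" and not opts:
            findings.append("lhex: mandatory option (LHEx server IP) missing")
        if name == "pipe" and not any(o.startswith("prog=") for o in opts):
            findings.append("pipe: option prog=/path/to/external/program missing")
        if name == "rfc931" and keys & {"host", "ip"}:
            findings.append("rfc931: host and ip fields are not recognized")
        if s["delayed"] and "notimeout" in options:
            findings.append(f"{name}: after 'delayed', not considered by notimeout")
    return findings

# Constructed sample with deliberate mistakes (not a real deployment's file).
SAMPLE = ("notimeout\n\nmodule rfc931\n\thost = *.fr\n\nmodule lhex\n\n"
          "delayed\n\nmodule socks\n\toption = reject,paranoid\n\n"
          "module webproxy\n\toption = reject\n\tport = 8080\n")

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```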

CAVEATS
       When  the option extinfo is set, connections registering as a server or
       a service with the IRC server are not guaranteed to receive the	"user"
       authentication provided by modules (such as the rfc931 module).

COPYRIGHT
       (c) 1998,1999 Christophe Kalt

       For full COPYRIGHT see LICENSE file with IRC package.

FILES
       "iauth.conf"

SEE ALSO
       iauth(8)

AUTHOR
       Christophe Kalt.

			 $Date: 2004/12/16 16:14:06 $		 IAUTH.CONF(5)