1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
.\" @(#)$Id: iauth.conf.5,v 1.16 1999/07/04 22:09:09 kalt Exp $
.TH IAUTH.CONF 5 "$Date: 1999/07/04 22:09:09 $"
.SH NAME
iauth.conf \- The Internet Relay Chat Authentication Configuration File
.SH DESCRIPTION
.LP
The \fIiauth.conf\fP file is read by the \fIiauth\fP program upon startup,
it contains the list of modules that should be used to authenticate a
particular connection. The list is ordered, which means that the first
module to successfully authenticate a connection will be the last to be
tried.
The file is divided in sections, the first section is used for iauth
options, each subsequent section specifies a module with eventual options
using the following format:
.RS
.nf
module\ \fImodule-name\fP
[TAB]option = \fIstring\fP
[TAB]host = \fIhost-name\fP
[TAB]ip = \fIip-address\fP
[TAB]timeout = \fIvalue\fP
.fi
.RE
The section ends with an empty line. The \fImodule-name\fP defines which
module the section applies to. A particular module may be used in several
sections. A \fIstring\fP of undefined format may be specified, it will
then be passed to the module upon initialization, see the MODULES section
to find out if a module accepts any option.
If \fIhost-name\fP and \fIip-address\fP fields are specified, then the
module will only be used for connections matching one of the fields given
in the configuration. An entry prefixed with the character ! indicates a
negative match. IP addresses are checked first.
If no host nor ip entry is specified, then the module will always be used.
When writing a configuration file, one should \fBalways\fP verify the
syntax using the \fIiauth\fP program to avoid later problems.
.SH IAUTH OPTIONS
.TP
.B timeout = <seconds>
This allows to specify how much time each module has to complete its work
for each connection. This option can also be specified individually for
each module. The default is 30 seconds.
.TP
.B required
By specifying this keyword, the IRC server is told not to accept new user
connections unless the authentication is handled by \fIiauth\fP. This does
NOT mean that the server will wait forever to get the data from iauth, see
the \fInotimeout\fP option.
.TP
.B notimeout
By specifying this keyword, the IRC server is told not to accept new user
connections if \fIiauth\fP hasn't finished its work in time.
.TP
.B extinfo
This keyword allows extra information (user supplied username, and
eventually password) to be received by \fIiauth\fP from the server. This
is only useful is a module using this information is loaded.
.TP
.B shared <name> <mod_name.so>
If iauth was compiled with Dynamically Shared Module support, it can be
told to dynamically load a module using this option. The module can then
be loaded.
.SH MODULES
.TP
.B pipe
This module is provided as a replacement to the (now obsolete) R
configuration lines supported by the IRC daemon. It runs an external
program with the client IP and port as arguments. The program should
output either 'Y' (Yes, let the client in), or 'N' (No, don't let them
in).
Note that this module is quite expensive as it forks a separate process for
each connection received by the IRC daemon.
This module requires the following option:
.B prog=/path/to/external/program
.TP
.B socks
This module performs a basic check to verify that the host where the
connection originated from doesn't run a SOCKS v4 or v5 proxy server on
port 1080 that is open to the world. It is useful to reject abusive
clients using a relay to evade kill lines and bans.
This module understands seven options:
.B reject
to reject connections originating from a host where an open proxy
was detected,
.B log
to log hostnames where an open proxy is detected.
.B paranoid
to consider proxies which deny the request because of a userid/ident
mismatch to be OPEN proxies.
.B cache[=value]
to set the cache lifetime in minutes. By default, caching is enabled for
30 minutes. A value of 0 disables caching.
.B careful
to make sure socks v5 is properly configured with IP rulesets. Without
this parameter, module will not send additional query and assume first
positive answer as valid.
.B v4only
to check only socks v4.
.B v5only
to check only socks v5.
.TP
.B rfc931
This module is for authentication TCP connections using the protocol
defined in RFC 1413 (which obsoletes RFC 931). It is always loaded, and
does not recognize the \fIhost\fP nor \fIip\fP fields.
.TP
.B lhex
This module acts as a proxy, communicating with a LHEx server to perform
authentication of client connections. It takes a single (mandatory)
option, which is the IP-address of the LHEx server to use.
.SH EXAMPLE
The following file will cause the IRC daemon to reject all connections
originating from a system where an open proxy is running for hosts within
*.fr and *.enserb.u-bordeaux.fr but not for other hosts matching
*.u-bordeaux.fr. For all connections, an ident lookup (RFC 1413) will be
performed. In addition, every connection is authenticated with the LHEx
server at IP-address 127.0.0.1.
.RS
.nf
module socks
option = reject,paranoid
host = *.enserb.u-bordeaux.fr
host = !*.u-bordeaux.fr
host = *.fr
module rfc931
module lhex
option = 127.0.0.1
.fi
.RE
.SH CAVEATS
When the option
.B extinfo
is set, connections registering as a server or a service with the IRC
server are not guaranteed to receive the "user" authentication provided by
modules (such as the rfc931 module).
.RE
.SH COPYRIGHT
(c) 1998,1999 Christophe Kalt
.LP
For full COPYRIGHT see LICENSE file with IRC package.
.LP
.RE
.SH FILES
"iauth.conf"
.SH "SEE ALSO"
iauth(8)
.SH AUTHOR
Christophe Kalt.
|