.\" @(#)$Id: iauth.conf.5,v 1.23 2004/12/16 16:14:06 chopin Exp $
.TH IAUTH.CONF 5 "$Date: 2004/12/16 16:14:06 $"
.SH NAME
iauth.conf \- The Internet Relay Chat Authentication Configuration File
.SH DESCRIPTION
.LP
The \fIiauth.conf\fP file is read by the \fIiauth\fP program upon startup.
It contains the list of modules that should be used to authenticate a
particular connection. The list is ordered: modules are tried in turn, and
the first module that successfully authenticates a connection is the last
one tried for it.

The file is divided into sections. The first section holds iauth options;
each subsequent section specifies a module, with optional settings, using
the following format:

.RS
.nf
module\ \fImodule-name\fP
[TAB]option = \fIstring\fP
[TAB]host = \fIhost-name\fP
[TAB]ip = \fIip-address\fP
[TAB]timeout = \fIvalue\fP
[TAB]port = \fIvalue\fP
[TAB]reason = \fIstring\fP

.fi
.RE
A section ends with an empty line. The \fImodule-name\fP defines which
module the section applies to; a given module may be used in several
sections. An option \fIstring\fP, whose format is defined by the module,
may be specified; it is then passed to the module upon initialization. See
the MODULES section to find out whether a module accepts an option.

If \fIhost-name\fP and/or \fIip-address\fP fields are specified, the
module is only used for connections matching one of the entries given in
the section. An entry prefixed with the character ! indicates a negative
match. IP addresses are checked before host names.

The port field is mandatory for the socks and webproxy modules and unused
by the others: it tells the module which port on the originating host it
should connect to in order to do its check.

If no host nor ip entry is specified, the module is always used.

The reason field is the text sent to clients rejected by the module.

When writing a configuration file, one should \fBalways\fP verify its
syntax with the \fIiauth\fP program to avoid problems later.
.SH IAUTH OPTIONS
.TP
.B timeout = <seconds>
Specifies how much time each module has to complete its work for each
connection. It can also be set individually for each module. The default
is 30 seconds.
.TP
.B required
With this keyword, the IRC server is told not to accept new user
connections unless their authentication is handled by \fIiauth\fP. This
does NOT mean that the server will wait forever for iauth's answer; see
the \fInotimeout\fP option.
.TP
.B notimeout
With this keyword, the IRC server is told not to accept a user connection
if \fIiauth\fP hasn't finished its work in time. Note that modules listed
after the \fIdelayed\fP keyword are not considered.
.TP
.B extinfo
Allows extra information (the user-supplied username and, if given, the
password) to be passed from the server to \fIiauth\fP. This is only useful
if a module using this information is loaded.
.TP
.B delayed
All modules below this keyword run in "delayed" execution mode: ircd is
sent a (fake) message saying that iauth is done with the client, so the
client is let in immediately. The modules nevertheless run as usual, and
if one of them decides that the client should be removed, a message is
sent to ircd and the client is disconnected.
.TP
.B shared <name> <mod_name.so>
If iauth was compiled with Dynamically Shared Module support, this option
tells it to load a module from \fImod_name.so\fP at startup; the module is
then known under the name \fIname\fP.

.SH MODULES
.TP
.B pipe
This module is provided as a replacement for the (now obsolete) R
configuration lines supported by the IRC daemon. It runs an external
program with the client IP and port as arguments. The program should
print either 'Y' (yes, let the client in) or 'N' (no, don't let them in).

Note that this module is quite expensive, as it forks a separate process
for each connection received by the IRC daemon.

This module requires the following option:
.B prog=/path/to/external/program
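.LP
The following program, added here as an illustration and not part of the
IRC package, is the kind of \fIprog\fP the pipe module can run. The argument
order (client IP first, then client port) and the deny list are assumptions
of the example; what it shows is that such a hook has to answer within the
module timeout and fail closed, printing 'N' for anything it cannot make
sense of.
.RS
.nf
.eo
```python
#!/usr/bin/env python3
"""Admission hook for the iauth "pipe" module (added example, not ircd code).

Invocation assumed here: prog <client-ip> <client-port>. The module reads a
single 'Y' (let the client in) or 'N' (reject) from our standard output.
"""
import ipaddress
import sys

# Constructed deny list for the example; load it from a file in real use.
DENY_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),       # TEST-NET-1, banned for the example
    ipaddress.ip_network("2001:db8:bad::/48"),  # documentation prefix, banned
]


def decide(ip_text: str, port_text: str) -> str:
    """Return 'Y' to admit the client or 'N' to reject it.

    Unparseable input is rejected: an admission hook that cannot make
    sense of what it was given must fail closed, not open.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
        port = int(port_text)
    except ValueError:
        return "N"
    if not 0 < port <= 65535:
        return "N"
    if any(addr in net for net in DENY_NETWORKS):
        return "N"
    return "Y"


def main(argv) -> int:
    # A wrong argument count means the caller is not what we expect: reject.
    if len(argv) != 3:
        print("N")
        return 1
    print(decide(argv[1], argv[2]), flush=True)  # flush: the module waits on this
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
.ec
.fi
.RE
Keep such a program fast: the module forks it for every connection, and a
hook that blocks (on DNS, on a database) past the module timeout leaves the
decision to the \fInotimeout\fP setting rather than to the hook itself.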
.TP
.B socks
This module performs a basic check to verify that the host the connection
originated from does not run a SOCKS v4 or v5 proxy server, on the port
given in the configuration, that is open to the world. It is useful for
rejecting abusive clients who use a relay to evade kill lines and bans.
Multiple instances (with different ports) are allowed.

This module understands the following options:
.B reject
to reject connections originating from a host where an open proxy
was detected,
.B log
to log hostnames where an open proxy is detected,
.B protocol
to log protocol errors,
.B paranoid
to consider proxies which deny the request because of a userid/ident
mismatch to be OPEN proxies,
.B megaparanoid
which is paranoid plus considering all proxies that do not explicitly
state they are closed to be OPEN proxies; that includes all protocol
errors, unexpected results, etc.,
.B cache[=value]
to set the cache lifetime in minutes. By default, caching is enabled for
30 minutes; a value of 0 disables caching,
.B careful
to make sure a SOCKS v5 proxy is properly configured with IP rulesets.
Without this option, the module does not send the additional connect
request and takes the first positive answer as proof of an open proxy,
.B v4only
to check only SOCKS v4,
.B v5only
to check only SOCKS v5.
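.LP
As an added illustration, not ircd's own module code, the following Python
code builds the SOCKS4 and SOCKS5 requests such a probe sends and maps the
replies to a verdict under the \fIparanoid\fP, \fImegaparanoid\fP and
\fIcareful\fP options described above. The target it asks the proxy to
connect to (the ircd's own address, so a relayed connection comes straight
back) is an assumption of the example.
.RS
.nf
.eo
```python
"""SOCKS open-proxy probe following the iauth socks module's option semantics
(added example, not ircd's own module code).

Wire formats are those of SOCKS4 and RFC 1928 (SOCKS5). What the probe asks
the proxy to CONNECT to is an assumption here: the ircd's own listening
address, so that a relayed connection would come straight back to us.
"""
import socket
import struct

OPEN, CLOSED, UNKNOWN = "open", "closed", "unknown"


def socks4_request(target_ip: str, target_port: int, userid: bytes = b"") -> bytes:
    """VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL."""
    return struct.pack("!BBH4s", 4, 1, target_port, socket.inet_aton(target_ip)) + userid + b"\0"


def classify_socks4(reply: bytes, paranoid: bool = False, megaparanoid: bool = False) -> str:
    """Map a SOCKS4 reply to open/closed/unknown."""
    if len(reply) < 8 or reply[0] != 0:
        # Not a SOCKS4 reply at all: a protocol error.
        return OPEN if megaparanoid else UNKNOWN
    cd = reply[1]
    if cd == 90:                 # request granted: the proxy relays for anyone
        return OPEN
    if cd == 91:                 # rejected or failed: explicitly closed
        return CLOSED
    if cd in (92, 93):           # no identd reachable / userid mismatch
        return OPEN if (paranoid or megaparanoid) else CLOSED
    return OPEN if megaparanoid else UNKNOWN


def socks5_greeting() -> bytes:
    return b"\x05\x01\x00"       # VER=5, one method offered: 0x00 (no authentication)


def socks5_connect(target_ip: str, target_port: int) -> bytes:
    """VER=5, CMD=1 (CONNECT), RSV, ATYP=1 (IPv4), DST.ADDR, DST.PORT."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(target_ip) + struct.pack("!H", target_port)


def classify_socks5(method_reply: bytes, connect_reply: bytes = b"",
                    careful: bool = False, megaparanoid: bool = False) -> str:
    """Map the method-selection reply (and, with careful, the CONNECT reply) to a verdict."""
    if len(method_reply) < 2 or method_reply[0] != 5:
        return OPEN if megaparanoid else UNKNOWN
    if method_reply[1] == 0xFF:  # no acceptable method: the proxy insists on authentication
        return CLOSED
    if method_reply[1] != 0x00:  # we only offered method 0; anything else is a protocol error
        return OPEN if megaparanoid else UNKNOWN
    if not careful:
        return OPEN              # first positive answer is taken as proof
    # careful: a proxy may accept "no auth" and still refuse to relay because of its
    # IP rulesets, so the verdict comes from the CONNECT reply instead.
    if len(connect_reply) < 2 or connect_reply[0] != 5:
        return OPEN if megaparanoid else UNKNOWN
    rep = connect_reply[1]
    if rep == 0x00:              # succeeded: the proxy relayed our connection
        return OPEN
    if rep == 0x02:              # connection not allowed by ruleset
        return CLOSED
    return OPEN if megaparanoid else UNKNOWN   # other failures: not settled by the page


def probe_socks(host: str, port: int, target_ip: str, target_port: int,
                timeout: float = 30.0, careful: bool = False, **flags) -> str:
    """Live SOCKS5 probe of host:port; the timeout mirrors the module's default."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(socks5_greeting())
        method_reply = s.recv(2)
        connect_reply = b""
        if careful and method_reply == b"\x05\x00":
            s.sendall(socks5_connect(target_ip, target_port))
            connect_reply = s.recv(10)
    return classify_socks5(method_reply, connect_reply, careful=careful, **flags)
```
.ec
.fi
.RE
The three verdicts make the option semantics visible: \fImegaparanoid\fP
turns every "unknown" into "open", \fIparanoid\fP only flips the SOCKS4
ident-mismatch replies, and \fIcareful\fP is what stops a v5 proxy that
accepts the no-authentication method but denies the relay by ruleset from
being counted as open. The result cache the module keeps is not modelled.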
.TP
.B rfc931
This module authenticates TCP connections using the protocol defined in
RFC 1413 (which obsoletes RFC 931). It is always loaded, and does not
recognize the \fIhost\fP or \fIip\fP fields.
.TP
.B lhex
This module acts as a proxy, communicating with a LHEx server to perform
authentication of client connections. It takes a single (mandatory)
option, which is the IP address of the LHEx server to use.
.TP
.B webproxy
This module performs a basic HTTP CONNECT to verify that the host the
connection originated from does not run an open WWW proxy. It is useful
for rejecting abusive clients who use a relay to evade kill lines and
bans. Multiple instances (with different ports) are allowed.

This module understands the following options:
.B reject
to reject connections originating from a host where an open proxy was
detected,
.B log
to log hostnames where an open proxy is detected,
.B cache[=value]
to set the cache lifetime in minutes. By default, caching is enabled for
30 minutes; a value of 0 disables caching,
.B careful
to make sure that the CONNECT actually reached our own ircd. Without this
option, the module accepts any "HTTP/1.? 200" answer as proof of an open
proxy, except answers that also carry a "Date:" header (which is common
with some Apache+PHP configurations and does not indicate a proxy).

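.LP
As an added illustration, not ircd's own module code, the following Python
code sends the HTTP CONNECT such a probe uses and applies the acceptance
rules described above, with and without \fIcareful\fP. Two things are
assumptions of the example: the probe asks the proxy to connect back to the
ircd itself, and the careful check recognises the ircd by a marker string
in whatever follows the 200 status (the default marker below is a
placeholder, not something the page specifies).
.RS
.nf
.eo
```python
"""HTTP CONNECT open-proxy check following the iauth webproxy module's option
semantics (added example, not ircd's own module code).

Assumptions: the probe asks the proxy to CONNECT back to the ircd itself, and
the "careful" check recognises the ircd by a marker string in what follows the
200 status (ircd_marker is a placeholder for whatever the server really sends).
"""
import re
import socket

OPEN, CLOSED, UNKNOWN = "open", "closed", "unknown"
STATUS_RE = re.compile(rb"^HTTP/1\.\d (\d{3})")      # the page's "HTTP/1.? 200"


def connect_request(target_host: str, target_port: int) -> bytes:
    return f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n\r\n".encode("ascii")


def classify_http(response: bytes, careful: bool = False,
                  ircd_marker: bytes = b"NOTICE AUTH") -> str:
    """Decide open/closed/unknown from the proxy's answer to a CONNECT."""
    head, _, body = response.partition(b"\r\n\r\n")
    status_line, *headers = head.split(b"\r\n")
    m = STATUS_RE.match(status_line)
    if not m:
        return UNKNOWN                      # not talking HTTP at all
    if m.group(1) != b"200":
        return CLOSED                       # CONNECT refused (or no proxy there)
    if careful:
        # Only a tunnel that really reached our ircd counts: look for its banner.
        return OPEN if ircd_marker in body else CLOSED
    # Without careful: any 200 counts, except when a Date: header accompanies it,
    # which is what an ordinary web server answering with a page sends (common
    # with some Apache+PHP setups) rather than a proxy opening a tunnel.
    if any(h.lower().startswith(b"date:") for h in headers):
        return CLOSED
    return OPEN


def probe_http(host: str, port: int, target_host: str, target_port: int,
               timeout: float = 30.0, careful: bool = False) -> str:
    """Live probe of host:port; the timeout mirrors the module's default."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(connect_request(target_host, target_port))
        chunks = []
        try:
            while len(b"".join(chunks)) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass                            # judge whatever arrived before the deadline
    return classify_http(b"".join(chunks), careful=careful)
```
.ec
.fi
.RE
The non-careful rule is a heuristic and the Date: exception shows why: a
web server that answers every request with a 200 page would otherwise be
reported as an open proxy. With \fIcareful\fP the decision rests on what
comes through the tunnel, which is the check a practitioner should prefer
when the false positives would reject real users.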
.SH EXAMPLE
The following file makes the IRC daemon reject all connections originating
from a system where an open SOCKS proxy is running on port 1080, for hosts
within *.fr and *.enserb.u-bordeaux.fr but not for other hosts matching
*.u-bordeaux.fr. For all connections, an ident lookup (RFC 1413) is
performed, and the originating host is checked for an open WWW proxy on
ports 8080 and 3128. In addition, every connection is authenticated with
the LHEx server at IP address 127.0.0.1. Since the proxy checks come after
the \fIdelayed\fP keyword, a client is let in as soon as ident and lhex
are done; if socks or webproxy then finds an open proxy, the client is
removed as soon as possible.

.RS
.nf
module rfc931

module lhex
	option = 127.0.0.1

delayed

module socks
	option = reject,paranoid
	host = *.enserb.u-bordeaux.fr
	host = !*.u-bordeaux.fr
	host = *.fr
	port = 1080

module webproxy
	option = reject
	port = 8080

module webproxy
	option = reject,careful
	port = 3128

.fi
.RE
.SH CAVEATS
When the option
.B extinfo
is set, connections registering as a server or a service with the IRC
server are not guaranteed to receive the "user" authentication provided by
modules (such as the rfc931 module).
.SH COPYRIGHT
(c) 1998,1999 Christophe Kalt
.LP
For full COPYRIGHT see LICENSE file with IRC package.
.LP
.SH FILES
"iauth.conf"
.SH "SEE ALSO"
iauth(8)
.SH AUTHOR
Christophe Kalt.