IAUTH.CONF(5)		      File Formats Manual		 IAUTH.CONF(5)

NAME
       iauth.conf - The	Internet Relay Chat Authentication Configuration File

DESCRIPTION
       The iauth.conf file is read by the iauth program upon startup. It
       contains the list of modules that should be used to authenticate a
       particular connection.  The list is ordered: modules are tried in
       turn, and the first module to successfully authenticate a connection
       is the last one to be tried.

       The file is divided into sections.  The first section is used for
       iauth options; each subsequent section specifies a module, with any
       options for it, using the following format:

	      module module-name
	      [TAB]option = string
	      [TAB]host	= host-name
	      [TAB]ip =	ip-address
	      [TAB]timeout = value
	      [TAB]port	= value
	      [TAB]reason = string

       The section ends with an empty line.  The module-name defines which
       module the section applies to.  A particular module may be used in
       several sections.  An option string of undefined format may be
       specified; it is then passed to the module upon initialization.  See
       the MODULES section to find out whether a module accepts any option.

       If  host-name and ip-address fields are specified, then the module will
       only be used for	connections matching one of the	fields	given  in  the
       configuration.  An entry	prefixed with the character ! indicates	a neg-
       ative match.  IP	addresses are checked first.

       Port is mandatory for the socks and webproxy modules and is not used
       by the others.  It tells the module which port it should connect to
       in order to do its work.

       If neither a host nor an ip entry is specified, then the module will
       always be used.

       Reason is the text to send to clients rejected by the given module.

       When writing a configuration file, one should always verify the	syntax
       using the iauth program to avoid	later problems.

IAUTH OPTIONS
       timeout = <seconds>
	      This specifies how much time each module has to complete its
	      work for each connection.  This option can also be specified
	      individually for each module.  The default is 30 seconds.

       required
	      By specifying this keyword, the IRC server is told not to	accept
	      new user connections unless the  authentication  is  handled  by
	      iauth.   This does NOT mean that the server will wait forever to
	      get the data from	iauth, see the notimeout option.

       notimeout
	      By specifying this keyword, the IRC server is told not to accept
	      a user connection if iauth hasn't finished its work in time.
	      Note that modules specified after the delayed keyword are not
	      considered.

       extinfo
	      This keyword allows extra information (the user-supplied
	      username, and possibly password) to be received by iauth from
	      the server.  This is only useful if a module using this
	      information is loaded.

       delayed
	      All modules below this keyword will run in "delayed" execution
	      mode.  This means that ircd gets a (fake) message that iauth is
	      done with this client, so that ircd lets the client in.  The
	      modules nevertheless do their work as usual; when one decides
	      that the client should be removed, a message is sent to ircd
	      and the client is removed.

       shared <name> <mod_name.so>
	      If iauth was compiled with Dynamically Shared Module support, it
	      can be told to dynamically load a	module using this option.  The
	      module can then be loaded.

MODULES
       pipe   This module is provided as a replacement to the (now obsolete) R
	      configuration lines supported by the IRC daemon.	It runs	an ex-
	      ternal program with the client IP	and port  as  arguments.   The
	      program  should  output  either 'Y' (Yes,	let the	client in), or
	      'N' (No, don't let them in).

	      Note that	this module is quite expensive as it forks a  separate
	      process for each connection received by the IRC daemon.

	      This module requires the following option:
	      prog=/path/to/external/program

       socks  This module performs a basic check to verify that the host from
	      which the connection originated doesn't run a SOCKS v4 or v5
	      proxy server, open to the world, on the port given in the
	      configuration.  It is useful to reject abusive clients using a
	      relay to evade kill lines and bans.  Multiple instances (with
	      different ports) are allowed.

	      This module understands ten options:

	      reject
		     Reject connections originating from a host where an open
		     proxy was detected.

	      log
		     Log hostnames where an open proxy is detected.

	      protocol
		     Log protocol errors.

	      paranoid
		     Consider proxies which deny the request because of a
		     userid/ident mismatch to be OPEN proxies.

	      megaparanoid
		     Same as paranoid, and in addition consider all proxies
		     not explicitly stating they are closed to be OPEN
		     proxies; that includes all protocol errors, unexpected
		     results, etc.

	      cache[=value]
		     Set the cache lifetime in minutes.  By default, caching
		     is enabled for 30 minutes.  A value of 0 disables
		     caching.

	      careful
		     Make sure socks v5 is properly configured with IP
		     rulesets.  Without this parameter, the module will not
		     send an additional query and will assume the first
		     positive answer is valid.

	      v4only
		     Check only socks v4.

	      v5only
		     Check only socks v5.

       rfc931 This module is for authenticating TCP connections using the
	      protocol defined in RFC 1413 (which obsoletes RFC 931).  It is
	      always loaded, and does not recognize the host nor ip fields.

       lhex   This module acts as a proxy, communicating with a	LHEx server to
	      perform authentication of	client connections.  It	takes a	single
	      (mandatory) option, which	is the IP-address of the  LHEx	server
	      to use.

       webproxy
	      This  module  performs  a	 basic HTTP CONNECT to verify that the
	      host where the connection	originated from	doesn't	 run  an  open
	      WWW proxy.  It is	useful to reject abusive clients using a relay
	      to evade kill lines and bans.  Multiple instances	(with  differ-
	      ent ports) are allowed.

	      This module understands five options:

	      reject
		     Reject connections originating from a host where an open
		     proxy was detected.

	      log
		     Log hostnames where an open proxy is detected.

	      cache[=value]
		     Set the cache lifetime in minutes.  By default, caching
		     is enabled for 30 minutes.  A value of 0 disables
		     caching.

	      careful
		     Make sure that we connected to our own ircd.  Without
		     this parameter, the module will accept any "HTTP/1.?
		     200", with the exception of servers that also send a
		     "Date:" header (which is common with some Apache+PHP
		     configurations).

EXAMPLE
       The following file will cause the IRC daemon to reject all connections
       originating from a system where an open proxy is running for hosts
       within *.fr and *.enserb.u-bordeaux.fr but not for other hosts matching
       *.u-bordeaux.fr.  For all connections, an ident lookup (RFC 1413) will
       be performed, as well as a check for a WWW proxy on ports 8080 and
       3128.  In addition, every connection is authenticated with the LHEx
       server at IP-address 127.0.0.1.  The client will be let in after ident
       and lhex are done, but if socks or webproxy finds an open proxy, the
       client will be removed as soon as possible.

	      module rfc931

	      module lhex
		      option = 127.0.0.1

	      delayed

	      module socks
		      option = reject,paranoid
		      host = *.enserb.u-bordeaux.fr
		      host = !*.u-bordeaux.fr
		      host = *.fr
		      port = 1080

	      module webproxy
		      option = reject
		      port = 8080

	      module webproxy
		      option = reject,careful
		      port = 3128

CAVEATS
       When  the option	extinfo	is set,	connections registering	as a server or
       a service with the IRC server are not guaranteed	to receive the	"user"
       authentication provided by modules (such	as the rfc931 module).

COPYRIGHT
       (c) 1998,1999 Christophe	Kalt

       For full	COPYRIGHT see LICENSE file with	IRC package.

FILES
       "iauth.conf"

SEE ALSO
       iauth(8)

AUTHOR
       Christophe Kalt.

			 $Date:	2004/12/16 16:14:06 $		 IAUTH.CONF(5)
