DESCRIPTION
The iauth.conf file is read by the iauth program upon startup. It contains the list of modules that should be used to authenticate a particular connection. The list is ordered, which means that the first module to successfully authenticate a connection will be the last to be tried.
The file is divided in sections. The first section is used for iauth options; each subsequent section specifies a module, with optional settings, using the following format:
module module-name
[TAB]option = string
[TAB]host = host-name
[TAB]ip = ip-address
[TAB]timeout = value
The section ends with an empty line. The module-name defines which module the section applies to. A particular module may be used in several sections. A string of undefined format may be specified; it is then passed to the module upon initialization. See the MODULES section to find out whether a module accepts any option.
If host-name and ip-address fields are specified, then the module will only be used for connections matching one of the fields given in the configuration. An entry prefixed with the character ! indicates a negative match. IP addresses are checked first.
If no host nor ip entry is specified, then the module will always be used.
When writing a configuration file, one should always verify the syntax using the iauth program to avoid later problems.
IAUTH OPTIONS
timeout = <seconds>
This specifies how much time each module has to complete its work for each connection. This option can also be specified individually for each module. The default is 30 seconds.
required
By specifying this keyword, the IRC server is told not to accept new user connections unless the authentication is handled by iauth. This does NOT mean that the server will wait forever to get the data from iauth; see the notimeout option.
notimeout
By specifying this keyword, the IRC server is told not to accept new user connections if iauth hasn't finished its work in time.
extinfo
This keyword allows extra information (user supplied username,
'N' (No, don't let them in).
Note that this module is quite expensive as it forks a separate process for each connection received by the IRC daemon.
This module requires the following option: prog=/path/to/external/program
socks
This module performs a basic check to verify that the host where the connection originated from doesn't run a SOCKS v4 or v5 proxy server on port 1080 that is open to the world. It is useful to reject abusive clients using a relay to evade kill lines and bans.
This module understands nine options:
reject
to reject connections originating from a host where an open proxy was detected.
log
to log hostnames where an open proxy is detected.
protocol
to log protocol errors.
paranoid
to consider proxies which deny the request because of a userid/ident mismatch to be OPEN proxies.
megaparanoid
which is paranoid plus it considers all proxies not explicitly stating they are closed to be OPEN proxies -- that includes all protocol errors, unexpected results etc.
cache[=value]
to set the cache lifetime in minutes. By default, caching is enabled for 30 minutes. A value of 0 disables caching.
careful
to make sure SOCKS v5 is properly configured with IP rulesets. Without this option, the module will not send an additional query and will assume the first positive answer is valid.
v4only
to check only SOCKS v4.
v5only
to check only SOCKS v5.
webproxy
This module performs a basic check to verify that the host where the connection originated from doesn't run an HTTP proxy server that is open to the world (CONNECT method). It is useful to reject abusive clients using a relay to evade kill lines and bans. N.B.: There is no clear standard for the port number the HTTP proxy should sit on, and every proxy check takes time, so it is generally impossible to detect an HTTP proxy on a non-standard port. The same applies to SOCKS proxies.
This module understands four options:
reject
to reject connections originating from a host where an open proxy was detected.
log
to log hostnames where an open proxy is detected.
cache[=value]
to set the cache lifetime in minutes. By default, caching is enabled for 30 minutes. A value of 0 disables caching.
ports[=3128[,8000[,...]]]
to check the ports mentioned. The more ports, the longer the check. The usual ports where an HTTP proxy listens are 3128, 8000, 8080.
dnsbl
This module queries specified DNS-based block-lists to verify that the host where the connection originated from doesn't run a proxy server or something similar (trojan horses, WinGates etc).
perform authentication of client connections. It takes a single (mandatory) option, which is the IP-address of the LHEx server to use.
EXAMPLE
The following file will cause the IRC daemon to reject all connections originating from a system where an open proxy is running for hosts within *.fr and *.enserb.u-bordeaux.fr but not for other hosts matching *.u-bordeaux.fr. For all connections, an ident lookup (RFC 1413) will be performed. In addition, every connection is authenticated with the LHEx server at IP-address 127.0.0.1.
module socks
	option = reject,paranoid
	host = *.enserb.u-bordeaux.fr
	host = !*.u-bordeaux.fr
	host = *.fr
	ip = 65.0.0.0/8
	ip = !194.195.196.197/32

module rfc931

module lhex
	option = 127.0.0.1
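The following Python program is an added example, not part of the ircd/iauth distribution. It parses a file in the format given in DESCRIPTION (blank-line separated sections, a first section of iauth options, "module" sections with TAB-indented option/host/ip/timeout lines, "!" negative matches, IP entries checked before host entries) and decides which module sections apply to a given connection, using the EXAMPLE file above as constructed input. Two points are assumptions rather than statements of the man page: host and ip entries are tried in file order and the first entry that matches decides (which is how the example's "*.enserb.u-bordeaux.fr" before "!*.u-bordeaux.fr" ordering reads), and a module whose entries are present but match nothing is not used. The names SAMPLE_CONF, parse_iauth_conf, module_applies, modules_for, effective_timeout and check_syntax are this example's own.

```python
"""Syntax checker and host/ip matcher for the iauth.conf format.

Added example, not part of the ircd/iauth distribution. Assumed (not stated
by the man page): entries are tried in order and the first match decides;
a module with host/ip entries that match nothing is not used.
"""
import fnmatch
import ipaddress

# Constructed input: the EXAMPLE section of the man page, written with the
# TAB indentation and blank-line separators the format requires, plus an
# iauth options section of our own at the top.
SAMPLE_CONF = (
    "timeout = 20\n"
    "required\n"
    "\n"
    "module socks\n"
    "\toption = reject,paranoid\n"
    "\thost = *.enserb.u-bordeaux.fr\n"
    "\thost = !*.u-bordeaux.fr\n"
    "\thost = *.fr\n"
    "\tip = 65.0.0.0/8\n"
    "\tip = !194.195.196.197/32\n"
    "\n"
    "module rfc931\n"
    "\n"
    "module lhex\n"
    "\toption = 127.0.0.1\n"
)

GLOBAL_FLAGS = {"required", "notimeout", "extinfo"}
MODULE_KEYS = {"option", "host", "ip", "timeout"}
DEFAULT_TIMEOUT = 30   # seconds, per the IAUTH OPTIONS section


def _sections(text):
    """Split the file into sections; a section ends with an empty line."""
    sections, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            sections.append(current)
            current = []
    if current:
        sections.append(current)
    return sections


def _parse_global(lines):
    """First section: 'timeout = N' plus bare keywords."""
    opts = {}
    for line in lines:
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "timeout" and sep:
            opts["timeout"] = int(value)
        elif key in GLOBAL_FLAGS and not sep:
            opts[key] = True
        else:
            raise ValueError(f"unknown iauth option: {line!r}")
    return opts


def _parse_match(value, as_ip):
    """A leading '!' marks a negative match; ip values are CIDR networks."""
    negated = value.startswith("!")
    value = value[1:] if negated else value
    return negated, (ipaddress.ip_network(value, strict=False) if as_ip else value)


def _parse_module(lines):
    head = lines[0].split()
    if len(head) != 2 or head[0] != "module":
        raise ValueError(f"expected 'module <name>', got {lines[0]!r}")
    mod = {"name": head[1], "options": [], "hosts": [], "ips": [], "timeout": None}
    for line in lines[1:]:
        if not line.startswith("\t"):
            raise ValueError(f"module setting must be TAB-indented: {line!r}")
        key, sep, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in MODULE_KEYS:
            raise ValueError(f"bad module setting: {line!r}")
        if key == "option":
            mod["options"].append(value)   # opaque string handed to the module
        elif key == "host":
            mod["hosts"].append(_parse_match(value, as_ip=False))
        elif key == "ip":
            mod["ips"].append(_parse_match(value, as_ip=True))
        else:
            mod["timeout"] = int(value)
    return mod


def parse_iauth_conf(text):
    """Return (iauth_options, modules); raise ValueError on a syntax error."""
    sections = _sections(text)
    if not sections:
        raise ValueError("empty configuration")
    if sections[0][0].split()[0] == "module":   # file has no options section
        return {}, [_parse_module(s) for s in sections]
    return _parse_global(sections[0]), [_parse_module(s) for s in sections[1:]]


def check_syntax(text):
    """Return None when the file parses, else the error message."""
    try:
        parse_iauth_conf(text)
    except ValueError as exc:
        return str(exc)
    return None


def module_applies(mod, host, ip):
    """Should this module section handle a connection from host/ip?"""
    if not mod["ips"] and not mod["hosts"]:
        return True                       # no host nor ip entry: always used
    addr = ipaddress.ip_address(ip)
    for negated, net in mod["ips"]:       # IP addresses are checked first
        if addr in net:
            return not negated
    for negated, pattern in mod["hosts"]:
        if fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return not negated
    return False                          # assumed: entries present, none matched


def modules_for(modules, host, ip):
    """Names of the module sections, in file order, used for one connection."""
    return [m["name"] for m in modules if module_applies(m, host, ip)]


def effective_timeout(mod, iauth_options):
    """A per-module timeout wins over the global one; the default is 30 s."""
    if mod["timeout"] is not None:
        return mod["timeout"]
    return iauth_options.get("timeout", DEFAULT_TIMEOUT)
```

Running check_syntax over a candidate file before installing it catches the two mistakes the format invites most often, a module setting that is not TAB-indented and a misspelled keyword; modules_for shows which sections a client from a given host and address would actually pass through, which is the quickest way to confirm that a "!" entry sits where you meant it in the order.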
CAVEATS
When the option extinfo is set, connections registering as a server or a service with the IRC server are not guaranteed to receive the "user" authentication provided by modules (such as the rfc931 module).
COPYRIGHT
(c) 1998,1999 Christophe Kalt
For full COPYRIGHT see LICENSE file with IRC package.
FILES
"iauth.conf"
SEE ALSO
iauth(8)
AUTHOR
Christophe Kalt.
$Date: 2003/10/13 00:11:43 $ IAUTH.CONF(5)