Identfile and ChangeLog/1.7.0: Difference between pages

From ZNC
Zarthus (talk | contribs)
m A lot of users were having trouble with configuring oidentd, the main cause of this problem seemed to be that they all had "znc" under "default". I've added a troubleshooting tip that mentions this may need changing.
 
 
Line 1: Line 1:
{{Core Module}}
{{ChangeLog}}
The identfile module places the ident of a user to a file when they are trying to connect. When the IRC server gets the connection request, it will query your system for the ident. An ident server such as oidentd or ident2 can read the ident file and send this ident back to the IRC server. Afterwards ZNC writes back the old contents of your ident file.
__TOC__
== Usage ==
{{Module arguments
| type = global}}


== Commands ==
<!-- last commit: aab76567662f770ed763c6ae25be1cbe8d9fd3cf -->
Output of '''/msg *identfile help''':
<pre>
+-----------+-----------+----------------------+
| Command  | Arguments | Description          |
+-----------+-----------+----------------------+
| GetFile  |          |                      |
| GetFormat |          |                      |
| Help      | search    | Generate this output |
| SetFile  | <file>    |                      |
| SetFormat | <format>  |                      |
| Show      |          |                      |
+-----------+-----------+----------------------+
</pre>
The format uses [[ExpandString]], so ''%ident%'' will be expanded to ident.  This is the value taken from the Ident field set for that ZNC user, or optionally, the network specific setting if there is one.


Another commonly used value is ''%user%'', which is the name of the ZNC user connecting to IRC.  As it may not be changed by normal ZNC users, it's often useful for BNC providers or anyone sharing the ZNC instance with others.
// TODO: cleanup this list, reorder, recategorize, fix grammar


== Using identfile with oidentd ==
== New ==
1. Your '''/etc/oidentd.conf''' must allow ident spoofing for the user ZNC runs as (the ''allow spoof'' privilege).  
* Add CMake build. Minimum supported CMake version is 3.1. For now ZNC can be built with either CMake or autoconf. In future autoconf is going to be removed.
** Currently <code>znc-buildmod</code> requires python if CMake was used; if that's a concern for you, please open a bug.
* Increase minimum GCC version from 4.7 to 4.8. Minimum Clang version stays at 3.2.
* Make ZNC UI translateable to different languages, add partial Russian translation. If you want to translate ZNC to your language, great! Please say.
* Configs written before ZNC 0.206 can't be read anymore {{GH|929}}
* Implement IRCv3.2 capability <code>echo-message</code> on the "client side" {{GH|950}}
* Implement IRCv3.2 capabilities <code>cap-notify</code>, <code>away-notify</code>, <code>account-notify</code>, <code>extended-join</code> {{GH|315}} {{GH|316}}
* Update capability names as they are named in IRCv3.2: <code>znc.in/server-time-iso</code>→<code>server-time</code>, <code>znc.in/batch</code>→<code>batch</code>. Old names will continue working for a while, then will be removed in some future version.
* Make ZNC request <code>server-time</code> from server when available {{GH|839}}
* Increase accepted line length from 1024 to 2048 to give some space to message tags
* Separate buffer size settings for channels and queries {{GH|967}}
* Support separate <code>SSLKeyFile</code> and <code>SSLDHParamFile</code> configuration in addition to existing <code>SSLCertFile</code> {{GH|1192}}
* Add "AuthOnlyViaModule" global/user setting {{GH|331}}
* Added [[pyeval]] module
* Added [[stripcontrols]] module {{GH|387}}
* Add new substitutions to [[ExpandString]]: <code>%empty%</code> and <code>%network%</code>. {{GH|1049}} {{GH|1139}}
* Stop defaulting real name to "Got ZNC?" {{GH|818}}
* Make the user aware that debug mode is enabled. {{GH|1446}}
* Added <code>ClearAllBuffers</code> command {{GH|852}}
* Don't require CSRF token for POSTs if the request uses HTTP Basic auth. {{GH|946}}
* Set <code>HttpOnly</code> and <code>SameSite=strict</code> for session cookies {{GH|1077}} {{GH|1450}}
* Add SNI SSL client support {{GH|1200}}
* Add support for CIDR notation in allowed hosts list and in trusted proxy list {{GH|207}} {{GH|1219}}
* Add network-specific config for cert validation in addition to user-supplied fingerprints: <code>TrustAllCerts</code>, defaults to false, and <code>TrustPKI</code>, defaults to true. {{GH|866}}
* Add <code>/attach</code> command for symmetry with <code>/detach</code>. Unlike <code>/join</code> it allows wildcards.
* [[Timestamps#Format|Timestamp format]] now supports sub-second precision with <code>%f</code>. Used in [[awaystore]], [[listsockets]], [[log]] modules and buffer playback when client doesn't support server-time {{GH|1455}}
* Build on macOS using ICU, Python, and OpenSSL from Homebrew, if available {{GH|894}}
* Remove <code>--with-openssl=/path</code> option from ./configure. SSL is still supported and is still configurable


Example file (replace "znc" with the user that ZNC will run on):
== Fixes ==
<pre>
* Revert tables to how they were in ZNC 1.4 {{GH|914}}
user "znc" {
* Remove flawed Add/Del/ListBindHost(s). They didn't correctly do what they were intended for, but users often confused them with the SetBindHost option. SetBindHost still works. {{GH|983}}
    default {
* Fix disconnection issues when being behind NAT by decreasing the interval how often PING is sent and making it configurable via a setting to change ping timeout time {{GH|979}}
        allow spoof
* Change default flood rates to match RFC1459, prevent excess flood problems {{GH|1416}} {{GH|1418}}
        allow spoof_all
* Match channel names and hostmasks case-insensitively in [[autoattach]], [[autocycle]], [[autoop]], [[autovoice]], [[log]], [[watch]] modules {{GH|822}}
        allow spoof_privport
* Fix crash in [[shell]] module which happens if client disconnects at a wrong time {{GH|1248}}
        allow random
* Decrease CPU usage when joining channels during startup or reconnect, add config write delay setting {{GH|1250}}
        allow random_numeric
* modperl: Fix reloading of module which couldn't be loaded before
        allow numeric
* modperl: Explain modperl that ZNC uses UTF-8 internally
        allow hide
* Always send the users name in NOTICE when logging in. {{GH|1282}}
    }
* Don't try to quit multiple times {{GH|1392}}
}
* Don't send PART to client which sent QUIT
</pre>
* Send failed logins to NOTICE instead of PRIVMSG {{GH|1472}}
* Stop creating files with odd permissions on Solaris {{GH|1492}}
* Save channel key on JOIN even if user was not on the channel yet {{GH|1223}}
* Stop buffering and echoing CTCP requests and responses to other clients with self-message, except for /me {{GH|1488}}
* Support discovery of tcl 8.6 during <code>./configure</code>


2. Create an empty .oidentd.conf in the homedir of the user you are running ZNC as (create this file while logged in as the user you run ZNC as):
== Modules ==
touch ~/.oidentd.conf
* adminlog: make path configurable {{GH|1001}}
chmod 644 ~/.oidentd.conf
* alias: add DUMP command to copy your config between users {{GH|1114}}
* awaystore: add -chans option which records channel highlights {{GH|851}}
* blockmotd: add GetMotd command {{GH|783}} {{GH|1361}}
* clearbufferonmsg: add options which events trigger clearation of buffers. {{GH|825}}
* controlpanel: add the <code>DelServer</code> command. {{GH|810}}
* controlpanel: add $user and $network aliases {{GH|847}}
* controlpanel: Allow reseting channel specific AutoClearChanBuffer and BufferSize settings by setting them to "-" {{GH|990}}
* controlpanel: Change "double" to "number" {{GH|1468}}
* crypt: cover notices, actions and topics {{GH|813}}
* crypt: Don't use the same or overlapping NickPrefix as StatusPrefix {{GH|1377}}
* crypt: Add DH1080 key exchange {{GH|1378}}
* crypt: Add Get/SetNickPrefix commands, Hide the internal keyword from ListKeys {{GH|1382}}
* crypt: fix build with LibreSSL {{GH|1439}}
* cyrusauth: improve UI
* fail2ban: make timeout and attempts configurable, add BAN, UNBAN and LIST commands {{GH|534}}
* flooddetach: detach on nick floods {{GH|941}}
* keepnick: improve behaviour by listening to ircd-side numeric errors {{GH|945}}
* log: Add -timestamp option {{GH|978}}
* log: Add options to hide joins, quits and nick changes. {{GH|601}}
* log: stop forcing username and network name to be lower case in filenames {{GH|1171}}
* log: Log user quit messages {{GH|1395}}
* missingmotd: Include nick in IRC numeric command, reduce client confusion {{GH|1399}}
* modperl: provide operator "" for ZNC::String
* modperl: Honor PERL5LIB env var
* modperl: fix functions like HasPerm() which accept char {{GH|1486}}
* modpython: Disable legacy encoding mode when modpython is loaded. {{GH|1229}}
* modpython: Add CQuery(s) and CServer(s) {{GH|1436}}
* modperl, modpython: support ValidateWebRequestCSRFCheck {{GH|1424}}
* nickserv: use <code>/nickserv identify</code> by default instead of <code>/msg nickserv</code>. {{GH|786}}
* nickserv: support messages from X3 services {{GH|1322}}
* notify_connect: Show client identification {{GH|1195}}
* sasl: add web interface {{GH|910}}
* sasl: enable all known mechanisms by default {{GH|938}}
* sasl: Make the first requirement for SET actually mandatory, return information about settings if no input for SET {{GH|1338}}
* schat: Require explicit path to certificate.
* simple_away: use ExpandString for away reason, rename old %s to %awaytime% {{GH|1149}}
* simple_away: Add MinClients option {{GH|1133}}
* stickychan: save registry on every stick/unstick action, auto-save if channel key changes {{GH|881}}
* stickychan: stop checking so often, increase delay to once every 3 minutes {{GH|1333}}
* webadmin: allow reseting chan buffer size by entering an empty value
* webadmin: make tables sortable. {{GH|40}}
* webadmin: Make server editor and CTCP replies editor more fancy, when JS is enabled {{GH|145}}
* webadmin: show per-network traffic info {{GH|963}}
* webadmin: make the traffic info page visible for non-admins, non-admins can see only their traffic {{GH|1020}}


3. Oidentd must be able to read your ~/.oidentd.conf. Therefore ZNC's homedir should at least have 711 (world executable, rwx--x--x) permissions. This step may not be necessary
== Internal ==
chmod 711 ~
* Stop pretending that ZNC ABI is stable, when it's not. Make module version checks more strict and prevent crashes when loading a module which are built for the wrong ZNC version. {{GH|1353}}
* Various HTML changes {{GH|1308}}
* Introduce a CMessage class and its subclasses {{GH|506}}
* Add module callbacks which accept CMessage, deprecate old callbacks
* Modernize code to use more C++11 features
* Various code cleanups
* Fix CSS of <code>_default_</code> skin for Fingerprints section
* Add <code>OnUserQuitMessage()</code> module hook.
* Add <code>OnPrivBufferStarting()</code> and <code>OnPrivBufferEnding()</code> hooks {{GH|1294}}
* <code>CString::WildCmp()</code>: add an optional case-sensitivity argument
* Do not call <code>OnAddUser()</code> hook during ZNC startup {{GH|929}}
* Allow modules to override CSRF protection. {{GH|1180}}
* Rehash now reloads only global settings {{GH|929}}
* Remove <code>CAP CLEAR</code>
* <code>CChan::GetNetwork()</code>
* <code>CUser</code>: add API for removing and clearing allowed hosts
* <code>CZNC</code>: add missing SSL-related getters and setters
* Add a possibility (not an "option") to disable launch after --makeconf {{GH|257}}
* Add an integration test {{GH|772}}
* Move Unix signal processing to a dedicated thread.
* Add clang-format configuration, switch tabs to spaces.
* <code>CString::StripControls()</code>: Strip background colors when we reset foreground {{GH|1261}}
* Make chan modes and permissions to be char instead of unsigned char. {{GH|1486}}


4. Next load and configure the identfile module. This can be done with the following commands.
== Cosmetic ==
<pre>
* Alphabetically sort the modules we compile using autoconf/Makefile {{GH|1358}}
/msg *status loadmod identfile
* Alphabetically sort output of <code>znc --help</code> {{GH|1367}}
/msg *identfile setfile ~/.oidentd.conf
* Change output during startup to be more compact {{GH|1124}}
/msg *identfile setformat global { reply "%ident%" }
* Show new server name when reconnecting to a different server with <code>/znc jump</code> {{GH|1147}}
</pre>
* Hide passwords in listservers output {{GH|1320}}
 
* Filter out ZNC passwords in output of <code>znc -D</code> {{GH|1445}}
''Check [[ExpandString]] for possible variables''
* Switch znc.in URLs to https
 
Note: If you use ipv6 with oidentd and it is ''not working for an unknown reason'', try running it like this: <code>oidentd -a ::</code> - it should force ipv6.
 
== Using identfile with ident2 ==
 
1. Install ident2. By default when you install ident2 on debian it will automatically be configured and started via xinetd. If you are starting ident2 manually you will need to start it with the "-n" argument. This allows using an ident file in a user's homedir over there username for ident, and is required for use with the identfile module.
 
2. Next load and configure the identfile module. This can be done with the following commands.
<pre>
/msg *status loadmod identfile
/msg *identfile setfile ~/.ident
/msg *identfile setformat ident %ident%
</pre>
=== File Permissions ===
 
ident2 must be able to read your "~/.ident file". Therefore ZNC's homedir should at least have 711 (world executable, rwx--x--x) permissions. Commonly most homedir's are created as executable by other users but if this is not the case then you can use the following commands to change the permissions.
<pre>
chmod 711 ~
touch ~/.ident
chmod 644 ~/.ident
</pre>
== Chrooted installs with identfile ==
 
If you have [[chroot|chrooted your ZNC installation]] you can still use identfile. Simply create a symbolic link to the ident file inside the chroot:
ln -s /home/bouncer/ident /var/chroot/home/bouncer/ident
 
You will need to change the "ident" part of each file to the actual file that your ident system uses, for oidentd it would become the following:
ln -s /home/bouncer/.oidentd.conf /var/chroot/home/bouncer/.oidentd.conf
 
All changes made by ZNC to the chromed ident file will now be visible for your ident server. An other way is, to chroot the ident server too which is more secure, but isn't easy for novice users.
 
== Alternative ==
[[Using ident spoofs with identserver and iptables]]
 
== Troubleshooting tips ==
 
1. You will most likely have to chmod /home and /home/user with 644 permissions manually in order for the config to be read.
 
2. You will have to reconnect or restart ZNC after completing this, mileage may vary.
 
3. If there are any firewalls between ZNC and the IRC server, port 113 TCP needs to be permitted.
 
4. With oidentd, if there are any other users, or a "default" block. You may need to place the "znc" user at the top of the file.
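
Review bot: troubleshooting tip 4 is punctuated as a fragment followed by a sentence ("With oidentd, if there are any other users, or a "default" block. You may need to place the "znc" user at the top of the file.") and does not name the layout that fails. The edit summary says the common cause was having "znc" under "default", so the tip should say that directly in one sentence, and repeat the example file's reminder to replace "znc" with the user that ZNC runs as. Separately, tip 1 asks for 644 on /home and /home/user, while step 3 and the ident2 File Permissions section ask for 711 on the home directory; 644 drops the execute bit that the ident daemon needs to traverse the directory and reach the ident file, so the tips should agree on 711.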

Revision as of 22:55, 11 March 2018

← 1.6.6 ZNC 1.7.0 1.7.1 →


// TODO: cleanup this list, reorder, recategorize, fix grammar

New

  • Add CMake build. Minimum supported CMake version is 3.1. For now ZNC can be built with either CMake or autoconf. In future autoconf is going to be removed.
    • Currently znc-buildmod requires python if CMake was used; if that's a concern for you, please open a bug.
  • Increase minimum GCC version from 4.7 to 4.8. Minimum Clang version stays at 3.2.
  • Make ZNC UI translatable to different languages, add partial Russian translation. If you want to translate ZNC to your language, great! Please say.
  • Configs written before ZNC 0.206 can't be read anymore (#929)
  • Implement IRCv3.2 capability echo-message on the "client side" (#950)
  • Implement IRCv3.2 capabilities cap-notify, away-notify, account-notify, extended-join (#315) (#316)
  • Update capability names as they are named in IRCv3.2: znc.in/server-time-iso→server-time, znc.in/batch→batch. Old names will continue working for a while, then will be removed in some future version.
  • Make ZNC request server-time from server when available (#839)
  • Increase accepted line length from 1024 to 2048 to give some space to message tags
  • Separate buffer size settings for channels and queries (#967)
  • Support separate SSLKeyFile and SSLDHParamFile configuration in addition to existing SSLCertFile (#1192)
  • Add "AuthOnlyViaModule" global/user setting (#331)
  • Added pyeval module
  • Added stripcontrols module (#387)
  • Add new substitutions to ExpandString: %empty% and %network%. (#1049) (#1139)
  • Stop defaulting real name to "Got ZNC?" (#818)
  • Make the user aware that debug mode is enabled. (#1446)
  • Added ClearAllBuffers command (#852)
  • Don't require CSRF token for POSTs if the request uses HTTP Basic auth. (#946)
  • Set HttpOnly and SameSite=strict for session cookies (#1077) (#1450)
  • Add SNI SSL client support (#1200)
  • Add support for CIDR notation in allowed hosts list and in trusted proxy list (#207) (#1219)
  • Add network-specific config for cert validation in addition to user-supplied fingerprints: TrustAllCerts, defaults to false, and TrustPKI, defaults to true. (#866)
  • Add /attach command for symmetry with /detach. Unlike /join it allows wildcards.
  • Timestamp format now supports sub-second precision with %f. Used in awaystore, listsockets, log modules and buffer playback when client doesn't support server-time (#1455)
  • Build on macOS using ICU, Python, and OpenSSL from Homebrew, if available (#894)
  • Remove --with-openssl=/path option from ./configure. SSL is still supported and is still configurable

Fixes

  • Revert tables to how they were in ZNC 1.4 (#914)
  • Remove flawed Add/Del/ListBindHost(s). They didn't correctly do what they were intended for, but users often confused them with the SetBindHost option. SetBindHost still works. (#983)
  • Fix disconnection issues when being behind NAT by decreasing the interval how often PING is sent and making it configurable via a setting to change ping timeout time (#979)
  • Change default flood rates to match RFC1459, prevent excess flood problems (#1416) (#1418)
  • Match channel names and hostmasks case-insensitively in autoattach, autocycle, autoop, autovoice, log, watch modules (#822)
  • Fix crash in shell module which happens if client disconnects at a wrong time (#1248)
  • Decrease CPU usage when joining channels during startup or reconnect, add config write delay setting (#1250)
  • modperl: Fix reloading of module which couldn't be loaded before
  • modperl: Explain to modperl that ZNC uses UTF-8 internally
  • Always send the user's name in NOTICE when logging in. (#1282)
  • Don't try to quit multiple times (#1392)
  • Don't send PART to client which sent QUIT
  • Send failed logins to NOTICE instead of PRIVMSG (#1472)
  • Stop creating files with odd permissions on Solaris (#1492)
  • Save channel key on JOIN even if user was not on the channel yet (#1223)
  • Stop buffering and echoing CTCP requests and responses to other clients with self-message, except for /me (#1488)
  • Support discovery of tcl 8.6 during ./configure

Modules

  • adminlog: make path configurable (#1001)
  • alias: add DUMP command to copy your config between users (#1114)
  • awaystore: add -chans option which records channel highlights (#851)
  • blockmotd: add GetMotd command (#783) (#1361)
  • clearbufferonmsg: add options for which events trigger clearing of buffers. (#825)
  • controlpanel: add the DelServer command. (#810)
  • controlpanel: add $user and $network aliases (#847)
  • controlpanel: Allow resetting channel specific AutoClearChanBuffer and BufferSize settings by setting them to "-" (#990)
  • controlpanel: Change "double" to "number" (#1468)
  • crypt: cover notices, actions and topics (#813)
  • crypt: Don't use the same or overlapping NickPrefix as StatusPrefix (#1377)
  • crypt: Add DH1080 key exchange (#1378)
  • crypt: Add Get/SetNickPrefix commands, Hide the internal keyword from ListKeys (#1382)
  • crypt: fix build with LibreSSL (#1439)
  • cyrusauth: improve UI
  • fail2ban: make timeout and attempts configurable, add BAN, UNBAN and LIST commands (#534)
  • flooddetach: detach on nick floods (#941)
  • keepnick: improve behaviour by listening to ircd-side numeric errors (#945)
  • log: Add -timestamp option (#978)
  • log: Add options to hide joins, quits and nick changes. (#601)
  • log: stop forcing username and network name to be lower case in filenames (#1171)
  • log: Log user quit messages (#1395)
  • missingmotd: Include nick in IRC numeric command, reduce client confusion (#1399)
  • modperl: provide operator "" for ZNC::String
  • modperl: Honor PERL5LIB env var
  • modperl: fix functions like HasPerm() which accept char (#1486)
  • modpython: Disable legacy encoding mode when modpython is loaded. (#1229)
  • modpython: Add CQuery(s) and CServer(s) (#1436)
  • modperl, modpython: support ValidateWebRequestCSRFCheck (#1424)
  • nickserv: use /nickserv identify by default instead of /msg nickserv. (#786)
  • nickserv: support messages from X3 services (#1322)
  • notify_connect: Show client identification (#1195)
  • sasl: add web interface (#910)
  • sasl: enable all known mechanisms by default (#938)
  • sasl: Make the first requirement for SET actually mandatory, return information about settings if no input for SET (#1338)
  • schat: Require explicit path to certificate.
  • simple_away: use ExpandString for away reason, rename old %s to %awaytime% (#1149)
  • simple_away: Add MinClients option (#1133)
  • stickychan: save registry on every stick/unstick action, auto-save if channel key changes (#881)
  • stickychan: stop checking so often, increase delay to once every 3 minutes (#1333)
  • webadmin: allow resetting chan buffer size by entering an empty value
  • webadmin: make tables sortable. (#40)
  • webadmin: Make server editor and CTCP replies editor more fancy, when JS is enabled (#145)
  • webadmin: show per-network traffic info (#963)
  • webadmin: make the traffic info page visible for non-admins, non-admins can see only their traffic (#1020)

Internal

  • Stop pretending that ZNC ABI is stable, when it's not. Make module version checks more strict and prevent crashes when loading a module which is built for the wrong ZNC version. (#1353)
  • Various HTML changes (#1308)
  • Introduce a CMessage class and its subclasses (#506)
  • Add module callbacks which accept CMessage, deprecate old callbacks
  • Modernize code to use more C++11 features
  • Various code cleanups
  • Fix CSS of _default_ skin for Fingerprints section
  • Add OnUserQuitMessage() module hook.
  • Add OnPrivBufferStarting() and OnPrivBufferEnding() hooks (#1294)
  • CString::WildCmp(): add an optional case-sensitivity argument
  • Do not call OnAddUser() hook during ZNC startup (#929)
  • Allow modules to override CSRF protection. (#1180)
  • Rehash now reloads only global settings (#929)
  • Remove CAP CLEAR
  • CChan::GetNetwork()
  • CUser: add API for removing and clearing allowed hosts
  • CZNC: add missing SSL-related getters and setters
  • Add a possibility (not an "option") to disable launch after --makeconf (#257)
  • Add an integration test (#772)
  • Move Unix signal processing to a dedicated thread.
  • Add clang-format configuration, switch tabs to spaces.
  • CString::StripControls(): Strip background colors when we reset foreground (#1261)
  • Make chan modes and permissions char instead of unsigned char. (#1486)

Cosmetic

  • Alphabetically sort the modules we compile using autoconf/Makefile (#1358)
  • Alphabetically sort output of znc --help (#1367)
  • Change output during startup to be more compact (#1124)
  • Show new server name when reconnecting to a different server with /znc jump (#1147)
  • Hide passwords in listservers output (#1320)
  • Filter out ZNC passwords in output of znc -D (#1445)
  • Switch znc.in URLs to https