To create new wiki account, please join us on #znc at Libera.Chat and ask admins to create a wiki account for you. You can say thanks to spambots for this inconvenience.
Identfile: Difference between revisions
>Mkaysi m →Using identfile with oidentd: "random" was missing from example global config. |
DarthGandalf (talk | contribs) add warning |
||
(19 intermediate revisions by 11 users not shown) | |||
Line 1: | Line 1: | ||
{{Core Module}} | {{Core Module}} | ||
{{ambox | type=content | text = Warning: if ZNC instance has many users, this module will make the reconnection to IRC servers very slow. That includes the startup time, which can take hours. }} | |||
The identfile module places the ident of a user to a file when they are trying to connect. When the IRC server gets the connection request, it will query your system for the ident. An ident server such as oidentd or ident2 can read the ident file and send this ident back to the IRC server. Afterwards ZNC writes back the old contents of your ident file. | The identfile module places the ident of a user to a file when they are trying to connect. When the IRC server gets the connection request, it will query your system for the ident. An ident server such as oidentd or ident2 can read the ident file and send this ident back to the IRC server. Afterwards ZNC writes back the old contents of your ident file. | ||
__TOC__ | __TOC__ | ||
== Usage == | == Usage == | ||
{{Module arguments}} | {{Module arguments | ||
| type = global}} | |||
== Commands == | == Commands == | ||
Output of '''/msg *identfile help''': | Output of '''/msg *identfile help''': | ||
<pre> | <pre> | ||
+-----------+-----------+----------------------+ | +-----------+-----------+----------------------+ | ||
| Command | Arguments | Description | | | Command | Arguments | Description | | ||
+-----------+-----------+----------------------+ | +-----------+-----------+----------------------+ | ||
| GetFile | | | | | GetFile | | | | ||
| GetFormat | | | | | GetFormat | | | | ||
| Help | | | Help | search | Generate this output | | ||
| SetFile | <file> | | | | SetFile | <file> | | | ||
| SetFormat | <format> | | | | SetFormat | <format> | | | ||
+-----------+-----------+----------------------+ | | Show | | | | ||
+-----------+-----------+----------------------+ | |||
</pre> | </pre> | ||
The format uses [[ExpandString]], so %ident% will be expanded to ident. | The format uses [[ExpandString]], so ''%ident%'' will be expanded to ident. This is the value taken from the Ident field set for that ZNC user, or optionally, the network specific setting if there is one. | ||
Another commonly used value is ''%user%'', which is the name of the ZNC user connecting to IRC. As it may not be changed by normal ZNC users, it's often useful for BNC providers or anyone sharing the ZNC instance with others. | |||
== Using identfile with oidentd == | == Using identfile with oidentd == | ||
1. Your | 1. Your <code>/etc/oidentd.conf</code> file must allow the user ZNC runs as to spoof ident replies (the ''spoof'' capability). If your system has a user with the same name as one of the ZNC users, the ''spoof_all'' capability is also required. | ||
Example file: | Example file (replace "znc" with the user that ZNC will run on): | ||
<pre> | <pre> | ||
user "znc" { | |||
default { | default { | ||
allow spoof | allow spoof | ||
allow spoof_all | allow spoof_all | ||
} | } | ||
} | } | ||
</pre> | </pre> | ||
2. Create an empty .oidentd.conf in the | |||
2. Create an empty <code>.oidentd.conf</code> file in the home directory of the user you are running ZNC as. Create this file while logged in as the ZNC user: | |||
touch ~/.oidentd.conf | touch ~/.oidentd.conf | ||
chmod 644 ~/.oidentd.conf | chmod 644 ~/.oidentd.conf | ||
3. | 3. oidentd must be able to read your <code>~/.oidentd.conf</code> file. Therefore, the ZNC user's home directory permissions should be at least <code>711</code> (world executable, <code>rwx--x--x</code>). | ||
chmod 711 ~ | chmod 711 ~ | ||
4. | 4. Finally, load and configure the ''identfile'' module. This can be done using the following commands: | ||
<pre> | <pre> | ||
/msg *status loadmod identfile | /msg *status loadmod identfile | ||
/msg *identfile setfile ~/.oidentd.conf | /msg *identfile setfile ~/.oidentd.conf | ||
/msg *identfile setformat global { reply "% | /msg *identfile setformat global { reply "%user%" } | ||
</pre> | </pre> | ||
''Check [[ExpandString]] for possible variables'' | ''Check [[ExpandString]] for possible variables'' | ||
Note: | Note: oidentd 2.1.0 and earlier did not bind to IPv6 by default. When using one of these versions, oidentd needs to be run as <code>oidentd -a ::</code> if IPv6 support is desired. Additional note: This particular requirement appears to have the opposite effect on some BSD systems, where calling <code>oidentd -a ::</code> resulted in IPv4 ident responses no longer working. Test your environment before deploying. | ||
== Using identfile with ident2 == | == Using identfile with ident2 == | ||
Warning: Ident2 does not support IPv6 | |||
1. Install ident2. By default when you install ident2 on debian it will automatically be configured and started via xinetd. If you are starting ident2 manually you will need to start it with the "-n" argument. This allows using an ident file in a user's homedir over | 1. Install ident2. By default when you install ident2 on debian it will automatically be configured and started via xinetd. If you are starting ident2 manually you will need to start it with the "-n" argument. This allows using an ident file in a user's homedir over their username for ident, and is required for use with the identfile module. | ||
2. Next load and configure the identfile module. This can be done with the following commands. | 2. Next load and configure the identfile module. This can be done with the following commands. | ||
Line 62: | Line 65: | ||
/msg *status loadmod identfile | /msg *status loadmod identfile | ||
/msg *identfile setfile ~/.ident | /msg *identfile setfile ~/.ident | ||
/msg *identfile setformat ident % | /msg *identfile setformat ident %user% | ||
</pre> | </pre> | ||
=== File Permissions === | === File Permissions === | ||
Line 72: | Line 75: | ||
chmod 644 ~/.ident | chmod 644 ~/.ident | ||
</pre> | </pre> | ||
== Chrooted installs with identfile == | == Chrooted installs with identfile == | ||
Line 84: | Line 88: | ||
== Alternative == | == Alternative == | ||
[[Using ident spoofs with identserver and iptables]] | [[Using ident spoofs with identserver and iptables]] | ||
== Troubleshooting tips == | |||
1. You will most likely have to chmod /home and /home/user with 644 permissions manually in order for the configuration file to be read. | |||
2. You may have to reconnect or restart ZNC after completing this. | |||
3. If there are any firewalls between ZNC and the IRC server, TCP port 113 needs to be permitted. | |||
4. If the oidentd configuration file contains a ''default'' block, the ''znc'' user directive should be placed below it (not inside ''default''). | |||
5. Don't forget to restart or reload your identd after configuration changes. |
Latest revision as of 02:37, 5 January 2024
This module is a part of ZNC. This module is shipped with ZNC by default. If you have the right "LoadMod" you can activate it with /znc LoadMod identfile The code for this module can be found here. |
Warning: if ZNC instance has many users, this module will make the reconnection to IRC servers very slow. That includes the startup time, which can take hours. |
The identfile module places the ident of a user to a file when they are trying to connect. When the IRC server gets the connection request, it will query your system for the ident. An ident server such as oidentd or ident2 can read the ident file and send this ident back to the IRC server. Afterwards ZNC writes back the old contents of your ident file.
Usage
Arguments
This global module takes no arguments.
Read loading modules to learn more about loading modules.
Commands
Output of /msg *identfile help:
+-----------+-----------+----------------------+ | Command | Arguments | Description | +-----------+-----------+----------------------+ | GetFile | | | | GetFormat | | | | Help | search | Generate this output | | SetFile | <file> | | | SetFormat | <format> | | | Show | | | +-----------+-----------+----------------------+
The format uses ExpandString, so %ident% will be expanded to ident. This is the value taken from the Ident field set for that ZNC user, or optionally, the network specific setting if there is one.
Another commonly used value is %user%, which is the name of the ZNC user connecting to IRC. As it may not be changed by normal ZNC users, it's often useful for BNC providers or anyone sharing the ZNC instance with others.
Using identfile with oidentd
1. Your /etc/oidentd.conf
file must allow the user ZNC runs as to spoof ident replies (the spoof capability). If your system has a user with the same name as one of the ZNC users, the spoof_all capability is also required.
Example file (replace "znc" with the user that ZNC will run on):
user "znc" { default { allow spoof allow spoof_all } }
2. Create an empty .oidentd.conf
file in the home directory of the user you are running ZNC as. Create this file while logged in as the ZNC user:
touch ~/.oidentd.conf chmod 644 ~/.oidentd.conf
3. oidentd must be able to read your ~/.oidentd.conf
file. Therefore, the ZNC user's home directory permissions should be at least 711
(world executable, rwx--x--x
).
chmod 711 ~
4. Finally, load and configure the identfile module. This can be done using the following commands:
/msg *status loadmod identfile /msg *identfile setfile ~/.oidentd.conf /msg *identfile setformat global { reply "%user%" }
Check ExpandString for possible variables
Note: oidentd 2.1.0 and earlier did not bind to IPv6 by default. When using one of these versions, oidentd needs to be run as oidentd -a ::
if IPv6 support is desired. Additional note: This particular requirement appears to have the opposite effect on some BSD systems, where calling oidentd -a ::
resulted in IPv4 ident responses no longer working. Test your environment before deploying.
Using identfile with ident2
Warning: Ident2 does not support IPv6
1. Install ident2. By default when you install ident2 on debian it will automatically be configured and started via xinetd. If you are starting ident2 manually you will need to start it with the "-n" argument. This allows using an ident file in a user's homedir over their username for ident, and is required for use with the identfile module.
2. Next load and configure the identfile module. This can be done with the following commands.
/msg *status loadmod identfile /msg *identfile setfile ~/.ident /msg *identfile setformat ident %user%
File Permissions
ident2 must be able to read your "~/.ident file". Therefore ZNC's homedir should at least have 711 (world executable, rwx--x--x) permissions. Commonly most homedir's are created as executable by other users but if this is not the case then you can use the following commands to change the permissions.
chmod 711 ~ touch ~/.ident chmod 644 ~/.ident
Chrooted installs with identfile
If you have chrooted your ZNC installation you can still use identfile. Simply create a symbolic link to the ident file inside the chroot:
ln -s /home/bouncer/ident /var/chroot/home/bouncer/ident
You will need to change the "ident" part of each file to the actual file that your ident system uses, for oidentd it would become the following:
ln -s /home/bouncer/.oidentd.conf /var/chroot/home/bouncer/.oidentd.conf
All changes made by ZNC to the chromed ident file will now be visible for your ident server. An other way is, to chroot the ident server too which is more secure, but isn't easy for novice users.
Alternative
Using ident spoofs with identserver and iptables
Troubleshooting tips
1. You will most likely have to chmod /home and /home/user with 644 permissions manually in order for the configuration file to be read.
2. You may have to reconnect or restart ZNC after completing this.
3. If there are any firewalls between ZNC and the IRC server, TCP port 113 needs to be permitted.
4. If the oidentd configuration file contains a default block, the znc user directive should be placed below it (not inside default).
5. Don't forget to restart or reload your identd after configuration changes.