To create new wiki account, please join us on #znc at Libera.Chat and ask admins to create a wiki account for you. You can say thanks to spambots for this inconvenience.

Identfile: Difference between revisions

From ZNC
Jump to navigation Jump to search
>Mkaysi
m Using identfile with oidentd: "random" was missing from example global config.
add warning
 
(19 intermediate revisions by 11 users not shown)
Line 1: Line 1:
{{Core Module}}
{{Core Module}}
{{ambox | type=content | text = Warning: if ZNC instance has many users, this module will make the reconnection to IRC servers very slow. That includes the startup time, which can take hours. }}
The identfile module places the ident of a user to a file when they are trying to connect. When the IRC server gets the connection request, it will query your system for the ident. An ident server such as oidentd or ident2 can read the ident file and send this ident back to the IRC server. Afterwards ZNC writes back the old contents of your ident file.
The identfile module places the ident of a user to a file when they are trying to connect. When the IRC server gets the connection request, it will query your system for the ident. An ident server such as oidentd or ident2 can read the ident file and send this ident back to the IRC server. Afterwards ZNC writes back the old contents of your ident file.
__TOC__
__TOC__
== Usage ==
== Usage ==
{{Module arguments}}
{{Module arguments
| type = global}}


== Commands ==
== Commands ==
Output of '''/msg *identfile help''':
Output of '''/msg *identfile help''':
<pre>
<pre>
+-----------+-----------+----------------------+
+-----------+-----------+----------------------+
| Command  | Arguments | Description          |
| Command  | Arguments | Description          |
+-----------+-----------+----------------------+
+-----------+-----------+----------------------+
| GetFile  |          |                      |
| GetFile  |          |                      |
| GetFormat |          |                      |
| GetFormat |          |                      |
| Help      |           | Generate this output |
| Help      | search    | Generate this output |
| SetFile  | <file>    |                      |
| SetFile  | <file>    |                      |
| SetFormat | <format>  |                      |
| SetFormat | <format>  |                      |
+-----------+-----------+----------------------+
| Show      |          |                      |
+-----------+-----------+----------------------+
</pre>
</pre>
The format uses [[ExpandString]], so %ident% will be expanded to ident.  
The format uses [[ExpandString]], so ''%ident%'' will be expanded to ident. This is the value taken from the Ident field set for that ZNC user, or optionally, the network specific setting if there is one.
 
Another commonly used value is ''%user%'', which is the name of the ZNC user connecting to IRC.  As it may not be changed by normal ZNC users, it's often useful for BNC providers or anyone sharing the ZNC instance with others.
 
== Using identfile with oidentd ==
== Using identfile with oidentd ==
1. Your '''/etc/oidentd.conf''' must allow ident spoofing for the user ZNC runs as (the ''allow spoof'' privilege).  
1. Your <code>/etc/oidentd.conf</code> file must allow the user ZNC runs as to spoof ident replies (the ''spoof'' capability). If your system has a user with the same name as one of the ZNC users, the ''spoof_all'' capability is also required.


Example file:  
Example file (replace "znc" with the user that ZNC will run on):  
<pre>
<pre>
default {
user "znc" {
     default {
     default {
         allow spoof
         allow spoof
         allow spoof_all
         allow spoof_all
        allow spoof_privport
        allow random
        allow random_numeric
        allow numeric
        allow hide
     }
     }
}
}
</pre>
</pre>
2. Create an empty .oidentd.conf in the homedir of the user you are running ZNC as (this step may be unnecessary)
 
2. Create an empty <code>.oidentd.conf</code> file in the home directory of the user you are running ZNC as. Create this file while logged in as the ZNC user:
  touch ~/.oidentd.conf
  touch ~/.oidentd.conf
  chmod 644 ~/.oidentd.conf
  chmod 644 ~/.oidentd.conf


3. Oidentd must be able to read your ~/.oidentd.conf. Therefore ZNC's homedir should at least have 711 (world executable, rwx--x--x) permissions.  
3. oidentd must be able to read your <code>~/.oidentd.conf</code> file. Therefore, the ZNC user's home directory permissions should be at least <code>711</code> (world executable, <code>rwx--x--x</code>).
  chmod 711 ~
  chmod 711 ~


4. Next load and configure the identfile module. This can be done with the following commands.
4. Finally, load and configure the ''identfile'' module. This can be done using the following commands:
<pre>
<pre>
/msg *status loadmod identfile
/msg *status loadmod identfile
/msg *identfile setfile ~/.oidentd.conf
/msg *identfile setfile ~/.oidentd.conf
/msg *identfile setformat global { reply "%ident%" }
/msg *identfile setformat global { reply "%user%" }
</pre>
</pre>


''Check [[ExpandString]] for possible variables''
''Check [[ExpandString]] for possible variables''


Note: If you use ipv6 with oidentd and it is ''not working for an unknown reason'', try running it like this: <code>oidentd -a ::</code> - it should force ipv6.
Note: oidentd 2.1.0 and earlier did not bind to IPv6 by default. When using one of these versions, oidentd needs to be run as <code>oidentd -a ::</code> if IPv6 support is desired.  Additional note: This particular requirement appears to have the opposite effect on some BSD systems, where calling <code>oidentd -a ::</code> resulted in IPv4 ident responses no longer working.  Test your environment before deploying.


== Using identfile with ident2 ==
== Using identfile with ident2 ==
Warning: Ident2 does not support IPv6


1. Install ident2. By default when you install ident2 on debian it will automatically be configured and started via xinetd. If you are starting ident2 manually you will need to start it with the "-n" argument. This allows using an ident file in a user's homedir over there username for ident, and is required for use with the identfile module.  
1. Install ident2. By default when you install ident2 on debian it will automatically be configured and started via xinetd. If you are starting ident2 manually you will need to start it with the "-n" argument. This allows using an ident file in a user's homedir over their username for ident, and is required for use with the identfile module.


2. Next load and configure the identfile module. This can be done with the following commands.  
2. Next load and configure the identfile module. This can be done with the following commands.  
Line 62: Line 65:
/msg *status loadmod identfile
/msg *status loadmod identfile
/msg *identfile setfile ~/.ident
/msg *identfile setfile ~/.ident
/msg *identfile setformat ident %ident%
/msg *identfile setformat ident %user%
</pre>
</pre>
=== File Permissions ===
=== File Permissions ===
Line 72: Line 75:
chmod 644 ~/.ident
chmod 644 ~/.ident
</pre>
</pre>
== Chrooted installs with identfile ==
== Chrooted installs with identfile ==


Line 84: Line 88:
== Alternative ==
== Alternative ==
[[Using ident spoofs with identserver and iptables]]
[[Using ident spoofs with identserver and iptables]]
== Troubleshooting tips ==
1. You will most likely have to chmod /home and /home/user with 644 permissions manually in order for the configuration file to be read.
2. You may have to reconnect or restart ZNC after completing this.
3. If there are any firewalls between ZNC and the IRC server, TCP port 113 needs to be permitted.
4. If the oidentd configuration file contains a ''default'' block, the ''znc'' user directive should be placed below it (not inside ''default'').
5. Don't forget to restart or reload your identd after configuration changes.

Latest revision as of 02:37, 5 January 2024

The identfile module places the ident of a user to a file when they are trying to connect. When the IRC server gets the connection request, it will query your system for the ident. An ident server such as oidentd or ident2 can read the ident file and send this ident back to the IRC server. Afterwards ZNC writes back the old contents of your ident file.

Usage

Arguments

This global module takes no arguments.

Read loading modules to learn more about loading modules.

Commands

Output of /msg *identfile help:

 +-----------+-----------+----------------------+
 | Command   | Arguments | Description          |
 +-----------+-----------+----------------------+
 | GetFile   |           |                      |
 | GetFormat |           |                      |
 | Help      | search    | Generate this output |
 | SetFile   | <file>    |                      |
 | SetFormat | <format>  |                      |
 | Show      |           |                      |
 +-----------+-----------+----------------------+

The format uses ExpandString, so %ident% will be expanded to ident. This is the value taken from the Ident field set for that ZNC user, or optionally, the network specific setting if there is one.

Another commonly used value is %user%, which is the name of the ZNC user connecting to IRC. As it may not be changed by normal ZNC users, it's often useful for BNC providers or anyone sharing the ZNC instance with others.

Using identfile with oidentd

1. Your /etc/oidentd.conf file must allow the user ZNC runs as to spoof ident replies (the spoof capability). If your system has a user with the same name as one of the ZNC users, the spoof_all capability is also required.

Example file (replace "znc" with the user that ZNC will run on):

user "znc" {
    default {
        allow spoof
        allow spoof_all
    }
}

2. Create an empty .oidentd.conf file in the home directory of the user you are running ZNC as. Create this file while logged in as the ZNC user:

touch ~/.oidentd.conf
chmod 644 ~/.oidentd.conf

3. oidentd must be able to read your ~/.oidentd.conf file. Therefore, the ZNC user's home directory permissions should be at least 711 (world executable, rwx--x--x).

chmod 711 ~

4. Finally, load and configure the identfile module. This can be done using the following commands:

/msg *status loadmod identfile
/msg *identfile setfile ~/.oidentd.conf
/msg *identfile setformat global { reply "%user%" }

Check ExpandString for possible variables

Note: oidentd 2.1.0 and earlier did not bind to IPv6 by default. When using one of these versions, oidentd needs to be run as oidentd -a :: if IPv6 support is desired. Additional note: This particular requirement appears to have the opposite effect on some BSD systems, where calling oidentd -a :: resulted in IPv4 ident responses no longer working. Test your environment before deploying.

Using identfile with ident2

Warning: Ident2 does not support IPv6

1. Install ident2. By default when you install ident2 on debian it will automatically be configured and started via xinetd. If you are starting ident2 manually you will need to start it with the "-n" argument. This allows using an ident file in a user's homedir over their username for ident, and is required for use with the identfile module.

2. Next load and configure the identfile module. This can be done with the following commands.

/msg *status loadmod identfile
/msg *identfile setfile ~/.ident
/msg *identfile setformat ident %user%

File Permissions

ident2 must be able to read your "~/.ident file". Therefore ZNC's homedir should at least have 711 (world executable, rwx--x--x) permissions. Commonly most homedir's are created as executable by other users but if this is not the case then you can use the following commands to change the permissions.

chmod 711 ~
touch ~/.ident
chmod 644 ~/.ident

Chrooted installs with identfile

If you have chrooted your ZNC installation you can still use identfile. Simply create a symbolic link to the ident file inside the chroot:

ln -s /home/bouncer/ident /var/chroot/home/bouncer/ident

You will need to change the "ident" part of each file to the actual file that your ident system uses, for oidentd it would become the following:

ln -s /home/bouncer/.oidentd.conf /var/chroot/home/bouncer/.oidentd.conf

All changes made by ZNC to the chromed ident file will now be visible for your ident server. An other way is, to chroot the ident server too which is more secure, but isn't easy for novice users.

Alternative

Using ident spoofs with identserver and iptables

Troubleshooting tips

1. You will most likely have to chmod /home and /home/user with 644 permissions manually in order for the configuration file to be read.

2. You may have to reconnect or restart ZNC after completing this.

3. If there are any firewalls between ZNC and the IRC server, TCP port 113 needs to be permitted.

4. If the oidentd configuration file contains a default block, the znc user directive should be placed below it (not inside default).

5. Don't forget to restart or reload your identd after configuration changes.