--- /dev/null
+$Id: iauth.txt,v 1.1 2001-05-01 11:38:34 isomer Exp $
+
+Patrick Alken <wnder@underworld.net>
+01/09/2000
+
+Ircd Authentication
+==== ==============
+
+1. Introduction
+
+ This document describes the protocol used for the IAuth server.
+IAuth performs authorization checks for all clients that connect
+to the ircd server.
+
+2. Protocol
+
+ Ircd and IAuth communicate through a TCP/IP connection. The
+Ircd server will always initiate the connection to the IAuth
+server.
+
+2.1 Server
+
+ When an Ircd server first connects to an IAuth server, it will
+send IAuth a string of the form:
+
+ Server <name>
+
+ <name> - Ircd server name
+
+ This is used for identification purposes in case more than one
+Ircd server is using an IAuth server.
+
+2.2 Class
+
+2.2.1 Class Add
+
+ When an Ircd server first connects to an IAuth server, it will
+send IAuth it's class list in the form:
+
+ Class Add <number> <maxlinks>
+
+ <number> - Class number
+ <maxlinks> - Maximum number of clients in this class
+
+ This is needed for the I-line check, in case the number of
+clients allowed to use a certain I-line is limited.
+
+2.2.2 Class Clear
+
+ Upon a rehash, the Ircd server will send I-line a string of the
+form:
+
+ Class Clear [number]
+
+ [number] - optional number
+
+ In case the Ircd server's Y: lines were changed prior to the
+rehash, IAuth will clear it's old class list to make room for
+the new one Ircd will send after the rehash (via Class Add).
+
+2.3 DoAuth
+
+ When a client connects to the Ircd server, Ircd will send
+a string of the form:
+
+ DoAuth <id> <nickname> <username> <hostname> <IP> [password]
+
+ <id> - A unique ID used to identify each client
+ <nickname> - Client's nickname
+ <username> - Client's username
+ <hostname> - Client's hostname
+ <IP> - Client's IP Address in unsigned int format
+ [password] - *Optional* Client password
+
+ The DoAuth directive will initiate an authorization check on
+the client. The following checks are performed.
+
+2.3.1 I-line Check
+
+ This check will ensure that the client matches a valid I-line
+(as given in iauth.conf). If the client fails this check, he/she
+will not be allowed to remain connected to the Ircd server.
+The actual reason they failed authorization will be told to them.
+(See the BadAuth directive).
+ See the section on iauth.conf for more information on I-lines.
+
+2.3.2 Server Ban Check
+
+ K-lines are server-wide bans for individual (or groups of) clients.
+If a client matches a K-line, they will be disconnected from the
+Ircd server with the reason they are banned. The only exception to
+this is if they have an exemption flag in their I-line. See the
+iauth.conf section for more details on this.
+
+2.3.3 Quarantine Check
+
+ Q-lines specify nicknames which are not allowed to be used on
+the Ircd server. If a client's nickname matches that of a Q-lined
+nickname, they will be informed they have selected a quarantined
+nickname and be disconnected from the server.
+
+2.4 DoneAuth
+
+ If a client passes all of the above checks, they will pass
+authorization and be allowed to continue their connection to
+the Ircd server. IAuth will send a string back to the Ircd
+server of the form:
+
+ DoneAuth <id> <username> <hostname> <class>
+
+ <id> - Client's unique ID
+ <username> - Client's username
+ <hostname> - Client's hostname (may be different from original
+ if they are allowed a spoof)
+ <class> - Client's I-line class
+
+ This will inform the Ircd server that the specified client is
+authorized to connect.
+
+2.5 BadAuth
+
+ If a client fails any of the above checks, IAuth will send a
+string to the Ircd server of the form:
+
+ BadAuth <id> :<reason>
+
+ <id> - Client's unique ID
+ <reason> - Reason client failed authorization
+
+ The Ircd server will then send an error back to the client
+containing <reason> and disconnect them.
+
+3. Configuration file (iauth.conf)
+
+ IAuth reads a configuration file upon startup. The name of the
+file is located in setup.h, under #define CONFFILE. The format
+of this file is identical to that of ircd.conf, except it supports
+less directives.
+
+3.1 I-lines (Server Access)
+
+ I-lines allow clients access to the Ircd server and are of the
+form:
+
+ I:<spoofhost>:[password]:[flags][user@]<host>::<class>
+
+ <spoofhost> - Hostname to give client if SPOOF_FREEFORM
+ is defined.
+ [password] - *Optional* password that clients will
+ be required to supply to gain access.
+ [flags] - *Optional* flags (see below)
+ [user] - *Optional* username (if not given, defaults
+ to "*")
+ <host> - Client's hostname
+ <class> - I-line class (see section Class Add)
+
+ Possible values to go in the [flags] section are:
+
+ = - Spoof their IP Address (requires #define
+ SPOOF_FREEFORM)
+ ! - Limit 1 client per IP Address
+ - - Do not give them a tilde (~) character if they
+ are not running identd
+ + - Do not allow them to connect if they are not
+ running identd
+ ^ - Client is exempt from K/G lines
+ > - Client is also exempt from connection limits
+
+3.2 K-lines (Server Bans)
+
+ K-lines specify clients who are banned from the Ircd server and
+are of the form:
+
+ K:<username>@<hostname>:<reason>
+
+ <username> - Client's username
+ <hostname> - Client's hostname
+ <reason> - Reason client is banned
+
+3.3 Q-lines (Quarantined Nicknames)
+
+ Q-lines specify illegal nicknames. A client that attempts to use
+a quarantined nickname will be exited from the Ircd server. Q-lines
+are of the form:
+
+ Q:<nickname>:<reason>:[[username@]hostname]]
+
+ <nickname> - Quarantined nickname
+ <reason> - Reason nickname is quarantined
+ [username] - *Optional* exempted username
+ [hostname] - *Optional* exempted hostname
+
+ Examples:
+
+ Q:dcc*:Dcc bots not allowed
+ Q:GoodOper:GoodOper may use this nick:goodoper@oper.irc.server.com
+
+3.4 P-lines (Ports)
+
+ P-lines specify ports on which the IAuth server will listen for
+incoming Ircd server connections. They are of the form:
+
+ P:<portnum>
+
+ <portnum> - Port number
--- /dev/null
+/* - Internet Relay Chat, include/iauth.h
+ * Copyright (C) 2001 Perry Lorier <Isomer@coders.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 1, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ *
+ * $Id$
+ */
+#ifndef INCLUDED_iauth_h
+#define INCLUDED_iauth_h
+
+struct Iauth {
+ struct Iauth* next; /* list node pointer */
+ int fd; /* file descriptor */
+ char* service; /* service name */
+ int ref_count; /* number of connection references */
+ unsigned char active; /* current state of iauth */
+};
+
+extern struct Iauth* IauthPollList; /* GLOBAL - iauth list */
+
+
+#endif /* INCLUDED_iauth_h */
+
--- /dev/null
+/************************************************************************
+ * IRC - Internet Relay Chat, src/listener.c
+ * Copyright (C) 2001 Perry Lorier <isomer@coders.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 1, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * $Id$
+ */
+#include "config.h"
+#include "iauth.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+
+struct Iauth_Outstanding {
+ struct iauth_outstanding *next;
+ int client_id;
+}
+
+static struct Iauth_Outstanding *iauth_freelist=NULL;
+struct Iauth IauthPollList = NULL;
+
+void iauth_new(char *service)
+{
+ /* TODO: Check to see if the service is a hostname, and if so
+ * connect to it like hybrid does. Hybrid uses a blocking
+ * gethostbyname here (bletch!!). On the other hand a
+ * nonblocking solutions likely to be worse....
+ */
+ struct Iauth* tmp = (struct Iauth *)malloc(sizeof(struct Iauth));
+ int fd[2];
+ tmp->next = IauthPollList;
+ tmp->fd = 0;
+ tmp->service=strdup(service);
+ tmp->ref_count=0;
+ tmp->active=0;
+ if (socketpair(domain,type,protocol,fd)<0) {
+ free(tmp->service);
+ free(tmp);
+ return;
+ }
+ tmp->fd=fd[0];
+ if (0 == fork()) {
+ (void)close(pi[0]);
+ (void)dup2(pi[1],0);
+ (void)dup2(pi[1],1);
+ for (i = 2; i < MAXCONNECTIONS; i++)
+ (void)close(i);
+ if (pi[1] != 0 && pi[1] != 1)
+ (void)close(pi[1]);
+ (void)execlp(tmp->service, tmp->service, 0);
+ exit(-1);
+ } else {
+ /* TODO: Put the real servername in there */
+ (void)write(tmp->fd,"Server undernet.org 1.1");
+ }
+ IauthPollList=tmp;
+}