This patch introduces the possibility to arbitrarily select ciphers which
should be promoted resp. declined when establishing a SSL connection
with a client by implementing the new configuration option "CipherList".
By default, OpenSSL would accept low and medium strength and RC-4 ciphers,
which nowadays are known to be broken.
This patch only implements the feature for OpenSSL. A GnuTLS counterpart
has to be implemented in another patch ...
Original patch by Bastian <bastian-ngircd@t6l.de>.
Closes bug #162.
The new configuration option "DefaultUserModes" lists user modes that
become automatically set on new local clients right after login.
Please note that only modes can be set that the client could set on
itself, you can't set "a" (away) or "o" (IRC Op), for example! User
modes "i" (invisible) or "x" (cloaked) etc. are "interesting", though.
Default: set no modes (like without this patch).
Closes bug #160.
The new configuration variable "AllowedChannelTypes" lists all allowed
channel types (channel prefixes) for newly created channels on the local
server. By default, all supported channel types are allowed.
If set to the empty string, local clients can't create new channels at
all, which equals the old "PredefChannelsOnly = yes" setting.
This patch deprecates the "PredefChannelsOnly" variable, too, but it is
still supported and translated to the apropriate "AllowedChannelTypes"
setting. When "PredefChannelsOnly" is processed, a warning message is
logged.
Closes bug #152.
The option "IncludeDir" in the [Options] section can be used
to specify a directory which can contain further configuration
files and configuration file snippets matching the pattern
"*.conf" that should be read in after the main configuration
file ("ngircd.conf" by default) has been parsed.
Closes bug #157.
This patch implements a new configuration option "IdleTimeout" in the
[Limits] section of the configuration file which can be used to set a
timeout (in seconds) after which the whole daemon will shutdown when no
more connections are left active after handling at least one client.
The default is 0, "never".
This can be useful for testing or when ngIRCd is started using "socket
activation" with systemd(8), for example.
If disabled, IRC operators don't become channel operators in persistent
channels when joining. Enabled by default, which has been the behavior
of ngIRCd up to this patch.
Closes bug #135.
(Cosmetic fixes by Alex.)
The "ServiceMask" variable in "Server" blocks now can handle more than
one mask using the new MatchCaseInsensitiveList() function.
This makes marking "service clients" much more specific, which is a
good thing per se, but which is the prerequisite for reasonably
blocking these nick names, too (see commit a6dd2e3 for details).
Implemented support for hashed hostnames for CloakHost. The admin can
use '%x' in both the CloakHost and CloakHostModeX setting. The config
option CloakHostModeX was renamed to CloakHostSalt. This salt is used
for both cloaking options.
CloakHostModeX can now contain '%x'. It will be replace by the hash of
the original client hostname. The new config option CloakHostModeXSalt
defines the salt for the hash function. When CloakHostModeXSalt is not
set a random salt will be generated after each server restart.
Spelling fix in defines.h
When "PAMIsOptional" is set, clients not sending a password are still
allowed to connect: they won't become "identified" and keep the "~"
character prepended to their supplied user name.
this patch contains:
* Fix for Conf_CloakUserToNick to make it conceal user details
* Adds MorePrivacy-feature
MorePrivacy censors some user information from being reported by the
server. Signon time and idle time is censored. Part and quit messages
are made to look the same. WHOWAS requests are silently dropped. All
of this is useful if one wish to conceal users that access the ngircd
servers from TOR or I2P.
* NoticeAuth:
Add documentation for "NoticeAuth" configuration option
Configuration: move "NoticeAuth" to GLOBAL section
New configuration option "NoticeAuth": send NOTICE AUTH on connect
* CloakUserHost:
Add a note not to use a percent sign ("%") in CloakHost variable
Rename ClientHost to CloakHost, and ClientUserNick to CloakUserToNick
Don't use "the.net" in sample-ngircd.conf, use "example.net"
ngircd.conf.5: document "ClientHost" and "ClientUserNick"
Move "ClientHost" and "ClientUserNick" to end of [Global] section
ClientUserNick setting
ClientHost setting
* QuitOnHTTP:
Only "handle" HTTP commands on unregistered connections
Don't use IRC_QUIT_HTTP() if STRICT_RFC is #define'd
IRC_QUIT_HTTP(): enhance error message
Move IRC_QUIT_HTTP() below IRC_QUIT()
quit on HTTP commands: GET & POST
* bug72-WHOIS-List:
Add "whois-test" to testsuite and distribution archive
Add support for up to 3 targets in WHOIS queries.
The percent sign is reserved for future extensions, for example to
expand some variables like %H to a hash value of the real host name ...
Idea by kaFux in #ngircd.
Describe the possible types of variables in ngircd.conf:
booleans, text strings, integer numbers.
And add type information to each variable description.
ngircd unfortunately uses several options using double-negation, e.g.
NoIdent = No, NoPam = No, etc.
This renames all options by dropping the "No" prefix, e.g.
"NoIdent = no" becomes "Ident = yes".
The old options will continue to work, but will cause a warning
message.
Also update man pages and default config.
To prevent silly
'Ident = yes' from appearing in --configtest output in the
'ident support not compiled in and Ident Option not used' case,
make default value depend on feature availability.
If feature is available, enable by default, otherwise disable.
We might consider moving these options to a new
[Feature]
section, or something like that, because none of these options are
essential.
Another possible improvement:
'Ident = yes' option in ngircd.conf causes a warning if ngircd was
built without ident support.
This does not happen with e.g. zeroconf....
If ngIRCd is compiled to register its services using ZeroConf (e.g. using
Howl, Avahi or on Mac OS X) this parameter can be used to disable service
registration at runtime.
The new option "SyslogFacility" deines the syslog "facility" to which
ngIRCd should send log messages.
Possible values are system dependant, but most probably "auth", "daemon",
"user" and "local1" through "local7" are possible values; see syslog(3).
Default is "local5" for historical reasons.
previously, the given MotdFile file was read whenever a client
requested it.
Change handling to read the MotdFile contents into memory once
during config file parsing.
Two side effects:
- changes to the MOTD file do not have any effect until ngircds
configuration is reloaded
- MOTD file does no longer have to reside in the chroot directory
(the MOTD contents will then not be re-read on reload in that case)
When the "NoPAM" configuration option is set and ngIRCd is compiled
with support for PAM, ngIRCd will not call any PAM functions: all
connection attemps without password will succeed instead and all
connection attemps with password will fail.
If ngIRCd is compiled without PAM support, this option is a dummy
option and nothing changes: the global server password will still be
in effect.
The WEBIRC command is used by some Web-to-IRC gateways to set the correct
user name and host name of users instead of their own.
Syntax: WEBIRC <password> <username> <hostname> <ip-address>
The <password> must be set using the new configuration variable "WebircPassword" in the [Global] section of ngircd.conf.
Please note that the <ip-address> is currently not used by ngIRCd (we don't store it in the CLIENT structure, only the resolved hostname).
Added new configuration option "AllowRemoteOper" to control whether
remote IRC operators are allowed to use administrative commands that
affect this server or not
This commit introduces the configuration variable, but actually no
function is using it. That's up for the next patches to come ...
Cosmo Kastemaa reported that its impossible to create an ssl-only setup,
as ngircd binds to port 6667 by default, even if setting "Ports =".
Only add the default port if _both_ "Ports" and "SSLPorts" are
unspecified.
Fixes bugzilla #98.
Alexander Barton