.\"
.\" ngircd.conf(5) manual page template
.\"
-.TH ngircd.conf 5 "Jun 2011" ngircd "ngIRCd Manual"
+.TH ngircd.conf 5 "Mar 2012" ngircd "ngIRCd Manual"
.SH NAME
ngircd.conf \- configuration file of ngIRCd
.SH SYNOPSIS
In addition, some string or numerical variables accept lists of values,
separated by commas (",").
.SH "SECTION OVERVIEW"
-The file can contain blocks of four types: [Global], [Limits], [Options],
-[Operator], [Server], and [Channel].
+The file can contain blocks of seven types: [Global], [Limits], [Options],
+[SSL], [Operator], [Server], and [Channel].
.PP
The main configuration of the server is stored in the
.I [Global]
maximum number of clients allowed to connect to this server. Variables in the
.I [Options]
section can be used to enable or disable specific features of ngIRCd, like
-support for IDENT, PAM, IPv6, SSL, and protocol and cloaking features. These
-two sections are both optional.
+support for IDENT, PAM, IPv6, and protocol and cloaking features. The
+.I [SSL]
+block contains all SSL-related configuration variables. These three sections
+are all optional.
.PP
IRC operators of this server are defined in
.I [Operator]
.PP
There can be more than one [Operator], [Server] and [Channel] section per
configuration file (one for each operator, server, and channel), but only
-exactly one [Global], one [Limits], and one [Options] section.
+exactly one [Global], one [Limits], one [Options], and one [SSL] section.
.SH [GLOBAL]
The
.I [Global]
\fBPidFile\fR (string)
This tells ngIRCd to write its current process ID to a file. Note that the
pidfile is written AFTER chroot and switching the user ID, e.g. the directory
-the pidfile resides in must be writeable by the ngIRCd user and exist in the
+the pidfile resides in must be writable by the ngIRCd user and exist in the
chroot directory (if configured, see above).
.TP
\fBPorts\fR (list of numbers)
-Ports on which the server should listen. There may be more than one port,
-separated with commas (","). Default: 6667, unless \fBSSL_Ports\fR are also
-specified.
+Ports on which the server should listen for unencrypted connections. There
+may be more than one port, separated with commas (","). Default: 6667.
.TP
\fBServerGID\fR (string or number)
Group ID under which the ngIRCd should run; you can use the name of the
seconds, it will be disconnected by the server. Default: 20.
.SH [OPTIONS]
Optional features and configuration options to further tweak the behavior of
-ngIRCd. If you wan't to get started quickly, you most probably don't have to
+ngIRCd. If you want to get started quickly, you most probably don't have to
make changes here -- they are all optional.
.TP
\fBAllowRemoteOper\fR (boolean)
\fBIdent\fR (boolean)
If ngIRCd is compiled with IDENT support this can be used to disable IDENT
lookups at run time.
+Users identified using IDENT are registered without the "~" character
+prepended to their user name.
Default: yes.
.TP
+\fBMorePrivacy\fR (boolean)
+This will cause ngIRCd to censor user idle time, logon time as well as the
+part/quit messages (that are sometimes used to inform everyone about which
+client software is being used). WHOWAS requests are also silently ignored.
+This option is most useful when ngIRCd is being used together with
+anonymizing software such as TOR or I2P and one does not wish to make it
+too easy to collect statistics on the users.
+Default: no.
+.TP
\fBNoticeAuth\fR (boolean)
Normally ngIRCd doesn't send any messages to a client until it is registered.
Enable this option to let the daemon send "NOTICE AUTH" messages to clients
If ngIRCd is compiled with PAM support this can be used to disable all calls
to the PAM library at runtime; all users connecting without password are
allowed to connect, all passwords given will fail.
+Users identified using PAM are registered without the "~" character
+prepended to their user name.
Default: yes.
.TP
+\fBPAMIsOptional\fR (boolean)
+When PAM is enabled, all clients are required to be authenticated using PAM;
+connecting to the server without successful PAM authentication isn't possible.
+If this option is set, clients not sending a password are still allowed to
+connect: they won't become "identified" and keep the "~" character prepended
+to their supplied user name.
+Please note:
+To make some use of this behavior, it most probably isn't useful to enable
+"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be
+able to distinguish between Ident'ified and PAM-authenticated users: both
+don't have a "~" character prepended to their respective user names!
+Default: no.
+.TP
\fBPredefChannelsOnly\fR (boolean)
If enabled, no new channels can be created. Useful if you do not want to have
other channels than those defined in [Channel] sections in the configuration
If set to true, ngIRCd will silently drop all CTCP requests sent to it from
both clients and servers. It will also not forward CTCP requests to any
other servers. CTCP requests can be used to query user clients about which
-software they are using and which versions said softare is. CTCP can also be
+software they are using and which versions said software is. CTCP can also be
used to reveal clients IP numbers. ACTION CTCP requests are not blocked,
this means that /me commands will not be dropped, but please note that
blocking CTCP will disable file sharing between users!
Default: no.
.TP
-\fBSSLCertFile\fR (string)
+\fBSyslogFacility\fR (string)
+Syslog "facility" to which ngIRCd should send log messages. Possible
+values are system dependent, but most probably "auth", "daemon", "user"
+and "local1" through "local7" are possible values; see syslog(3).
+Default is "local5" for historical reasons, you probably want to
+change this to "daemon", for example.
+.TP
+\fBWebircPassword\fR (string)
+Password required for using the WEBIRC command used by some Web-to-IRC
+gateways. If not set or empty, the WEBIRC command can't be used.
+Default: not set.
+.SH [SSL]
+All SSL-related configuration variables are located in the
+.I [SSL]
+section. Please note that this whole section is only recognized by ngIRCd
+when it is compiled with support for SSL using OpenSSL or GnuTLS!
+.TP
+\fBCertFile\fR (string)
SSL Certificate file of the private server key.
.TP
-\fBSSLDHFile\fR (string)
+\fBDHFile\fR (string)
Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS
"certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not
present, it will be generated on startup when ngIRCd was compiled with GnuTLS
(Ephemeral)-Diffie-Hellman Key Exchanges and several Cipher Suites will not be
available.
.TP
-\fBSSLKeyFile\fR (string)
+\fBKeyFile\fR (string)
Filename of SSL Server Key to be used for SSL connections. This is required
for SSL/TLS support.
.TP
-\fBSSLKeyFilePassword\fR (string)
+\fBKeyFilePassword\fR (string)
OpenSSL only: Password to decrypt the private key file.
.TP
-\fBSSLPorts\fR (list of numbers)
+\fBPorts\fR (list of numbers)
Same as \fBPorts\fR , except that ngIRCd will expect incoming connections
to be SSL/TLS encrypted. Common port numbers for SSL-encrypted IRC are 6669
and 6697. Default: none.
-.TP
-\fBSyslogFacility\fR (string)
-Syslog "facility" to which ngIRCd should send log messages. Possible
-values are system dependent, but most probably "auth", "daemon", "user"
-and "local1" through "local7" are possible values; see syslog(3).
-Default is "local5" for historical reasons, you probably want to
-change this to "daemon", for example.
-.TP
-\fBWebircPassword\fR (string)
-Password required for using the WEBIRC command used by some Web-to-IRC
-gateways. If not set or empty, the WEBIRC command can't be used.
-Default: not set.
.SH [OPERATOR]
.I [Operator]
sections are used to define IRC Operators. There may be more than one
\fBMask\fR (string)
Mask that is to be checked before an /OPER for this account is accepted.
Example: nick!ident@*.example.com
-.SH [FEATURES]
-An optional section that can be used to disable features at
-run-time. A feature is enabled by default if if ngircd was built with
-support for it.
.SH [SERVER]
Other servers are configured in
.I [Server]