Configuring oidentd for ZNC

Installing oidentd is necessary if you're providing a public bouncer. Ident helps ensure that a user of your bouncer can always be uniquely identified, making it easier to ban that user and prevent abuse.

You may want to consult znc's wiki as a reference.

First, we install oidentd:

$ doas pkg_add oidentd

Afterwards, inside /etc/rc.local, we put the following:

if [ -x /usr/local/sbin/oidentd ]; then
        echo -n ' oidentd';     /usr/local/sbin/oidentd -u _identd -g _identd

Warning: Do not use -a :: as suggested in znc's wiki or ident will not work for IPv4.

This ensures that oident starts at bootup and runs as the user and group _identd.

Now, to start oidentd, run:

$ doas /usr/local/sbin/oidentd -u _identd -g _identd

Put this inside /etc/oidentd.conf to spoof ident replies:

user "znc" {
    default {
        allow spoof
        allow spoof_all

Make sure the identfile module is loaded on znc.

We need to create ~/.oidentd.conf inside the home folder for znc that oidentd will read from to spoof ident replies. This is made more tricky by the fact that znc runs inside a chroot:

$ doas touch /home/znc/home/znc/.oidentd.conf
$ doas ln -s /home/znc/home/znc/.oidentd.conf /home/znc/.oidentd.conf
$ doas chmod 664 /home/znc/.oidentd.conf /home/znc/home/znc/.oidentd.conf
$ doas chmod 755 /home/znc/ /home/znc/home /home/znc/home/znc
$ doas chown znc:znc /home/znc/.oidentd.conf /home/znc/home/znc/.oidentd.conf

ZNC's identfile module will help write to /home/znc/home/znc/.oidentd.conf, which in turn is symlinked to /home/znc/.oidentd.conf . This latter file is what oidentd reads from. We must make sure oidentd can read the .oidentd.conf file by ensuring the permissions on each of the directories leading up the file are at least rwx--x--x.

While connected to znc using an account with admin rights, send this through your IRC client:

/msg *status loadmod identfile
/msg *identfile setfile ~/.oidentd.conf
/msg *identfile setformat global { reply "%user%" }

This sets the ident reply to be the username (which the user can't change), ensuring that ident replies can't be spoofed by the user.

It is possible to temporarily change a user's ident. However, this fix does not appear permanent. Currently, the recommended way to change a user's ident is to delete his account and create a new username matching the desired ident.