Configuring oidentd for ZNC

Installing oidentd is necessary if you're providing a public bouncer. Ident helps ensure that a user of your bouncer can always be uniquely identified, making it easier to ban that user and prevent abuse.

You may want to consult znc's wiki as a reference.

First, we install oidentd:

$ doas pkg_add oidentd

Afterwards, inside /etc/rc.local, we put the following:

if [ -x /usr/local/sbin/oidentd ]; then
        echo -n ' oidentd';     /usr/local/sbin/oidentd -u _identd -g _identd

Warning: Do not use -a :: as suggested in znc's wiki or ident will not work for IPv4.

This ensures that oident starts at bootup and runs as the user and group _identd.

Now, to start oidentd, run:

$ doas /usr/local/sbin/oidentd -u _identd -g _identd

Put this inside /etc/oidentd.conf to spoof ident replies:

user "znc" {
    default {
        allow spoof
        allow spoof_all

Make sure the identfile module is loaded on znc.

We need to create ~/.oidentd.conf inside the home folder for znc that oidentd will read from to spoof ident replies. This is made more tricky by the fact that znc runs inside a chroot:

$ doas touch /home/znc/home/znc/.oidentd.conf
$ doas ln -s /home/znc/home/znc/.oidentd.conf /home/znc/.oidentd.conf
$ doas chmod 664 /home/znc/.oidentd.conf /home/znc/home/znc/.oidentd.conf
$ doas chmod 755 /home/znc/ /home/znc/home /home/znc/home/znc
$ doas chown znc:znc /home/znc/.oidentd.conf /home/znc/home/znc/.oidentd.conf

ZNC's identfile module will help write to /home/znc/home/znc/.oidentd.conf, which in turn is symlinked to /home/znc/.oidentd.conf . This latter file is what oidentd reads from. We must make sure oidentd can read the .oidentd.conf file by ensuring the permissions on each of the directories leading up the file are at least rwx--x--x.

While connected to znc using an account with admin rights, send this through your IRC client:

/msg *status loadmod identfile
/msg *identfile setfile ~/.oidentd.conf
/msg *identfile setformat global { reply "%user%" }

This sets the ident reply to be the username (which the user can't change), ensuring that ident replies can't be spoofed by the user.

Ident Changes by Admins:

As we can see, the above command:

/msg *identfile setformat global { reply "%user%" }

won't allow user to change their ident, and there has been some recent requests on change of ident we admins are required to change it as per the user wants.

But, with the settings above, which reads the znc username as ident reply we can't easily change ident, and hence we used to clone the user account and change the username as their desired ident name, as a result it enforces the user to use new znc username.

There's an alternate way where we can fix this without tampering the username, so upon any ident change requests, we have to run the following in our irc client:

/msg *identfile setformat global { reply "%ident%" }

We can then goto the requested users znc settings and change ident box contents to their desired ident for all of their networks, disconnect the user and reconnect the user.

Voila, it reads the ident box as "ident", but, this setting alone would also allows the user to change the ident by themself (which we don't want). So, after we successfully confirmed the user's ident reply changed as their desired one. We now have to run the following command on irc-client:

/msg *identfile setformat global { reply "%user%" }

After this, Do Not restart the user. Hence the ident displays the changed one (untill there's a disconnection and reconnection), but also disallows the user to make any changes with it.

But, this is a temporary solution. Everytime the user gets disconnected, upon re-connection, the ident will be changed to their "username".

Now, if a single user gets disconnected, we can use the above method to set the new ident and move on. In the case of server down or other issues, where all znc users get disconnected. We have to do the following in irc-client:

/msg *identfile setformat global { reply "%ident%" }

And restart znc, make sure the idents of the users changed by checking any random user you know whom uses different username and ident,

This way, whatever the user placed on "ident" box would read as ident and gets displayed.

Afterwards, the following command should be run via irc-client

/msg *identfile setformat global { reply "%user%" }

This ensures the user can't change it afterwards.

Note: The user must have their desired ident on their znc's identbox

As you can see, the process is pretty much manual, everytime we have a znc shutdown by any cause, we have to run the above said commands to make sure the user gets their desired ident as well as we have control over the ident.

Note : If your server has very less users whom use a different ident from their username, It is advised to do manually fix theirs (individually) and restart their znc's, rather than restarting the whole znc.

If you have alternative solutions or a way to automate the process, kindly do suggest them.