From 1f501eab9adfc1c13f2cf07245864bdf677975f4 Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Mon, 25 May 2020 07:58:21 -0400 Subject: [PATCH 1/9] update manual references to TLS certificate filenames --- docs/MANUAL.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/MANUAL.md b/docs/MANUAL.md index 54518832..515832ba 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md @@ -140,7 +140,7 @@ The recommended way to operate oragono as a service on Linux is via systemd. Thi The only major distribution that currently packages Oragono is Arch Linux; the aforementioned AUR package includes a systemd unit file. However, it should be fairly straightforward to set up a productionized Oragono on any Linux distribution. Here's a quickstart guide for Debian/Ubuntu: 1. Create a dedicated, unprivileged role user who will own the oragono process and all its associated files: `adduser --system --group oragono`. This user now has a home directory at `/home/oragono`. -1. Copy the executable binary `oragono`, the config file `ircd.yaml`, the database `ircd.db`, and the self-signed TLS certificate (`tls.crt` and `tls.key`) to `/home/oragono`. Ensure that they are all owned by the new oragono role user: `sudo chown oragono:oragono /home/oragono/*`. Ensure that the configuration file logs to stderr. +1. Copy the executable binary `oragono`, the config file `ircd.yaml`, the database `ircd.db`, and the self-signed TLS certificate (`fullchain.pem` and `privkey.pem`) to `/home/oragono`. Ensure that they are all owned by the new oragono role user: `sudo chown oragono:oragono /home/oragono/*`. Ensure that the configuration file logs to stderr. 1. Install our example [oragono.service](https://github.com/oragono/oragono/blob/master/distrib/systemd/oragono.service) file to `/etc/systemd/system/oragono.service`. 1. Enable and start the new service with the following commands: 1. `systemctl daemon-reload` 
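Review bot: the quickstart step that now names `privkey.pem` explicitly only changes ownership (`sudo chown oragono:oragono /home/oragono/*`) and leaves the key with whatever mode it had when copied; add a permissions step next to it, e.g. `chmod 600 /home/oragono/privkey.pem`, so the private key is not readable by other users of the host. Separately, "self-signed TLS certificate (`fullchain.pem` and `privkey.pem`)" reads oddly, since those are the Let's Encrypt filenames used by the renewal hook later in the same file; "TLS certificate and private key" would cover both the self-signed and the CA-issued case.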
@@ -159,9 +159,9 @@ The other major hurdle for productionizing (but one well worth the effort) is ob set -eu umask 077 -cp /etc/letsencrypt/live/example.com/fullchain.pem /home/oragono/tls.crt -cp /etc/letsencrypt/live/example.com/privkey.pem /home/oragono/tls.key -chown oragono:oragono /home/oragono/tls.* +cp /etc/letsencrypt/live/example.com/fullchain.pem /home/oragono/ +cp /etc/letsencrypt/live/example.com/privkey.pem /home/oragono/ +chown oragono:oragono /home/oragono/*.pem # rehash oragono, which will reload the certificates: systemctl reload oragono.service ```` @@ -428,8 +428,8 @@ Many clients do not have this support. However, you can designate port 6667 as a ":6697": tls: - key: tls.key - cert: tls.crt + cert: fullchain.pem + key: privkey.pem sts: enabled: true From 4ca163590c832317a6fa3956d37e565cde1ef1ff Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Mon, 25 May 2020 09:07:37 -0400 Subject: [PATCH 2/9] fix discussion of nick reservation modes --- docs/MANUAL.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/docs/MANUAL.md b/docs/MANUAL.md index 515832ba..ed7bc411 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md 
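Review bot: in the renewal hook, `umask 077` only affects files that `cp` creates; when `/home/oragono/privkey.pem` already exists from a previous run, `cp` overwrites it in place and keeps the existing mode, so the hook depends on the first copy (or the quickstart step) having produced a 0600 file. An explicit `chmod 600 /home/oragono/privkey.pem` after the two copies removes that dependency on prior state. The `chown oragono:oragono /home/oragono/*.pem` glob also picks up any other `.pem` file in that directory; naming the two files explicitly is safer and matches the old `tls.*` line's intent.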
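Review bot: the `cert:` and `key:` values under the `":6697"` listener are bare filenames, so they are resolved relative to the directory oragono is started from, while the quickstart earlier in this patch places the files in `/home/oragono`; either state that the service's working directory must be `/home/oragono` or show absolute paths (`/home/oragono/fullchain.pem`, `/home/oragono/privkey.pem`) so the rename does not turn into a startup failure for readers who copy the snippet.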
@@ -219,9 +219,9 @@ Oragono supports several different modes of operation with respect to accounts a ### Traditional / lenient mode -This is the default mode, and makes Oragono's services act similar to Quakenet's Q bot. In this mode, users cannot own or reserve nicknames. In other words, there is no connection between account names and nicknames. Anyone can use any nickname (as long as it's not already in use by another running client). However, accounts are still useful: they can be used to register channels (see below), and some IRCv3-capable clients (with the `account-tag` or `extended-join` capabilities) may be able to take advantage of them. +This makes Oragono's services act similar to Quakenet's Q bot. In this mode, users cannot own or reserve nicknames. In other words, there is no connection between account names and nicknames. Anyone can use any nickname (as long as it's not already in use by another running client). However, accounts are still useful: they can be used to register channels (see below), and some IRCv3-capable clients (with the `account-tag` or `extended-join` capabilities) may be able to take advantage of them. -To enable this mode, set the following configs (this is the default mode): +To enable this mode, set the following configs: * `accounts.registration.enabled = true` * `accounts.authentication-enabled = true` 
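Review bot: with "(this is the default mode)" removed from both places, the Traditional / lenient section no longer tells the reader which mode the server ships with; a short sentence noting that nick ownership is now the default (as the next section states) keeps the two sections consistent and avoids readers assuming the first-listed mode is the default.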
@@ -229,22 +229,17 @@ To enable this mode, set the following configs (this is the default mode): ### Nick ownership -This mode makes Oragono's services act like those of a typical IRC network (like Freenode). In this mode, registering an account gives you privileges over the use of that account as a nickname. The server will then help you to enforce control over your nickname(s): - -* You can proactively prevent anyone from using your nickname, unless they're already logged into your account -* Alternately, you can give clients a grace period to log into your account, but if they don't and the grace period expires, the server will change their nickname to something else -* Alternately, you can forego any proactive enforcement – but if you decide you want to reclaim your nickname from a squatter, you can `/msg Nickserv ghost stolen_nickname` and they'll be disconnected -* You can associate additional nicknames with your account by changing to it and then issuing `/msg NickServ group` +In this mode (the default), registering an account gives you privileges over the use of that account as a nickname. The server will then help you to enforce control over your nickname(s). No one will be able to use your nickname unless they are logged into your account. To enable this mode, set the following configs: * `accounts.registration.enabled = true` * `accounts.authentication-enabled = true` * `accounts.nick-reservation.enabled = true` +* `accounts.nick-reservation.method = strict` The following additional configs may be of interest: -* `accounts.nick-reservation.method = strict` ; we currently recommend strict nickname enforcement as the default, since we've found that users find it less confusing. * `accounts.nick-reservation.force-nick-equals-account = true` ; this allows nicknames to be treated as account names for most purposes, including for controlling access to channels (see the discussion of private channels below) ### SASL-only mode 
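Review bot: the removed bullet about associating additional nicknames with `/msg NickServ group` was not tied to the old enforcement options and still applies under `method = strict`; restore it in the rewritten paragraph so the grouping feature stays documented. The new sentence "No one will be able to use your nickname unless they are logged into your account" holds only with `accounts.nick-reservation.method = strict`, which this hunk moves into the required list, so the two agree, but saying so in the sentence would make the dependency explicit.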
@@ -259,9 +254,6 @@ To enable this mode, set the following configs: * `accounts.authentication-enabled = true` * `accounts.require-sasl.enabled = true` * `accounts.nick-reservation.enabled = true` - -Additionally, the following configs are recommended: - * `accounts.nick-reservation.method = strict` * `accounts.nick-reservation.force-nick-equals-account = true` From a10474ae42bc7d727092a9113cf478188b725f4c Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Mon, 25 May 2020 11:12:14 -0400 Subject: [PATCH 3/9] changelog entry for #1051 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 99079a06..0e3c4dec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,7 @@ This release includes a change to the MySQL schema. This change will be applied * Fixed some channels not being unregistered during account unregistration (#889) * Fixed `/NICKSERV SET` and related commands being unavailable when account registration is disabled (#922, thanks [@PizzaLover2007](https://github.com/PizzaLover2007)!) * Fixed `TAGMSG` not being replayed correctly in history (#1044) +* Fixed incorrect `401 ERR_NOSUCHNICK` responses on `TAGMSG` sent to a service (#1051, thanks [@ajaspers](https://github.com/ajaspers)!) * Fixed `301 RPL_AWAY` not being sent in `WHOIS` responses when applicable (#850) * `/OPER` with no password no longer disconnects the client (#951) * Fixed failure to send extended-join responses after account unregistration (#933, thanks [@jesopo](https://github.com/jesopo)!) From e5ee5c43436e754abd33be427ae486b6bf6ab018 Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Mon, 25 May 2020 18:16:03 -0400 Subject: [PATCH 4/9] add translators --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e3c4dec..3122bcb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
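Review bot: promoting `accounts.nick-reservation.force-nick-equals-account = true` from recommended to required for SASL-only mode interacts with the sanity check added at the end of this series (patch 9 in `irc/config.go`), which rejects a config that sets `force-nick-equals-account` without `accounts.multiclient.enabled`; the SASL-only list here (and the nick-ownership list in the previous hunk) should also include `accounts.multiclient.enabled = true`, otherwise a reader who follows the manual verbatim gets a server that refuses to start.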
@@ -10,7 +10,7 @@ Since the release of 2.0.0 in March, a number of new communities and organizatio * Tighter control over the relationship between account names and nicknames, eliminating the need for extbans * Support for sending account verification emails directly from Oragono, including DKIM signatures -Many thanks to [@ajaspers](https://github.com/ajaspers) and [@hhirtz](https://github.com/hhirtz) for contributing patches, to [@ajaspers](https://github.com/ajaspers), [@eklitzke](https://github.com/eklitzke), and [@hhirtz](https://github.com/hhirtz) for contributing code reviews, to [@ajaspers](https://github.com/ajaspers), [@bogdomania](https://github.com/bogdomania), [@clukawski](https://github.com/clukawski), Csibesz, [@csmith](https://github.com/csmith), [@eklitzke](https://github.com/eklitzke), [@nxths](https://github.com/nxths), [@hhirtz](https://github.com/hhirtz), [@jesopo](https://github.com/jesopo), [@jlnt](https://github.com/jlnt), [@justjanne](https://github.com/justjanne), [@jwheare](https://github.com/jwheare), [@k4bek4be](https://github.com/k4bek4be), [@kula](https://github.com/kula), [@kylef](https://github.com/kylef), [@Mitaka8](https://github.com/Mitaka8), [@petteri](https://github.com/petteri), [@PizzaLover2007](https://github.com/PizzaLover2007), [@prawnsalad](https://github.com/prawnsalad), [@RyanSquared](https://github.com/RyanSquared), savoyard, and [@xPaw](https://github.com/xPaw) for reporting issues, and to TODO: TRANSLATORS for contributing translations. 
+Many thanks to [@ajaspers](https://github.com/ajaspers) and [@hhirtz](https://github.com/hhirtz) for contributing patches, to [@ajaspers](https://github.com/ajaspers), [@eklitzke](https://github.com/eklitzke), and [@hhirtz](https://github.com/hhirtz) for contributing code reviews, to [@ajaspers](https://github.com/ajaspers), [@bogdomania](https://github.com/bogdomania), [@clukawski](https://github.com/clukawski), Csibesz, [@csmith](https://github.com/csmith), [@eklitzke](https://github.com/eklitzke), [@nxths](https://github.com/nxths), [@hhirtz](https://github.com/hhirtz), [@jesopo](https://github.com/jesopo), [@jlnt](https://github.com/jlnt), [@justjanne](https://github.com/justjanne), [@jwheare](https://github.com/jwheare), [@k4bek4be](https://github.com/k4bek4be), [@kula](https://github.com/kula), [@kylef](https://github.com/kylef), [@Mitaka8](https://github.com/Mitaka8), [@petteri](https://github.com/petteri), [@PizzaLover2007](https://github.com/PizzaLover2007), [@prawnsalad](https://github.com/prawnsalad), [@RyanSquared](https://github.com/RyanSquared), savoyard, and [@xPaw](https://github.com/xPaw) for reporting issues, and to [@bogdomania](https://github.com/bogdomania), [@boppy](https://github.com/boppy), Nuve, stickytoffeepuddingwithcaramel, and [@vegax87](https://github.com/vegax87) for contributing translations. This release includes changes to the config file format, including one breaking change: support for `server.ip-cloaking.secret-environment-variable` has been removed. (See below for instructions on how to upgrade if you were using this feature.) All other changes to the config file format are backwards compatible and do not require updating before restart. From 0461eb48f4901aec5d7db9d089c7bc8b30937091 Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Tue, 26 May 2020 16:27:06 -0400 Subject: [PATCH 5/9] add more bug credits --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3122bcb2..58fbc291 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,7 +10,7 @@ Since the release of 2.0.0 in March, a number of new communities and organizatio * Tighter control over the relationship between account names and nicknames, eliminating the need for extbans * Support for sending account verification emails directly from Oragono, including DKIM signatures -Many thanks to [@ajaspers](https://github.com/ajaspers) and [@hhirtz](https://github.com/hhirtz) for contributing patches, to [@ajaspers](https://github.com/ajaspers), [@eklitzke](https://github.com/eklitzke), and [@hhirtz](https://github.com/hhirtz) for contributing code reviews, to [@ajaspers](https://github.com/ajaspers), [@bogdomania](https://github.com/bogdomania), [@clukawski](https://github.com/clukawski), Csibesz, [@csmith](https://github.com/csmith), [@eklitzke](https://github.com/eklitzke), [@nxths](https://github.com/nxths), [@hhirtz](https://github.com/hhirtz), [@jesopo](https://github.com/jesopo), [@jlnt](https://github.com/jlnt), [@justjanne](https://github.com/justjanne), [@jwheare](https://github.com/jwheare), [@k4bek4be](https://github.com/k4bek4be), [@kula](https://github.com/kula), [@kylef](https://github.com/kylef), [@Mitaka8](https://github.com/Mitaka8), [@petteri](https://github.com/petteri), [@PizzaLover2007](https://github.com/PizzaLover2007), [@prawnsalad](https://github.com/prawnsalad), [@RyanSquared](https://github.com/RyanSquared), savoyard, and [@xPaw](https://github.com/xPaw) for reporting issues, and to [@bogdomania](https://github.com/bogdomania), [@boppy](https://github.com/boppy), Nuve, stickytoffeepuddingwithcaramel, and [@vegax87](https://github.com/vegax87) for contributing translations. 
+Many thanks to [@ajaspers](https://github.com/ajaspers) and [@hhirtz](https://github.com/hhirtz) for contributing patches, to [@ajaspers](https://github.com/ajaspers), [@eklitzke](https://github.com/eklitzke), and [@hhirtz](https://github.com/hhirtz) for contributing code reviews, to [@ajaspers](https://github.com/ajaspers), [@bogdomania](https://github.com/bogdomania), [@clukawski](https://github.com/clukawski), Csibesz, [@csmith](https://github.com/csmith), [@eklitzke](https://github.com/eklitzke), [@nxths](https://github.com/nxths), [@hhirtz](https://github.com/hhirtz), [@jesopo](https://github.com/jesopo), [@jlnt](https://github.com/jlnt), [@justjanne](https://github.com/justjanne), [@jwheare](https://github.com/jwheare), [@k4bek4be](https://github.com/k4bek4be), [@KoraggKnightWolf](https://github.com/KoraggKnightWolf), [@kula](https://github.com/kula), [@kylef](https://github.com/kylef), [@Mitaka8](https://github.com/Mitaka8), [@petteri](https://github.com/petteri), [@PizzaLover2007](https://github.com/PizzaLover2007), [@prawnsalad](https://github.com/prawnsalad), [@RyanSquared](https://github.com/RyanSquared), savoyard, and [@xPaw](https://github.com/xPaw) for reporting issues, and to [@bogdomania](https://github.com/bogdomania), [@boppy](https://github.com/boppy), Nuve, stickytoffeepuddingwithcaramel, and [@vegax87](https://github.com/vegax87) for contributing translations. This release includes changes to the config file format, including one breaking change: support for `server.ip-cloaking.secret-environment-variable` has been removed. (See below for instructions on how to upgrade if you were using this feature.) All other changes to the config file format are backwards compatible and do not require updating before restart. 
@@ -60,6 +60,8 @@ This release includes a change to the MySQL schema. This change will be applied * Improved validation of channel keys (#1021, thanks [@kylef](https://github.com/kylef)!) * Fixed labeling of `421 ERR_UNKNOWNCOMMAND` responses (#994, thanks [@k4bek4be](https://github.com/k4bek4be)!) * Fixed incorrect parsing of ident protocol responses (#1002, thanks [@justjanne](https://github.com/justjanne)!) +* Fixed registration completing after `NICK` and an ident response, without waiting for `USER` (#1057, thanks [@KoraggKnightWolf](https://github.com/KoraggKnightWolf)!) +* Fixed messages rejected by the `+R` mode being stored in history (#1061, thanks [@KoraggKnightWolf](https://github.com/KoraggKnightWolf)!) * Fixed redundant `/INVITE` commands not sending `443 ERR_USERONCHANNEL` (#842, thanks [@hhirtz](https://github.com/hhirtz)!) * Fixed `/NICKSERV REGISTER` response displaying `mailto:` out of context (#985, thanks [@eklitzke](https://github.com/eklitzke)!) * Fixed HostServ approval and rejection notices being sent from the wrong source (#805) From c7199798c8e5131f8384d81f947e9f47998bc7eb Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Tue, 26 May 2020 17:29:08 -0400 Subject: [PATCH 6/9] add email verification docs --- docs/MANUAL.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/MANUAL.md b/docs/MANUAL.md index ed7bc411..49e38e39 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md @@ -29,6 +29,7 @@ _Copyright © Daniel Oaks , Shivaram Lingamneni Date: Wed, 27 May 2020 09:57:27 -0400 Subject: [PATCH 7/9] add snomask documentation --- docs/MANUAL.md | 4 ++-- irc/help.go | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/MANUAL.md b/docs/MANUAL.md index 49e38e39..13853ce1 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md 
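Review bot: only the hunk header `@@ -29,6 +29,7 @@` of patch 6 (`add email verification docs`, 21 insertions in `docs/MANUAL.md`) survives in this rendering; the added lines are missing, so the email verification documentation cannot be reviewed here and should be checked directly in the repository before this series is merged.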
@@ -503,9 +503,9 @@ To unset this mode and let anyone speak to you: /mode dan -R -### +s - Server Notice Masks +### +s - Server Notice Masks ("snomasks") -This is a special 'list mode'. If you're an IRC operator, this mode lets you see special server notices that get sent out. See the Server Notice Masks section for more information on this mode. +This is a special 'list mode'. If you're an IRC operator, this mode lets you see special server notices that get sent out. See `/helpop snomasks` (as an operator) for more information on this mode. ### +Z - TLS diff --git a/irc/help.go b/irc/help.go index 50878685..fcdc6df9 100644 --- a/irc/help.go +++ b/irc/help.go @@ -83,6 +83,7 @@ Oragono supports the following server notice masks for operators: t | Local /STATS usage. u | Local client account actions. x | Local X-lines (DLINE/KLINE/etc). + v | Local vhost changes. To set a snomask, do this with your nickname: From d48ca682bd88c8626442f967256b2c4acca37d3d Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Thu, 28 May 2020 01:11:28 -0400 Subject: [PATCH 8/9] make manual language more consistent --- docs/MANUAL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/MANUAL.md b/docs/MANUAL.md index 13853ce1..9adad8db 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md 
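Review bot: the snomask table in `irc/help.go` is in alphabetical order (`t`, `u`, `x`), so the new `v | Local vhost changes.` row belongs between `u` and `x` rather than after `x`; keeping the order makes it easy for operators reading `/helpop snomasks` to spot a missing or duplicated letter.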
@@ -331,7 +331,7 @@ Our language and translation functionality is very early, so feel free to let us Traditionally, every connection to an IRC server is separate must use a different nickname. [Bouncers](https://en.wikipedia.org/wiki/BNC_%28software%29#IRC) are used to work around this, by letting multiple clients connect to a single nickname. With Oragono, if the server is configured to allow it, multiple clients can share a single nickname without needing a bouncer. To use this feature, both connections must authenticate with SASL to the same user account and then use the same nickname during connection registration (while connecting to the server) – once you've logged-in, you can't share another nickname. -To enable this functionality, set `accounts.multiclient.enabled` to `true`. Setting `accounts.multiclient.allowed-by-default` to `true` will allow this for everyone. If `allowed-by-default` is `false` (but `enabled` is still `true`), users can opt in to shared connections using `/msg NickServ SET multiclient on`. +To enable this functionality, set `accounts.multiclient.enabled` to `true`. Setting `accounts.multiclient.allowed-by-default` to `true` will allow this for everyone. If `allowed-by-default` is `false` (but `enabled` is still `true`), users can opt in to shared connections using `/msg NickServ SET multiclient true`. You can see a list of your active sessions and their idle times with `/msg NickServ sessions` (network operators can use `/msg NickServ sessions nickname` to see another user's sessions). From 9177e785c516b3769d5b6185ebfcd62c9cd7d5c4 Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Thu, 28 May 2020 01:18:19 -0400 Subject: [PATCH 9/9] add a config sanity check --- irc/config.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/irc/config.go b/irc/config.go index 277413e1..73888eb5 100644 --- a/irc/config.go +++ b/irc/config.go 
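Review bot: changing the documented opt-in from `/msg NickServ SET multiclient on` to `/msg NickServ SET multiclient true` should be checked against the `SET` handler so the value shown in the manual is one it actually accepts, and, if `on` was accepted before, whether it still is, so that instructions already circulated to users keep working. The unchanged context line above also carries a typo, "every connection to an IRC server is separate must use a different nickname", that could be fixed in the same documentation pass.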
@@ -927,6 +927,10 @@ func LoadConfig(filename string) (config *Config, err error) { config.Accounts.Multiclient.AllowedByDefault = true } + if config.Accounts.NickReservation.ForceNickEqualsAccount && !config.Accounts.Multiclient.Enabled { + return nil, errors.New("force-nick-equals-account requires enabling multiclient as well") + } + // handle guest format, including the legacy key rename-prefix if config.Accounts.NickReservation.GuestFormat == "" { renamePrefix := config.Accounts.NickReservation.RenamePrefix
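Review bot: the new check in `LoadConfig` returns `errors.New(...)` but the hunk shows no import of `errors`; confirm `irc/config.go` already imports it, or the build breaks. Consider also rejecting `force-nick-equals-account` when `accounts.nick-reservation.enabled` is false, since the option has no effect without reservation, and update the manual's nick-ownership and SASL-only config lists (edited earlier in this series) to include `accounts.multiclient.enabled = true` so that the documented configurations pass this check.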