<meta charset="UTF-8"/><!-- <meta http-equiv="refresh" content="60" /> --><meta name="description" content="Instructions for identifying to services on various IRC networks."/><meta name="author" content="Mikaela Suomalainen"/><link rel="canonical" href="https://mkaysi.github.io/pages/external/identifying.html">
<p>There isn't much to say about SASL, as it's easy to configure as long as your IRC client supports it. SASL identifies you before logging in, but it won't help you if services are down. The easiest way to check whether your network supports SASL is probably to whois or message SaslServ, or both.</p>
<pre><code>/whois SaslServ SaslServ
/msg SaslServ help</code></pre>
<p>If the network does support SASL, you should see something like this which freenode gives:</p>
<pre><code>XX:XX:XX -- SaslServ: This service exists to identify connecting clients to the network. It has no public interface.</code></pre>
<p>There are different mechanisms for use with SASL. I personally use them in this order with ZNC: <code>PLAIN DH-AES DH-BLOWFISH and EXTERNAL</code>.</p>
<p>This is what ZNC 1.5-git-3b01efc says about them:</p>
<p>CertFP identifies you using an SSL certificate, which you must generate and add to your NickServ account.</p>
<p>You can use this command on IRC to check whether the network supports CertFP.</p>
<pre><code>/msg NickServ help cert</code></pre>
<p>I am not sure how this happens on Windows, so you might need to look for that information elsewhere unless someone decides to help me and tell me how it happens. I am going to talk about OpenSSL.</p>
<h3 id="generating-the-certificate">Generating the certificate</h3>
<p>Open a terminal and run this command, replacing YOURNICKNAMEHERE.pem with your nickname or something else that tells you what the file is (<strong>DO NOT SET A PASSWORD FOR IT OR YOUR CLIENT MIGHT NOT BE ABLE TO USE IT</strong>):</p>
<p><strong>NOTE: This certificate is valid for 24855 days, which is the maximum on 32-bit systems. This might not be very wise, but as we only use this cert on IRC and don't want to worry about regenerating it too often, we give it a very long validity period. You should regenerate your cert as often as you change your password, or even more often…</strong></p>
<p>Oh, and <strong>don't close your terminal yet</strong> as you will need it for HexChat.</p>
<p>Now open your HexChat and press <code>CTRL + S</code> or go to <code>HexChat --> Network list</code> and check the settings for the networks that you use.</p>
<ul class="incremental">
<li>Use SSL for all the servers on this network.</li>
<li>Make sure that the login method <strong>IS NOT</strong> <code>SASL EXTERNAL (cert)</code>; as said previously, it won't work.
<ul class="incremental">
<li>It appears that HexChat started to want to use it when I added the certificate.</li>
<li>If you use something that wants a username, uncheck <code>Use global user information</code>, or you must specify the username in the Network List and ZNC won't like it.</li>
</ul></li>
</ul>
<h4 id="limnoria">Limnoria</h4>
<p>Put your .pem file somewhere the bot can read it and tell your bot to use it while connecting with</p>
<p><strong>NOTE: This is server specific</strong>. <a href="https://github.com/ProgVal/Limnoria/issues/612">ProgVal/Limnoria#612 is a feature request for global certfiles.</a></p>
<p>Since Limnoria <strong>2014.06.04</strong>, a global certificate is supported. You can use the <code>version</code> command to check which version you are using.</p>
<p>For instructions on how to <a href="https://github.com/ProgVal/Limnoria/blob/testing/INSTALL.md">upgrade Limnoria, please see their INSTALL.md file.</a></p>
<p>I recommend you to <code>/script install iset.pl</code> for easier configuring when you aren't following this.</p>
<p>Put the .pem file somewhere your WeeChat can access it, preferably <code>~/.weechat</code> or wherever your "WeeChat home" is, and run the following commands in WeeChat:</p>
<p>Please read both parts, as you must add the certificate in webadmin or read the ZNC documentation on how to add it manually.</p>
<h5 id="webadmin">Webadmin</h5>
<p>First log in to your webadmin and, if you are an admin, go to the global settings. Check the checkbox <code>certauth</code>, scroll down and press "Save".</p>
<p>Then go to your settings and check the checkbox <code>cert</code>. You might also want to check the checkbox for <code>sasl</code> and <code>perform</code>. Scroll down and click "Save and return".</p>
<p>Now you should see <code>certauth</code> in global modules where you can specify the fingerprint of the pem file and your IRC client should be able to login to ZNC with it.</p>
<p>You should also see <code>Certificate</code> in user modules. At the top of the page it will tell you whether you have a certificate specified. Open <code>YOURNICKHERE.pem</code>, copy-paste everything in it into the large box and click <code>Update</code>.</p>
<h5 id="irc">IRC</h5>
<pre><code>/znc loadmod --type=global certauth
/znc loadmod --type=user cert
/znc loadmod --type=user perform
/znc loadmod --type=network sasl</code></pre>
<p>This is everything that was done above except adding the certificate which you should do in the webadmin (see the two last paragraphs under webadmin on this page).</p>
<p>(replace that with your own fingerprint!) and NickServ replies to you:</p>
<pre><code>14:13:39 -- NickServ: Added fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8 to your fingerprint list.</code></pre>
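<p>Added example, not part of the original page: a shell version of the "Generating the certificate" step and of the fingerprint you give to NickServ, using the standard <code>openssl</code> CLI. The RSA key size, the <code>/CN=</code> subject and the function names are assumptions; SHA-1 is inferred from the 40-digit fingerprints shown on this page.</p>

```shell
#!/usr/bin/env bash
# Added example: create a CertFP certificate and derive the fingerprint
# string that NickServ and /whois display. Requires the openssl CLI.
set -eu

# make_certfp PEM NICK
# One file holding an unencrypted RSA key and a self-signed certificate.
# -nodes leaves the key without a passphrase, as the page requires, so the
# file is created owner-only (umask 077) to compensate.
# 24855 days * 86400 s = 2147472000 s, just under 2^31-1 (2147483647).
# Key size (4096) and the CN value are assumptions of this example.
make_certfp() {
    ( umask 077
      openssl req -x509 -new -newkey rsa:4096 -sha256 -days 24855 -nodes \
          -subj "/CN=$2" -keyout "$1" -out "$1" 2>/dev/null )
}

# certfp_sha1 PEM -> 40 lowercase hex digits without colons, the form
# NickServ uses in the replies quoted on this page.
certfp_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# key_is_unencrypted PEM -> success if no encrypted-key header is present.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# valid_for_days PEM DAYS -> success if the cert is still valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo in a throwaway directory; the nick is the page's placeholder.
demo_dir=$(mktemp -d)
demo_pem="$demo_dir/YOURNICKNAMEHERE.pem"
make_certfp "$demo_pem" YOURNICKNAMEHERE
echo "fingerprint for NickServ: $(certfp_sha1 "$demo_pem")"
key_is_unencrypted "$demo_pem" && echo "key has no passphrase"
valid_for_days "$demo_pem" 365 && echo "valid for at least a year"
```

<p>Anyone who can read the .pem file can identify as you, so keep it owner-only wherever you copy it for your client or bouncer.</p>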
<h3 id="testing">Testing</h3>
<p>Now when you connect to freenode and have configured your IRC client to use your new certificate, you should get identified automatically and you should see your certificate by whoising yourself and running cert list with NickServ.</p>
<pre><code>/WHOIS YOURNICK YOURNICK
/MSG NickServ CERT LIST</code></pre>
<p>replies</p>
<pre><code><...>
XX:XX:XX -- [YOURNICK] has client certificate fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8
<...>
XX:XX:XX -- NickServ: Fingerprint list for YOURNICK:</code></pre>
<p>This might not work with some networks, but it works with freenode. All IRC clients should support setting a password to use while connecting to the server. Set it as <code>username:password</code> for freenode and you are automatically identified when you connect.</p>
<p>Some notes:</p>
<ul class="incremental">
<li>This is only known to work with freenode.</li>
<li>You aren't identified immediately, so, as shown in the embedded gist, your real host is visible to people who have you on <code>/monitor</code>.</li>
</ul>
<p>or whatever syntax the services on your network use.</p>
<p>Some notes:</p>
<ul class="incremental">
<li>Your real host is still visible to people who have you on /monitor.</li>
<li>Your client might send that command too late to prevent you from being sent to redirect channels for unidentified users, showing your real host to everyone.</li>
<li>You might annoy people by joining twice and quitting once with "Changing host".</li>
</ul>
<p>For corrections above this line, please contact <a href="../irc.html">me at IRC</a> or fix them yourself <a href="https://github.com/Mkaysi/mkaysi.github.io/blob/master/pages/external/identifying.html.md">here</a>. What is below that line is an embedded GitHub gist, which says where to report issues with it.</p>