From 1ba0d5e04bbee9658ec05716ce6d0cff52d744a8 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Thu, 17 Jul 2014 18:05:55 +0300
Subject: [PATCH] pages/ext/identifying: multiple updates

* remove timestamps
* update my SASL mechanism list
* remove ZNC explanations for other mechanisms
* mention existence of other mechanisms
* mention that newer services don't require SASL to have accountname
* also mention that they won't be used everywhere in a long time so that should be ignored
* Explain SASL EXTERNAL better
* Add link to Limnoria's issue about SASL EXTERNAL.
* Add reminder about earlier mentioned services
* Explain why no to passworded certificates
* HexChat: remove warning about SASL EXTERNAL.
* Note that it might not work everywhere and HexChat doesn't support multiple authentication methods at the same time.
* Remove KiwiIRC link as I didn't get it to work with freenode's instructions.
* Limnoria: remove network specific certfp.
* Link to install/upgrade guide and mirror.
* ZNC: add note about missing webadmin.
* Remove warning about giving certfp fingerprint to other people
* tell that it shouldn't be done, but some servers show it anyway
* 1 - it's the only thing required to add fingerprint to account
* Fix typos.
---
 pages/external/identifying.html    |  98 +++++++++++++++------------
 pages/external/identifying.html.md | 104 +++++++++++++++--------------
 2 files changed, 111 insertions(+), 91 deletions(-)

diff --git a/pages/external/identifying.html b/pages/external/identifying.html
index 890d6b7..6482c9f 100755
--- a/pages/external/identifying.html
+++ b/pages/external/identifying.html
@@ -26,31 +26,34 @@ How to identify to services automatically
/whois SaslServ SaslServ
 /msg SaslServ help

If the network does support SASL, you should see something like this which freenode gives:

-
XX:XX:XX -- [SaslServ] (SaslServ@services.): SASL Authentication Agent
-XX:XX:XX -- [SaslServ] services. (Atheme IRC Services)
-XX:XX:XX -- [SaslServ] is a Network Service
-XX:XX:XX -- [saslserv] End of WHOIS
-XX:XX:XX -- SaslServ: This service exists to identify connecting clients to the network. It has no public interface.
-

There are different mechanisms for use with SASL. I personally use them in this order with ZNC: PLAIN DH-AES DH-BLOWFISH and EXTERNAL.

+
[SaslServ] (SaslServ@services.): SASL Authentication Agent
+[SaslServ] services. (Atheme IRC Services)
+[SaslServ] is a Network Service
+[saslserv] End of WHOIS
+SaslServ: This service exists to identify connecting clients to the network. It has no public interface.
+

There are different mechanisms for use with SASL. I personally use only two of them with ZNC, EXTERNAL PLAIN.

This is what ZNC 1.5-git-3b01efc says about them:

-
XX:XX:XX < *sasl> +-------------+----------------------------------------------------+
-XX:XX:XX < *sasl> | Mechanism   | Description                                        |
-XX:XX:XX < *sasl> +-------------+----------------------------------------------------+
-XX:XX:XX < *sasl> | EXTERNAL    | TLS certificate, for use with the *cert module     |
-XX:XX:XX < *sasl> | DH-BLOWFISH | Secure negotiation using the DH-BLOWFISH mechanism |
-XX:XX:XX < *sasl> | DH-AES      | More secure negotiation using the DH-AES mechanism |
-XX:XX:XX < *sasl> | PLAIN       | Plain text negotiation                             |
-XX:XX:XX < *sasl> +-------------+----------------------------------------------------+
+
< *sasl> +-------------+----------------------------------------------------+
+< *sasl> | Mechanism   | Description                                        |
+< *sasl> +-------------+----------------------------------------------------+
+< *sasl> | EXTERNAL    | TLS certificate, for use with the *cert module     |
+< *sasl> | PLAIN       | Plain text negotiation                             |
+< *sasl> +-------------+----------------------------------------------------+

Some notes:

Using SASL with your client or bouncer

Remember that I use all of these methods (SASL, CertFP, username:password, automatic command).

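Review bot: the new sentence "I personally use only two of them with ZNC, EXTERNAL PLAIN." reads as if the list were cut off; write "EXTERNAL and PLAIN", in that order, which is the order the `/znc *sasl mechanism external plain` line further down uses. With the DH-BLOWFISH and DH-AES rows dropped, "This is what ZNC 1.5-git-3b01efc says about them" now introduces only two of the rows ZNC prints, so a reader will take the table as the full list; say "about the two I use" or keep the whole table, otherwise the "other mechanisms exist" point from the commit message is lost on the page. The PLAIN row also deserves a one-line caveat: "Plain text negotiation" means the account password itself goes inside the SASL exchange, so PLAIN belongs only on an SSL connection to the network.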
@@ -62,6 +65,7 @@ XX:XX:XX < *sasl> +-------------+-----------------------------------------

Limnoria supports SASL by default without any plugins.

config networks.<network>.sasl.username NSACCOUNTNAME
 config networks.<network>.sasl.password NSPASSWORD
+

There is an feature request about SASL external.

WeeChat

WeeChat supports SASL by default when you configure it. It can be configured globally or per network. You should do both.

Global configuration

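Review bot: "There is an feature request about SASL external." should read "a feature request", and the sentence gives the reader no way to find it; name the issue inline the way the CertFP section does with ProgVal/Limnoria#612, so the reference survives where links are not rendered. It would also help to state the consequence for now: with only sasl.username and sasl.password set, Limnoria has nothing but the account password to offer over SASL, so the certificate from the CertFP section is not used for SASL until that request is implemented.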
@@ -84,14 +88,17 @@ config networks.<network>.sasl.password NSPASSWORD

ZNC

/znc loadmod sasl
-/znc *sasl mechanism plain dh-aes dh-blowfish external
+/znc *sasl mechanism external plain
 /znc *sasl requireauth no
 /znc *sasl set NSACCOUNTNAME NSPASSWORD
  1. Loads the sasl module.
  2. Sets the mechanism list (where others than plain are useless as if plain doesn't work, others most probably won't work either).
  3. Makes you able to connect to network even if SASL fails as I expect you to also have CertFP configured which will identify you when services return.
  4. -
  5. Sets the details which ZNC uses to identify you.
  6. +
  7. Sets the details which ZNC uses to identify you. +
      +
    • Remember what I said about older services earlier.
    • +

CertFP

CertFP identifies you using SSL certificate which you must generate and add to your NickServ account.

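Review bot: step 2's parenthetical, "where others than plain are useless as if plain doesn't work, others most probably won't work either", was written for the DH-AES/DH-BLOWFISH entries and now sits under a list that reads `external plain`; EXTERNAL is not a variant of PLAIN but certificate authentication through the *cert module, so the step should instead say what the order means (try the certificate first, fall back to the account password). The new bullet "Remember what I said about older services earlier." hangs off step 5 with no indication of which section it refers to; restate the point in one clause rather than rely on the reader having kept it in mind. Since `requireauth no` lets the connection proceed when SASL fails, step 3 could add that the CertFP fallback only identifies you on networks whose services support it; elsewhere the bouncer ends up connected but unidentified, which is easy to miss in an always-on setup.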
@@ -109,7 +116,7 @@ config networks.<network>.sasl.password NSPASSWORD

Generating the certificate

-

Open terminal and run this command and replace YOURNICKNAMEHERE.pem with your nickname or something else which makes you know what it is (DO NOT SET PASSWORD FOR IT OR YOUR CLIENT MIGHT NOT BE ABLE TO USE IT):

+

Open terminal and run this command and replace YOURNICKNAMEHERE.pem with your nickname or something else which makes you know what it is (DO NOT SET PASSWORD FOR IT OR YOUR CLIENT MIGHT NOT BE ABLE TO USE IT): * Most of people are having ZNC and Limnoria starting automatically and asking password isn't a good idea with them. * If they asked passwords, your bot and ZNC would always be down if they crashed and cron or init-system or whatever asked for password…

openssl req -nodes -newkey rsa:4096 -keyout YOURNICKNAMEHERE.pem -x509 -days 3650 -out YOURNICKNAMEHERE.pem -subj "/CN=Your Nickname"

This gives us file YOURNICKNAMEHERE.pem which you must give to your IRC client which is valid for 10 years and must be regenerated at least every 10 years or whatever you specify in -days.

Oh, and don't close your terminal yet as you will need it for HexChat.

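Review bot: the new explanation is pasted inline as one run-on ("... USE IT): * Most of people are having ZNC ... * If they asked passwords, ..."); break it into the bulleted list the asterisks imply, and fix "Most of people" to "Most people" and "asking password" to "asking for a password". The point itself is sound, but since `-nodes` writes the private key unencrypted into the same .pem as the certificate, the paragraph should add the compensating control: make the file readable only by the account that runs the client or bouncer (chmod 600) and keep it out of shared or version-controlled directories, because anyone who can read it can authenticate as you. The following line, "valid for 10 years and must be regenerated at least every 10 years or whatever you specify in -days", says the same thing twice; one clause is enough.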
@@ -121,9 +128,8 @@ cp YOURNICKNAMEHERE.pem ~/.config/hexchat/certs/client.pem

Now open your HexChat and press CTRL + S or go to HexChat --> Network list and check the settings for the networks that you use.

@@ -133,17 +139,15 @@ cp YOURNICKNAMEHERE.pem ~/.config/hexchat/certs/client.pem cp YOURNICKNAMEHERE.pem %appdata%\hexchat\certs\client.pem

If you use portable HexChat (the option in setup), create a folder certs under the config directory and copy YOURNICKNAMEHERE.pem there and rename it to client.pem.

You can now return to below the three *nix commands to the part which you skipped to check your settings.

-

KVIrc

-

freenode has full instructions on doing this here.

Limnoria

-

Insert your .pem file somewhere where the bot can read it and tell your bot to read use it while connecting with

-
config networks.<network>.certfile /full/path/to/pem.file
-

NOTE: This is server specific. ProgVal/Limnoria#612 is feature request for global certfiles.

-
testing branch
-

Since Limnoria 2014.06.08 (master) global certificate is supported. You can use the version command to check which version you are using.

+

Insert your .pem file somewhere where the bot can read it and tell your bot to use it while connecting with

config protocols.irc.certfile /full/path/to/pem.file
-

For instructions to upgrade Limnoria, please see their INSTALL.md file.

-

WeeChat

+

I recommend you to /script install iset.pl for easier configuring when you aren't following this.

Put the .pem file somewhere where your WeeChat can access it, preferably ~/.weechat or whenever your "WeeChat home" is and run the following commands in WeeChat:

/set irc.server_default.ssl_cert %h/YOURNICKNAMEHERE.pem"
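Review bot: the WeeChat line `/set irc.server_default.ssl_cert %h/YOURNICKNAMEHERE.pem"` ends in an unmatched double quote; as typed it is either a typo or ends up in the option value, so drop it. On the Limnoria change: removing `config networks.<network>.certfile` entirely loses the per-network option, which is still the right one for people who use a different certificate, and so a different account, on each network; keep one sentence saying that `protocols.irc.certfile` is the global default and the per-network setting overrides it. "Since Limnoria 2014.06.08 (master) global certificate is supported" reads better as "a global certificate is supported".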
@@ -159,6 +163,17 @@ cp YOURNICKNAMEHERE.pem %appdata%\hexchat\certs\client.pem

ZNC

Please read the both parts as you must add the certificate in webadmin or read ZNC documentation on how to add it manually.

Webadmin
+

If you don't have webadmin loaded you have two options:

+

First login to your webadmin and if you are admin, go to the global settings. Check the checkbox certauth, scroll down and press "Save".

Then go to your settings and check the checkbox cert. You might also want to check the checkbox for sasl and perform. Scroll down and click "Save and return".

Now you should see certauth in global modules where you can specify the fingerprint of the pem file and your IRC client should be able to login to ZNC with it.

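Review bot: "If you don't have webadmin loaded you have two options:" is followed by no options in this hunk (the added lines after it are empty); make sure the list actually lands in the page, presumably the two routes the section intro already names: load webadmin (`/znc loadmod webadmin`) and follow the steps below, or add the fingerprint by hand as the ZNC documentation describes. The webadmin walk-through is also the place to say which value to paste into certauth; if it is the same hex fingerprint the openssl command under "Telling NickServ about your key" prints, say so, since the reader otherwise has to guess.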
@@ -166,33 +181,34 @@ cp YOURNICKNAMEHERE.pem %appdata%\hexchat\certs\client.pem
IRC
/znc loadmod --type=global certauth
 /znc loadmod --type=user cert
+/znc loadmod --type=network perform
 /znc loadmod --type=user perform
 /znc loadmod --type=network sasl

This is everything that was done above except adding the certificate which you should do in the webadmin (see the two last paragraphs under webadmin on this page).

Telling NickServ about your key

NickServ wants to know the fingerprint which you can get with the following command:

openssl x509 -sha1 -noout -fingerprint -in YOURNICKNAMEHERE.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
-

which returns your fingerprint (WHICH YOU MUST NOT SHARE WITH ANYONE)

+

which returns your fingerprint (which is the only thing required to add your key to services database, but some networks show this in whois).

05dd01fedc1b821b796d0d785160f03e32f53fa8

Now you can tell to NickServ about it.

/msg NickServ CERT ADD 05dd01fedc1b821b796d0d785160f03e32f53fa8

(replace that with your own fingerprint!) And nickerv replies to you

-
14:13:39 -- NickServ: Added fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8 to your fingerprint list.
+
NickServ: Added fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8 to your fingerprint list.

Testing

Now when you connect to freenode and have configured your IRC client to use your new certificate, you should get identified automatically and you should see your certificate by whoising yourself and running cert list with NickServ.

/WHOIS YOURNICK YOURNICK
 /MSG NickServ CERT LIST

replies

<...>
-XX:XX:XX -- [YOURNICK] has client certificate fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8
+[YOURNICK] has client certificate fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8
 <...>
-XX:XX:XX -- NickServ: Fingerprint list for YOURNICK:
-XX:XX:XX -- NickServ: - 05dd01fedc1b821b796d0d785160f03e32f53fa8$$
-XX:XX:XX -- NickServ: End of YOURNICK fingerprint list.
+NickServ: Fingerprint list for YOURNICK: +NickServ: - 05dd01fedc1b821b796d0d785160f03e32f53fa8$$ +NickServ: End of YOURNICK fingerprint list.

Notes
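Review bot: the rewritten fingerprint sentence, "which is the only thing required to add your key to services database, but some networks show this in whois", is muddled about what the secret is. The fingerprint is a hash of the certificate the client presents in the TLS handshake, and the handshake proves possession of the private key, so someone who knows only the fingerprint cannot authenticate as you; adding your fingerprint to their own account would let you into theirs, not them into yours. That is why networks can show it in whois (the "has client certificate fingerprint" line under Testing). Say it plainly: the fingerprint is public, the .pem holding the private key is what must not leak. At the top of the hunk, adding `/znc loadmod --type=network perform` while keeping `/znc loadmod --type=user perform` loads the same module at two scopes; keep the network one and drop the other. And "nickerv replies" should be "NickServ replies".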