NOTE: This might be heavily freenode-specific, but these things should work with other networks too, at least SASL and CertFP.
I will document the four different methods to identify to services which I use myself. I use all of these at the same time.
There isn't much to say about SASL as it's easy to configure as long as your IRC client supports it. SASL identifies you before logging in, but it won't help you in case services are down. The easiest way to check whether the network you are on supports SASL is probably to whois SaslServ, message it, or both:
/whois SaslServ SaslServ
/msg SaslServ help
If the network does support SASL, you should see something like this which freenode gives:
XX:XX:XX -- [SaslServ] (SaslServ@services.): SASL Authentication Agent
XX:XX:XX -- [SaslServ] services. (Atheme IRC Services)
XX:XX:XX -- [SaslServ] is a Network Service
XX:XX:XX -- [saslserv] End of WHOIS
XX:XX:XX -- SaslServ: This service exists to identify connecting clients to the network. It has no public interface.
There are different mechanisms for use with SASL. I personally use them in this order with ZNC: PLAIN, DH-AES, DH-BLOWFISH and EXTERNAL.
This is what ZNC 1.5-git-3b01efc says about them:
XX:XX:XX < *sasl> +-------------+----------------------------------------------------+
XX:XX:XX < *sasl> | Mechanism | Description |
XX:XX:XX < *sasl> +-------------+----------------------------------------------------+
XX:XX:XX < *sasl> | EXTERNAL | TLS certificate, for use with the *cert module |
XX:XX:XX < *sasl> | DH-BLOWFISH | Secure negotiation using the DH-BLOWFISH mechanism |
XX:XX:XX < *sasl> | DH-AES | More secure negotiation using the DH-AES mechanism |
XX:XX:XX < *sasl> | PLAIN | Plain text negotiation |
XX:XX:XX < *sasl> +-------------+----------------------------------------------------+
Some notes:
Remember that I use all of these methods (SASL, CertFP, username:password, automatic command).
Press CTRL + S or go to HexChat --> Network list, select the network where you want to use SASL and click Edit.
If you want to specify a server-specific username, uncheck the `Use global user information` checkbox.
Change the Login method from `Default` to `SASL (username + password)` and type your username and password. If you don't uncheck the box, you must specify the username in the network list.
Limnoria supports SASL by default without any plugins.
config networks.<network>.sasl.username NSACCOUNTNAME
config networks.<network>.sasl.password NSPASSWORD
WeeChat supports SASL by default once you configure it. It can be configured globally or per network. You should do both.
/set irc.server_default.ssl on
/set irc.server_default.ssl_dhkey_size 1024
/set irc.server_default.sasl_mechanism plain
/set irc.server_default.sasl_username <USERNAME>
/set irc.server.<network>.sasl_username <USERNAME>
/set irc.server.<network>.sasl_password <PASSWORD>
/znc loadmod sasl
/znc *sasl mechanism plain dh-aes dh-blowfish external
/znc *sasl requireauth no
/znc *sasl set NSACCOUNTNAME NSPASSWORD
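As an added example (mine, not code from this page nor from HexChat, WeeChat, Limnoria or ZNC), this is what those clients do on your behalf with the PLAIN mechanism: the account name and password are joined with NUL bytes, base64-encoded and sent in `AUTHENTICATE` lines of at most 400 bytes, with a lone `+` when the last piece is exactly 400 bytes. Base64 is reversible encoding, not encryption, so PLAIN should only ever go over the SSL/TLS connection configured above. The function names and the credentials in the demo are constructed.

```python
import base64

# Added example, not code from the original page or from any IRC client/ZNC:
# builds and parses the SASL PLAIN payload (RFC 4616) the clients above send.
# Credentials used in the demo are constructed, not real accounts.

MAX_CHUNK = 400  # IRCv3 SASL: AUTHENTICATE carries at most 400 bytes per line


def plain_payload(username, password, authzid=None):
    """Return the base64 SASL PLAIN message: authzid NUL authcid NUL password.

    IRC clients normally send the account name as both authzid and authcid,
    so authzid defaults to the username. base64 is reversible encoding, not
    encryption: the password is readable by anyone who sees this line, which
    is why PLAIN must only be sent over an SSL/TLS connection.
    """
    if authzid is None:
        authzid = username
    for field in (authzid, username, password):
        if "\x00" in field:
            raise ValueError("NUL is the field separator; it cannot appear in a field")
    raw = "\x00".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(payload):
    """Decode a PLAIN payload as the services side does; reject malformed input."""
    raw = base64.b64decode(payload, validate=True)
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        raise ValueError("PLAIN needs exactly three NUL-separated fields")
    return tuple(f.decode("utf-8") for f in fields)


def authenticate_lines(payload):
    """Split the payload into the AUTHENTICATE lines the client must send.

    If the final piece is exactly MAX_CHUNK bytes (or the payload is empty) the
    client sends a lone '+' so the server knows the payload is complete.
    """
    lines = ["AUTHENTICATE " + payload[i:i + MAX_CHUNK]
             for i in range(0, len(payload), MAX_CHUNK)]
    if len(payload) % MAX_CHUNK == 0:
        lines.append("AUTHENTICATE +")
    return lines


def client_messages(username, password):
    """The full client side of the handshake with services, in order."""
    return (["CAP REQ :sasl", "AUTHENTICATE PLAIN"]  # server answers 'AUTHENTICATE +'
            + authenticate_lines(plain_payload(username, password))
            + ["CAP END"])  # sent after the server's 903 (success) or 904 (failure)


if __name__ == "__main__":
    for line in client_messages("nick", "constructed-password"):
        print(line)
```

Run it with `python3 sasl_plain.py` to see the exact lines a client emits; `parse_plain` is the check a services implementation performs before looking the account up, and it rejects anything that does not decode to exactly three fields.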
CertFP identifies you using an SSL certificate which you must generate and add to your NickServ account.
You can use this command on IRC to check if the network supports CertFP.
/msg NickServ help cert
I am not sure how this happens on Windows, so you might need to look for that information elsewhere unless someone decides to help me and tell me how it happens. I am going to tell about OpenSSL.
All commands here work mostly if you install msysgit with the option below. Oh, and you must also change the paths.
Download it and run the installer.
THIS IS THE MOST IMPORTANT PART! In `Adjusting your PATH environment`, choose `Use Git and optional Unix tools from the Windows Command Path`.
Open a terminal and run this command, replacing YOURNICKNAMEHERE.pem with your nickname or something else that tells you what it is (DO NOT SET A PASSWORD FOR IT OR YOUR CLIENT MIGHT NOT BE ABLE TO USE IT):
openssl req -nodes -newkey rsa:4096 -keyout YOURNICKNAMEHERE.pem -x509 -days 3650 -out YOURNICKNAMEHERE.pem -subj "/CN=Your Nickname"
This gives us the file YOURNICKNAMEHERE.pem, which you must give to your IRC client. It is valid for 10 years (or whatever you specify in `-days`) and must be regenerated before that time runs out.
Oh, and don't close your terminal yet as you will need it for HexChat.
Create a folder `certs` in your HexChat config directory and copy the .pem file there, renamed to client.pem. Windows users: skip the following two commands and go to the "Windows" part below.
mkdir -p ~/.config/hexchat/certs/
cp YOURNICKNAMEHERE.pem ~/.config/hexchat/certs/client.pem
Now open your HexChat and press CTRL + S or go to HexChat --> Network list and check the settings for the networks that you use.
The Login method must be `SASL EXTERNAL (cert)`; as said previously, it won't work otherwise.
Uncheck `Use global user information`, or you must specify the username in the Network List and ZNC won't like it.
Windows: if you followed my instructions with the msysgit setup, you can now run the following and it works.
mkdir -p %appdata%\hexchat\certs
cp YOURNICKNAMEHERE.pem %appdata%\hexchat\certs\client.pem
If you use portable HexChat (the option in setup), create a folder `certs` under the `config` directory, copy YOURNICKNAMEHERE.pem there and rename it to client.pem.
You can now return to the part below the three *nix commands, which you skipped, to check your settings.
freenode has full instructions on doing this here.
Put your .pem file somewhere the bot can read it and tell your bot to use it while connecting with
config networks.<network>.certfile /full/path/to/pem.file
NOTE: This is network specific. ProgVal/Limnoria#612 is the feature request for global certfiles.
Since Limnoria 2014.06.08 (master) a global certificate is supported. You can use the `version` command to check which version you are using.
config protocols.irc.certfile /full/path/to/pem.file
For instructions to upgrade Limnoria, please see their INSTALL.md file.
I recommend you to `/script install iset.pl` for easier configuring when you aren't following this.
Put the .pem file somewhere where your WeeChat can access it, preferably ~/.weechat or wherever your "WeeChat home" is, and run the following commands in WeeChat:
/set irc.server_default.ssl_cert "%h/YOURNICKNAMEHERE.pem"
/set irc.server_default.ssl on
/set irc.server_default.ssl_dhkey_size 1024
/set irc.server_default.ssl_verify on
Set `ssl_dhkey_size` to 1024 (required by some networks like freenode).
Please read both parts, as you must add the certificate in the webadmin or read the ZNC documentation on how to add it manually.
First log in to your webadmin and, if you are an admin, go to the global settings. Check the `certauth` checkbox, scroll down and press "Save".
Then go to your settings and check the `cert` checkbox. You might also want to check the checkboxes for `sasl` and `perform`. Scroll down and click "Save and return".
Now you should see `certauth` in global modules, where you can specify the fingerprint of the pem file, and your IRC client should be able to log in to ZNC with it.
You should also see `Certificate` in user modules. At the top of the page it will tell you if you have a certificate specified. Open YOURNICKHERE.pem, copy-paste everything in it into the large box and click `Update`.
/znc loadmod --type=global certauth
/znc loadmod --type=user cert
/znc loadmod --type=user perform
/znc loadmod --type=network sasl
This is everything that was done above except adding the certificate which you should do in the webadmin (see the two last paragraphs under webadmin on this page).
NickServ wants to know the fingerprint, which you can get with the following command:
openssl x509 -sha1 -noout -fingerprint -in YOURNICKNAMEHERE.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
which returns your fingerprint (WHICH YOU MUST NOT SHARE WITH ANYONE):
05dd01fedc1b821b796d0d785160f03e32f53fa8
Now you can tell NickServ about it.
/msg NickServ CERT ADD 05dd01fedc1b821b796d0d785160f03e32f53fa8
(replace that with your own fingerprint!) And NickServ replies to you:
14:13:39 -- NickServ: Added fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8 to your fingerprint list.
Now when you connect to freenode and have configured your IRC client to use your new certificate, you should get identified automatically, and you should see your certificate by whoising yourself and running `cert list` with NickServ.
/WHOIS YOURNICK YOURNICK
/MSG NickServ CERT LIST
replies
<...>
XX:XX:XX -- [YOURNICK] has client certificate fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8
<...>
XX:XX:XX -- NickServ: Fingerprint list for YOURNICK:
XX:XX:XX -- NickServ: - 05dd01fedc1b821b796d0d785160f03e32f53fa8
XX:XX:XX -- NickServ: End of YOURNICK fingerprint list.
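To show what the `openssl x509 -fingerprint | sed` pipeline above actually computes, here is an added example (mine, not code from this page nor from Atheme or NickServ). It pulls the CERTIFICATE block out of the combined key-and-certificate .pem file the earlier openssl command writes, hashes its DER bytes and returns the lowercase, colon-free hex string that `CERT ADD` wants; `normalize_openssl_fingerprint` does the same job as the sed expression on openssl's own output. The sample PEM is constructed so the code runs offline: its blocks decode to the strings "not a key" and "abc", not to real key or certificate data, and `certfp`, `certificate_der` and `SAMPLE_PEM` are names I chose. Two things worth knowing that the page leaves implicit: the fingerprint is a hash of the public certificate, so the value that really must stay private is the PRIVATE KEY block sitting in the same .pem file, and the hash algorithm is whatever the network's services use (SHA-1 here, matching the `-sha1` in the page's command).

```python
import base64
import hashlib
import re

# Added example, not from the original page: compute the CertFP fingerprint
# NickServ's CERT ADD expects from the .pem file generated with openssl above.

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in for YOURNICKNAMEHERE.pem: the openssl command on this
# page writes the private key and the certificate into ONE file. The base64
# bodies here decode to "not a key" and "abc", not to real key/cert data.
SAMPLE_PEM = """-----BEGIN PRIVATE KEY-----
bm90IGEga2V5
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def certificate_der(pem_text):
    """Return the DER bytes of the CERTIFICATE block, skipping the private key.

    The fingerprint covers only the certificate; hashing the whole file (or the
    key) would give a value services never match.
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            return base64.b64decode("".join(body.split()), validate=True)
    raise ValueError("no CERTIFICATE block found in PEM data")


def certfp(pem_text, algorithm="sha1"):
    """Fingerprint as NickServ wants it: lowercase hex, no colons.

    Atheme on freenode used SHA-1 (the page runs openssl with -sha1); pass
    another hashlib name if your network's services say they use e.g. sha512.
    """
    return hashlib.new(algorithm, certificate_der(pem_text)).hexdigest()


def normalize_openssl_fingerprint(line):
    """Equivalent of the sed pipeline on this page, applied to a line such as
    'SHA1 Fingerprint=05:DD:...' as printed by openssl x509 -fingerprint."""
    _, _, value = line.partition("=")
    return value.strip().replace(":", "").lower()


if __name__ == "__main__":
    import sys
    # Usage: python3 certfp.py YOURNICKNAMEHERE.pem (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as handle:
            pem = handle.read()
    else:
        pem = SAMPLE_PEM
    print(certfp(pem))
```

Run `python3 certfp.py YOURNICKNAMEHERE.pem` and compare the output with what the openssl pipeline prints; the two must agree before you paste the value into `CERT ADD`. The script reads the file but never prints or transmits the key block, and that file should stay readable only by your user (for example `chmod 600`).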
Remember that the certificate expires after the time given in the `-days` part of the openssl command.
This might not work with some networks, but it works with freenode. All IRC clients should support setting a password to use while connecting to the server. Set it as `username:password` for freenode and you are automatically identified when you connect.
Some notes:
/monitor.
This works with probably every client. They support setting commands that are automatically run as you connect, and you can set the command
/msg NickServ identify username password
or whatever syntax the services on your network use.
Some notes: