mikaela.github.io/pages/external/identifying.html

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" /> <!-- <meta http-equiv="refresh" content="60" /> --> <meta name="description" content="Instructions for identifying to services on various IRC networks." /> <meta name="keywords" content="freenode IRC SASL CertFP client bouncer HexChat Limnoria Supybot WeeChat ZNC plain dh-aes dh-blowfish external openssl msysgit Unix Linux Windows SSL certificate Services NickServ server network security cloak" /> <meta name="author" content="Mikaela Suomalainen" /> <link rel="canonical" href="https://mkaysi.github.io/pages/external/identifying.html">
<title>
How to identify to services automatically
</title>
<link rel="stylesheet" type="text/css" href="../../css.css" />
<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

          ga('create', 'UA-40171169-1', 'mkaysi.github.io');
            ga('send', 'pageview');

            </script>
</head>
<body>

<p><strong>NOTE: This might be heavily freenode-specific, but these things should work with other networks too, at least SASL and CertFP.</strong></p>
<p>I will document the four different methods to identify to services which I use by myself. <strong>I use all of these at the same time.</strong></p>
<h2 id="sasl">SASL</h2>
<p>There isn't much to say about SASL as it's easy to configure as long as your IRC client supports it. SASL identifies you before logging in, but it won't help you in case services are down. The easiest way to check does the network where you are support SASL is probably to whois or message or both to the SaslServ.</p>
<pre><code>/whois SaslServ SaslServ
/msg SaslServ help</code></pre>
<p>If the network does support SASL, you should see something like this which freenode gives:</p>
<pre><code>[SaslServ] (SaslServ@services.): SASL Authentication Agent
[SaslServ] services. (Atheme IRC Services)
[SaslServ] is a Network Service
[saslserv] End of WHOIS
SaslServ: This service exists to identify connecting clients to the network. It has no public interface.</code></pre>
<p>There are different mechanisms for use with SASL. I personally use only two of them with ZNC, <code>EXTERNAL PLAIN</code>.</p>
<p>This is what ZNC 1.5-git-3b01efc says about them:</p>
<pre><code>&lt; *sasl&gt; +-------------+----------------------------------------------------+
&lt; *sasl&gt; | Mechanism   | Description                                        |
&lt; *sasl&gt; +-------------+----------------------------------------------------+
&lt; *sasl&gt; | EXTERNAL    | TLS certificate, for use with the *cert module     |
&lt; *sasl&gt; | PLAIN       | Plain text negotiation                             |
&lt; *sasl&gt; +-------------+----------------------------------------------------+</code></pre>
<p>Some notes:</p>
<ul class="incremental">
<li>ZNC has other supported Mechanisms too, those are only what I use.</li>
<li><strong>You must use your accountname as username</strong>.
<ul class="incremental">
<li>Only applies to older services (and you can probably trust them to be actively used for years, so do this even if it's nor required).</li>
</ul></li>
<li>PLAIN is plain text as it says, so if you use it like I do, you should use SSL.
<ul class="incremental">
<li>This won't help you when services are down.</li>
</ul></li>
<li>EXTERNAL works together with CertFP and doesn't need username nor password. It tells server about certificate and identifies you before you are visible. Even if SASL EXTERNAL fails, your certificate will identify you.
<ul class="incremental">
<li>I recommend having <code>EXTERNAL</code> as primary SASL mechanism and <code>PLAIN</code> as secondary if supported by your client. This is supported by ZNC.</li>
</ul></li>
</ul>
<h3 id="using-sasl-with-your-client-or-bouncer">Using SASL with your client or bouncer</h3>
<p>Remember that I use all of these methods (SASL, CertFP, username:password, automatic command).</p>
<h3 id="hexchat">HexChat</h3>
<p>Press <code>CTRL + S</code> or go to <code>HexChat --&gt; Network list</code> and select the network where you want to use SASL and click <code>Edit</code>.</p>
<p>If you want to specify server specific username, uncheck the <code>Use global user information</code> checkbox.</p>
<p>Change the <code>Login method:</code> from <code>Default</code> to `SASL (username + password) and type your username and password. If you don't uncheck the box, you must specify the username in network list.</p>
<h3 id="limnoria">Limnoria</h3>
<p>Limnoria supports SASL by default without any plugins.</p>
<pre><code>config networks.&lt;network&gt;.sasl.username NSACCOUNTNAME
config networks.&lt;network&gt;.sasl.password NSPASSWORD</code></pre>
<p><a href="https://github.com/ProgVal/Limnoria/issues/781">There is an feature request about SASL external.</a></p>
<h3 id="weechat">WeeChat</h3>
<p>WeeChat supports SASL by default when you configure it. It can be configured globally or per network. You should do both.</p>
<h4 id="global-configuration">Global configuration</h4>
<pre><code>/set irc.server.default.ssl on
/set irc.server_default.ssl_dhkey_size 1024
/set irc.server_default.sasl.mechanism plain
/set irc.server_default.sasl.username &lt;USERNAME&gt;</code></pre>
<ol class="incremental" style="list-style-type: decimal">
<li>Enables SSL by default for all connections unless otherwise specified which is in the next section. You do want this if you use the third command like I do which makes the password be sent in plain text.</li>
<li>Fixes issues with connecting to freenode with SSL.</li>
<li>Sets the password to be sent in plain text (this is why you want SSL). Plain text should be supported by every network that supports SASL.</li>
<li>Sets the default SASL username in case you have mostly same account name in most of the networks which you are connected to.</li>
</ol>
<h4 id="network-specific-configuration">Network specific configuration</h4>
<pre><code>/set irc.server.&lt;network&gt;.sasl_username &lt;USERNAME&gt;
/set irc.server.&lt;network&gt;.sasl_password &lt;PASSWORD&gt;</code></pre>
<ol class="incremental" style="list-style-type: decimal">
<li>Sets the SASL username in case it's different that globally configured.</li>
<li>Sets the password which is used with SASL.</li>
</ol>
<h3 id="znc">ZNC</h3>
<pre><code>/znc loadmod sasl
/znc *sasl mechanism external plain
/znc *sasl requireauth no
/znc *sasl set NSACCOUNTNAME NSPASSWORD</code></pre>
<ol class="incremental" style="list-style-type: decimal">
<li>Loads the sasl module.</li>
<li>Sets the mechanism list (where others than plain are useless as if plain doesn't work, others most probably won't work either).</li>
<li>Makes you able to connect to network even if SASL fails as I expect you to also have CertFP configured which will identify you when services return.</li>
<li>Sets the details which ZNC uses to identify you.
<ul class="incremental">
<li>Remember what I said about older services earlier.</li>
</ul></li>
</ol>
<h2 id="certfp">CertFP</h2>
<p>CertFP identifies you using SSL certificate which you must generate and add to your NickServ account.</p>
<p>You can use this command at IRC to check if the network supports certfp.</p>
<pre><code>/msg NickServ help cert</code></pre>
<p>I am not sure how this happens on Windows, so you might need to look for that information elsewhere unless someone decides to help me and tell how does it happen. I am going to tell about OpenSSL.</p>
<h4 id="windows">Windows</h4>
<p>All commands here work mostly if you instll <a href="https://msysgit.github.io/">msysgit</a> with the option below. Oh and you must also change the paths.</p>
<p>Download it and run the installer.</p>
<p><strong>THIS IS THE MOST IMPORTANT PART!</strong> — `Adjusting your PATH environment.</p>
<ul class="incremental">
<li>**<code>Use Git and optional Unix tools from the Windows Command Path</code>
<ul class="incremental">
<li>If you don't select this, you must reinstall or you aren't able to use all of the commands.</li>
</ul></li>
</ul>
<h3 id="generating-the-certificate">Generating the certificate</h3>
<p>Open terminal and run this command and replace YOURNICKNAMEHERE.pem with your nickname or something else which makes you know what it is (<strong>DO NOT SET PASSWORD FOR IT OR YOUR CLIENT MIGHT NOT BE ABLE TO USE IT</strong>): * Most of people are having ZNC and Limnoria starting automatically and asking password isn't a good idea with them. * If they asked passwords, your bot and ZNC would always be down if they crashed and cron or init-system or whatever asked for password…</p>
<pre><code>openssl req -nodes -newkey rsa:4096 -keyout YOURNICKNAMEHERE.pem -x509 -days 3650 -out YOURNICKNAMEHERE.pem -subj &quot;/CN=Your Nickname&quot;</code></pre>
<p>This gives us file <code>YOURNICKNAMEHERE.pem</code> which you must give to your IRC client which is valid for 10 years and must be regenerated at least every 10 years or whatever you specify in <code>-days</code>.</p>
<p>Oh, and <strong>don't close your terminal yet</strong> as you will need it for HexChat.</p>
<h3 id="telling-your-client-or-bouncer-to-use-the-cert.">Telling your client (or bouncer to use the cert).</h3>
<h4 id="hexchat-1">HexChat</h4>
<p>Create a folder &quot;certs&quot; to your HexChat config and copy the .pem file there and copy and rename it as <code>client.pem</code>. Windows users: skip the following two commands and go under topic &quot;Windows&quot; below.</p>
<pre><code>mkdir -p ~/.config/hexchat/certs/
cp YOURNICKNAMEHERE.pem ~/.config/hexchat/certs/client.pem</code></pre>
<p>Now open your HexChat and press <code>CTRL + S</code> or go to <code>HexChat --&gt; Network list</code> and check the settings for the networks that you use.</p>
<ul class="incremental">
<li>Use SSL for all the servers on this network.</li>
<li>Note: if mechanism is SASL EXTERNAL, some services might not identify you using SASL. HexChat doesn't support multiple SASL mechanisms.
<ul class="incremental">
<li>If you use something that wants username, uncheck the <code>Use global user informtion</code> or you must specify the username in the Network List and ZNC won't like it.</li>
</ul></li>
</ul>
<h5 id="windows-1">Windows</h5>
<p>If you followed my instructions with msysgit setup, you can now run the following and it works.</p>
<pre><code>mkdir -p %appdata%\hexchat\certs
cp YOURNICKNAMEHERE.pem %appdata%\hexchat\certs\client.pem</code></pre>
<p>If you use portable HexChat (the option in setup), create a folder <code>certs</code> under the <code>config</code> directory and copy YOURNICKNAMEHERE.pem there and rename it to <code>client.pem</code>.</p>
<p>You can now return to below the three *nix commands to the part which you skipped to check your settings.</p>
<h4 id="limnoria-1">Limnoria</h4>
<p>Insert your .pem file somewhere where the bot can read it and tell your bot to use it while connecting with</p>
<pre><code>config protocols.irc.certfile /full/path/to/pem.file</code></pre>
<ul class="incremental">
<li><a href="http://supybot.aperio.fr/doc/use/install.html">Limnoria's install/upgrade guide</a>
<ul class="incremental">
<li><a href="http://limnoria-doc.readthedocs.org/en/latest/use/install.html">Mirror</a> #### WeeChat</li>
</ul></li>
</ul>
<p>I recommend you to <code>/script install iset.pl</code> for easier configuring when you aren't following this.</p>
<p>Put the .pem file somewhere where your WeeChat can access it, preferably <code>~/.weechat</code> or whenever your &quot;WeeChat home&quot; is and run the following commands in WeeChat:</p>
<pre><code>/set irc.server_default.ssl_cert %h/YOURNICKNAMEHERE.pem&quot;
/set irc.server_default.ssl on
/set irc.server_default.ssl_dhkey_size 1024
/set irc.server_default.ssl_verify on</code></pre>
<ol class="incremental" style="list-style-type: decimal">
<li>Specifies where is the .pem file for all networks that don't have it invidually specified.</li>
<li>Enables SSL for all networks by default unless otherwise configured.</li>
<li>Sets <code>dhkey_size</code> to <code>1024</code> (required by some networks like freenode).</li>
<li>Disables verifying the certificates (required for self-signed certificates and I think that applies to our certificate too).</li>
</ol>
<h4 id="znc-1">ZNC</h4>
<p>Please read the both parts as you must add the certificate in webadmin or read ZNC documentation on how to add it manually.</p>
<h5 id="webadmin">Webadmin</h5>
<p>If you don't have webadmin loaded you have two options:</p>
<ul class="incremental">
<li>As admin (recommended): <code>/msg *status loadmod --type=global webadmin</code>
<ul class="incremental">
<li>Allows everyone to login to webadmin.</li>
</ul></li>
<li>As normal user (only if you aren't admin) <code>/msg *status loadmod -type=user webadmin</code>
<ul class="incremental">
<li>Allows only you to login to webadmin and you will get questions on why users cannot login there and you must either load it globally or tell them to do this and both just cause confusion.</li>
</ul></li>
</ul>
<p>First login to your webadmin and if you are admin, go to the global settings. Check the checkbox <code>certauth</code>, scroll down and press &quot;Save&quot;.</p>
<p>Then go to your settings and check the checkbox <code>cert</code>. You might also want to check the checkbox for <code>sasl</code> and <code>perform</code>. Scroll down and click &quot;Save and return&quot;.</p>
<p>Now you should see <code>certauth</code> in global modules where you can specify the fingerprint of the pem file and your IRC client should be able to login to ZNC with it.</p>
<p>You should also see <code>Certificate</code> in user modules. On top of the page it will tell you if you have certificate specified. Open the <code>YOURNICKHERE.pem</code> and copy-paste everything in it to the large box and click <code>Update</code>.</p>
<h5 id="irc">IRC</h5>
<pre><code>/znc loadmod --type=global certauth
/znc loadmod --type=user cert
/znc loadmod --type=network perform
/znc loadmod --type=user perform
/znc loadmod --type=network sasl</code></pre>
<p>This is everything that was done above except adding the certificate which you should do in the webadmin (see the two last paragraphs under webadmin on this page).</p>
<h3 id="telling-nickserv-about-your-key">Telling NickServ about your key</h3>
<p>NickServ wants to know the fingerprint which you can get with the following command:</p>
<pre><code>openssl x509 -sha1 -noout -fingerprint -in YOURNICKNAMEHERE.pem | sed -e &#39;s/^.*=//;s/://g;y/ABCDEF/abcdef/&#39;</code></pre>
<p>which returns your fingerprint (which is the only thing required to add your key to services database, but some networks show this in whois).</p>
<pre><code>05dd01fedc1b821b796d0d785160f03e32f53fa8</code></pre>
<p>Now you can tell to NickServ about it.</p>
<pre><code>/msg NickServ CERT ADD 05dd01fedc1b821b796d0d785160f03e32f53fa8</code></pre>
<p>(replace that with your own fingerprint!) And nickerv replies to you</p>
<pre><code>NickServ: Added fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8 to your fingerprint list.</code></pre>
<h3 id="testing">Testing</h3>
<p>Now when you connect to freenode and have configured your IRC client to use your new certificate, you should get identified automatically and you should see your certificate by whoising yourself and running cert list with NickServ.</p>
<pre><code>/WHOIS YOURNICK YOURNICK
/MSG NickServ CERT LIST</code></pre>
<p>replies</p>
<pre><code>&lt;...&gt;
[YOURNICK] has client certificate fingerprint 05dd01fedc1b821b796d0d785160f03e32f53fa8
&lt;...&gt;
NickServ: Fingerprint list for YOURNICK:
NickServ: - 05dd01fedc1b821b796d0d785160f03e32f53fa8$$
NickServ: End of YOURNICK fingerprint list.</code></pre>
<h3 id="notes">Notes</h3>
<ul class="incremental">
<li>You must recreate your certificate as specified by the <code>-days</code> part in the openssl command.</li>
<li>This won't identify you immediately so you are still visible to /monitor.</li>
<li>This will identify you after services return unlike other methods if you happen to be on splitted server without services.</li>
<li>Supported networks which I am on:
<ul class="incremental">
<li>freenode</li>
<li>oftc</li>
<li>piratenet</li>
</ul></li>
</ul>
<h2 id="server-password">Server password</h2>
<p>This might not work with some networks, but this works with freenode. All IRC clients should support settng password which to use while connecting to server. Set it as <code>username:password</code> for freenode and you are automatically identified when you connect.</p>
<p>Some notes:</p>
<ul class="incremental">
<li>This is only known to work with freenode.</li>
<li>You aren't identified immediately so as shown in the embedded gist, your real host is visible for people who have you on <code>/monitor</code>.</li>
<li>This won't help you if services go down.</li>
</ul>
<h2 id="automatic-command">Automatic command</h2>
<p>This works with probably every client. They support setting commands that are automatically run as you connect and you can set the command</p>
<pre><code>/msg NickServ identify username password</code></pre>
<p>or whatever syntax the services on your network use.</p>
<p>Some notes:</p>
<ul class="incremental">
<li>Your real host is still visible for /monitor ing people.</li>
<li>Your client might send that command too late to prevent you from getting to redirect channels for unidentified users and show your real host to everyone.</li>
<li>You might annoy people by joining twice and quitting once with &quot;Changing host&quot;.</li>
</ul>
<hr/>
For corrections above this line, please contact <a href="../irc.html">me at IRC</a> or fix them by yourself <a href="https://github.com/Mkaysi/mkaysi.github.io/blob/master/pages/external/identifying.html.md">here</a>. What is below that line is embedded GitHub gist which reads where to contact with issues with it.
<hr/>
<script src="https://gist.github.com/maxanton/1e2cf7ada079c271bd3c.js"></script>
<hr/>
<hr/>
<script>
var idcomments_acct = '2405e74b7c1c8062b1b2ea830f1a8bd0';
var idcomments_post_id;
var idcomments_post_url;
</script>
<span id="IDCommentsPostTitle" style="display:none"></span>
<script type='text/javascript' src='http://www.intensedebate.com/js/genericCommentWrapperV2.js'></script>

</body>
</html>
<!-- vim : set ft=markdown-->