View Issue Details

ID: 0003247
Project: unreal
Category: module api
View Status: public
Last Update: 2015-08-08 16:20
Reporter: Sakkath
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Platform: amd64
OS: Gentoo Linux
OS Version: 2006.1
Product Version: 3.2.6
Fixed in Version: 3.2.10.4
Summary: 0003247: Feature Request

Description: Would it be possible to have a feature, either in the link block, or oper block, or SOMETHING (link block would be nice so I could mandate this globally) to make it so a user needs to be using SSL if he/she wants to oper up?

This could be a nice module, I wish I had the time to learn a little bit more C and the UnrealIRCd module syntax, so if anyone else likes the idea and you decide to make it, let me know :D!
Tags: No tags attached.
3rd party modules

Relationships

child of 0003284 (closed, syzop): 3rd Party Module Wishlist

Activities

aquanight

2007-02-27 22:05

reporter   ~0013241

Last edited: 2007-02-27 22:12

Already doable, sort of.

Have the oper(s) use an SSL client cert. Preferably 1 per oper.
Don't remember the process of making a client cert, but when you do, put the public key in the unreal folder (give the oper his private key - he keeps that under lock and key), then take the path where you stuck the public key and put it in the oper password field like so:

password "path/to/public.key" { sslclientcert; };

The client then configures his client to do SSL authentication and gives the path to private and public keys where needed.

Advantages: the password field to /oper is now redundant (you can just put whatever there, it's ignored, but /oper will whine about not enough params if you leave it out altogether), so opers don't need to remember a password (or worse: put one in their client script. UGH.). /oper is useless if he's not on SSL - he will be rejected because non-SSL users have no key attached at all, thus failed auth.

If you want to force SSL but stick with user/pass - that's pointless, because if an oper is rejected by non-ssl rule, his user/pass will have still been sent over an insecure connection. Better to use an SSL client cert if you want to force SSL.

edit: forgot to mention, you can do the same thing with all (but one) password fields. For allow::password, the process is the same. For link::password-receive, the only difference is the key used. You use the server keys automatically generated when you first compile unreal for SSL (or if you got proper CA-signed server keys, you'd use those): the public key is by default server.cert.pem (the private key is server.key.pem - which should *not* be copied anywhere, copy only the public key), then put the filename of the other server's public key in link::password-receive. Then password-connect can be junk (this is the only "password" field you can't do this with, since it doesn't take any authtype at all, hence the "(but one)" above), since as with oper password, it's ignored (but still needs to be filled in).

edit2: when I have time, I'll make up proper documentation for this feature.
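The procedure aquanight describes above (one client cert per oper, private key stays with the oper, public cert goes on the server, cert path used as the oper password with authtype sslclientcert), as an added runnable example. This is not code from this bug tracker or from UnrealIRCd; it assumes the openssl command-line tool is installed, and the oper name, output directory, class name and oper flags are placeholders to adjust. The generated oper block mirrors aquanight's `password "..." { sslclientcert; };` line and also sets `require-modes "z"`, the oper-block option syzop points to later in this thread, so a plaintext /oper is refused even if the cert check somehow passed.

```sh
#!/bin/sh
# Added example (not from the bug tracker or UnrealIRCd): make a per-oper
# self-signed client certificate and emit the matching oper block.
# Assumptions: openssl CLI available; NAME/OUTDIR/class/flags are placeholders.
set -eu

# make_oper_cert NAME OUTDIR [DAYS]
# Writes OUTDIR/NAME.key.pem (private: give only to the oper) and
# OUTDIR/NAME.cert.pem (public: this is the file that goes on the server).
make_oper_cert() {
    name="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir"
    umask 077    # the private key must not be readable by anyone else
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$name.key.pem" \
        -out "$outdir/$name.cert.pem" \
        -days "$days" -subj "/CN=$name" >/dev/null 2>&1
    # Sanity check before anything is copied to the server: the cert file
    # must contain only the certificate, never the private key.
    if grep -q 'PRIVATE KEY' "$outdir/$name.cert.pem"; then
        echo "refusing: private key found in $outdir/$name.cert.pem" >&2
        return 1
    fi
    chmod 644 "$outdir/$name.cert.pem"
}

# cert_fingerprint CERTFILE
# Prints the SHA-256 fingerprint so the oper can confirm out of band that
# the cert installed on the server is really the one paired with their key.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# oper_block NAME CERTPATH
# Prints an oper block for unrealircd.conf. The password is the path to the
# public cert with authtype sslclientcert (aquanight's note); require-modes
# "z" is the option syzop names later in the thread (assumed 3.2.10 syntax).
oper_block() {
    printf 'oper %s {\n' "$1"
    printf '\tclass clients;\n'
    printf '\tfrom { userhost *@*; };\n'
    printf '\tpassword "%s" { sslclientcert; };\n' "$2"
    printf '\trequire-modes "z";\n'
    printf '\tflags { netadmin; };\n'
    printf '};\n'
}

# usage: sh mkopercert.sh NAME OUTDIR
if [ $# -ge 2 ]; then
    make_oper_cert "$1" "$2"
    echo "fingerprint for $1: $(cert_fingerprint "$2/$1.cert.pem")"
    oper_block "$1" "$2/$1.cert.pem"
fi
```

Copy only NAME.cert.pem to the UnrealIRCd directory and paste the printed block into unrealircd.conf; hand NAME.key.pem to the oper over a channel you trust and have them compare the fingerprint. On the client side the oper then connects with both files, e.g. the irssi `-ssl_pkey`/`-ssl_cert` options Stealth shows further down this thread. If the PRIVATE KEY check ever fires, the cert file was produced incorrectly and must not be deployed, since the server copy would then hold the oper's secret.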

Sakkath

2007-02-27 22:16

reporter   ~0013242

Thanks a lot. I didn't know that was possible. I don't know if all the opers will like the idea of requiring a client cert, but I'll talk it over with them, it's a nice idea.

I'm just wondering how I can mandate it like I can issue 'quarantine' in the link block. I do indeed trust my opers, but everyone gets lazy sometimes :P.

So how would the user/pass be sent over an insecure connection? All my servers are linked with SSL :D.

I'm not an SSL guru so I don't even understand private key vs. public key and how it all works. I just know it works.

So how can I create a public and private key for my oper to use?

Sakkath

2007-02-27 22:44

reporter   ~0013243

http://www.unrealircd.com/index.php?page=modules&mod=module&id=47

Wow look at that :D!

aquanight: well this request was useless, but I sure did learn a lot! I'm glad I asked! Thanks a lot :-p.

Robby22

2007-02-27 22:51

reporter   ~0013244

Last edited: 2007-02-27 22:52

Perhaps this is what you need/want: http://www.unrealircd.org/index.php?page=modules&mod=module&id=47

Edit: hehe ;) you beat me to it, posting it while I was still writing ;)

Stealth

2007-03-01 11:48

reporter   ~0013249

About making client certs:
http://tspre.org/sslclientcert/

Sakkath

2007-03-01 14:29

reporter   ~0013250

Last edited: 2007-03-01 14:30

Thanks, I'll check that out. I hope it has irssi :D.

Edit: Guess not. I use irssi and have availability to the openssl shell and all of the openssl commands.

Stealth

2007-03-01 20:15

reporter   ~0013252

I believe the commands in the batch files in that zip are the same ones you'd execute from a command prompt in *nix. With irssi, you would need to specify the certificate as part of the connect command.

I have it aliased as:
SSL connect -ssl -ssl_pkey /full/path/to/privkey.pem -ssl_cert /full/path/to/cert.pem $0-

Sakkath

2007-03-01 21:11

reporter   ~0013253

Okay I'll check it out when I get some free time.

WolfSage

2007-04-17 17:26

reporter   ~0013482

Are the modules / methods available sufficient? Or should this be added in? It seems like a nice idea - add a require_ssl oper flag or something similar into conf...

Sakkath

2007-04-17 17:28

reporter   ~0013483

I'm pretty sure m_soper is sufficient. I didn't get it to work yet because I installed a lot of modules at once and it caused UnrealIRCd to crash. I have to slowly put them all in to see which one causes it to crash.

WolfSage

2007-04-17 17:53

reporter   ~0013487

I think this would be good core functionality. I'll try to implement it some time in the next few weeks. If the devs agree, I'd like to see this added.

Sakkath

2007-04-17 18:34

reporter   ~0013489

Awesome, I made a useful post!

stskeeps

2007-04-18 04:53

reporter   ~0013497

Well, technically we should keep 3rd party market and core market apart, to make it possible for the authors to keep track of their own modules, and to stimulate others into getting other 3rd party modules, so I'm not sure this should be included as core functionality. Maybe mentioned as "cool module"?

WolfSage

2007-04-18 06:52

reporter   ~0013514

aquanight brought up a good argument against this. If someone attempts to oper up without SSL, then their password is already in clear text and may have been compromised. However, since (theoretically) a user will only try this once, this will ensure that from then on they oper up WITH SSL. But since there are modules and certs to handle this, and I don't have any strong feelings towards this (and there are plenty of legit bugs to fix currently), I think we can leave this one as it is.

Sakkath

2007-04-18 09:36

reporter   ~0013519

Well I still think m_soper works fine =).

Strawberry_Kittens

2008-09-07 17:03

reporter   ~0015401

m_soper crashes with 3.2.7 when someone opers (for me at least)

I would like to see this implemented into the core features. Like completely ignoring /oper if the user is not on SSL.

Stealth

2008-09-07 20:08

reporter   ~0015402

> I would like to see this implemented into the core features. Like completely ignoring /oper if the user is not on SSL.

As mentioned in my forum post (http://forums.unrealircd.com/viewtopic.php?f=3&t=5513) this is already somewhat in the core. To require opers to use SSL to oper, require them to use an SSL cert as the authentication method. This way there is no way they can oper on a plaintext connection, and there is no way their password can be leaked by attempting to oper on plaintext.

Please read this post on the forums to learn how to set up opers with SSL certs: http://forums.unrealircd.com/viewtopic.php?f=3&t=4181

syzop

2015-08-08 16:19

administrator   ~0018601

This was implemented quite some years ago, I think in the 3.2.x series already... forgot which version.
You simply use oper::require-modes and put 'z' in there.

Issue History

Date Modified Username Field Change
2007-02-27 21:46 Sakkath New Issue
2007-02-27 22:05 aquanight Note Added: 0013241
2007-02-27 22:11 aquanight Note Edited: 0013241
2007-02-27 22:12 aquanight Note Edited: 0013241
2007-02-27 22:16 Sakkath Note Added: 0013242
2007-02-27 22:44 Sakkath Note Added: 0013243
2007-02-27 22:51 Robby22 Note Added: 0013244
2007-02-27 22:52 Robby22 Note Edited: 0013244
2007-03-01 11:48 Stealth Note Added: 0013249
2007-03-01 14:29 Sakkath Note Added: 0013250
2007-03-01 14:30 Sakkath Note Edited: 0013250
2007-03-01 20:15 Stealth Note Added: 0013252
2007-03-01 21:11 Sakkath Note Added: 0013253
2007-04-17 17:26 WolfSage Note Added: 0013482
2007-04-17 17:28 Sakkath Note Added: 0013483
2007-04-17 17:53 WolfSage Note Added: 0013487
2007-04-17 18:34 Sakkath Note Added: 0013489
2007-04-18 04:53 stskeeps Note Added: 0013497
2007-04-18 04:53 stskeeps Status new => acknowledged
2007-04-18 05:53 stskeeps Relationship added child of 0003284
2007-04-18 06:52 WolfSage Note Added: 0013514
2007-04-18 09:36 Sakkath Note Added: 0013519
2008-09-07 17:03 Strawberry_Kittens Note Added: 0015401
2008-09-07 20:08 Stealth Note Added: 0015402
2015-08-08 16:19 syzop Note Added: 0018601
2015-08-08 16:19 syzop Status acknowledged => resolved
2015-08-08 16:19 syzop Fixed in Version => 3.2.10.4
2015-08-08 16:19 syzop Resolution open => fixed
2015-08-08 16:19 syzop Assigned To => syzop
2017-01-06 15:48 syzop Category module => module api