View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003247 | unreal | module api | public | 2007-02-27 21:46 | 2015-08-08 16:20 |
Reporter | Sakkath | Assigned To | syzop | ||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | resolved | Resolution | fixed | ||
Platform | amd64 | OS | Gentoo Linux | OS Version | 2006.1 |
Product Version | 3.2.6 | ||||
Fixed in Version | 3.2.10.4 | ||||
Summary | 0003247: Feature Request | ||||
Description | Would it be possible to have a feature, either in the link block, or oper block, or SOMETHING (link block would be nice so I could mandate this globally) to make it so a user needs to be using SSL if he/she wants to oper up? This could be a nice module, I wish I had the time to learn a little bit more C and the UnrealIRCd module syntax, so if anyone else likes the idea and you decide to make it, let me know :D! | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
(0013241) aquanight, 2007-02-27 22:05

Already doable, sort of. Have the oper(s) use an SSL client cert. Preferably 1 per oper. Don't remember the process of making a client cert, but when you do, put the public key in the unreal folder (give the oper his private key - he keeps that under lock and key), then take the path where you stuck the public key and put it in the oper password field like so: password "path/to/public.key" { sslclientcert; }; The client then configures his client to do SSL authentication and gives the path to private and public keys where needed.

Advantages: the password field to /oper is now redundant (you can just put whatever there, it's ignored, but /oper will whine about not enough params if you leave it out altogether), so opers don't need to remember a password (or worse: put one in their client script. UGH.); /oper is useless if he's not on SSL - he will be rejected because non-SSLers have no key attached at all, thus failed auth.

If you want to force SSL but stick with user/pass - that's pointless, because if an oper is rejected by a non-SSL rule, his user/pass will have still been sent over an insecure connection. Better to use an SSL client cert if you want to force SSL.

edit: forgot to mention, you can do the same thing with all (but one) password fields. For allow::password, the process is the same. For link::password-receive, the only difference is the key used. You use the server keys automatically generated when you first compile unreal for SSL (or if you got proper CA-signed server keys, you'd use those): the public key is by default server.cert.pem (the private key is server.key.pem - which should *not* be copied anywhere, copy only the public key), then put the filename of the other server's public key in link::password-receive. Then password-connect can be junk (this is the only "password" field you can't do this with, since it doesn't take any authtype at all, hence the "(but one)" above), since as with oper password, it's ignored (but still needs to be filled in).

edit2: when I have time, I'll make up proper documentation for this feature.
(0013242) Sakkath, 2007-02-27 22:16

Thanks a lot. I didn't know that was possible. I don't know if all the opers will like the idea of requiring a client cert, but I'll talk it over with them; it's a nice idea. I'm just wondering how I can mandate it like I can issue 'quarantine' in the link block. I do indeed trust my opers, but everyone gets lazy sometimes :P. So how would the user/pass be sent over an insecure connection? All my servers are linked with SSL :D. I'm not an SSL guru so I don't even understand private key vs. public key and how it all works. I just know it works. So how can I create a public and private key for my oper to use?
(0013243) Sakkath, 2007-02-27 22:44

http://www.unrealircd.com/index.php?page=modules&mod=module&id=47

Wow look at that :D! aquanight: well this request was useless, but I sure did learn a lot! I'm glad I asked! Thanks a lot :-p.
(0013244) Robby22, 2007-02-27 22:51

Perhaps this is what you need/want: http://www.unrealircd.org/index.php?page=modules&mod=module&id=47

Edit: hehe ;) you beat me to it, posting it while I was still writing ;)
(0013249) Stealth, 2007-03-01 11:48

About making client certs: http://tspre.org/sslclientcert/
(0013250) Sakkath, 2007-03-01 14:29

Thanks, I'll check that out. I hope it has irssi :D.

Edit: Guess not. I use irssi and have availability to the openssl shell and all of the openssl commands.
(0013252) Stealth, 2007-03-01 20:15

I believe the commands in the batch files in that zip are the same ones you'd execute from a command prompt in *nix. With irssi, you would need to specify the certificate as part of the connect command. I have it aliased as:

SSL connect -ssl -ssl_pkey /full/path/to/privkey.pem -ssl_cert /full/path/to/cert.pem $0-
(0013253) Sakkath, 2007-03-01 21:11

Okay, I'll check it out when I get some free time.
(0013482) WolfSage, 2007-04-17 17:26

Are the modules / methods available sufficient? Or should this be added in? It seems like a nice idea - add a require_ssl oper flag or something similar into conf...
(0013483) Sakkath, 2007-04-17 17:28

I'm pretty sure m_soper is sufficient. I didn't get it to work yet because I installed a lot of modules at once and it caused UnrealIRCd to crash. I have to slowly put them all in to see which one causes it to crash.
(0013487) WolfSage, 2007-04-17 17:53

I think this would be good core functionality. I'll try to implement it some time in the next few weeks. If the devs agree, I'd like to see this added.
(0013489) Sakkath, 2007-04-17 18:34

Awesome, I made a useful post!
(0013497) 2007-04-18 04:53

Well, technically we should keep 3rd party market and core market apart, to make it possible for the authors to keep track of their own modules, and to stimulate others into getting other 3rd party modules, so I'm not sure this should be included as core functionality. Maybe mentioned as "cool module"?
(0013514) WolfSage, 2007-04-18 06:52

aquanight brought up a good argument against this. If someone attempts to oper up without SSL, then their password is already in clear text and can have been compromised. However, since (theoretically) a user will only try this once, this will ensure that from then on they oper up WITH SSL. But since there are modules and certs to handle this, and I don't have any strong feelings towards this (and there are plenty of legit bugs to fix currently), I think we can leave this one as it is.
(0013519) Sakkath, 2007-04-18 09:36

Well, I still think m_soper works fine =).
(0015401) Strawberry_Kittens, 2008-09-07 17:03

m_soper crashes with 3.2.7 when someone opers (for me at least). I would like to see this implemented into the core features. Like completely ignoring /oper if the user is not on SSL.
(0015402) Stealth, 2008-09-07 20:08

> I would like to see this implemented into the core features. Like completely ignoring /oper if the user is not on SSL.

As mentioned in my forum post (http://forums.unrealircd.com/viewtopic.php?f=3&t=5513) this is already somewhat in the core. To require opers to use SSL to oper, require them to use an SSL cert as the authentication method. This way there is no way they can oper on a plaintext connection, and there is no way their password can be leaked by attempting to oper on plaintext. Please read this post on the forums to learn how to set up opers with SSL certs: http://forums.unrealircd.com/viewtopic.php?f=3&t=4181
(0018601) syzop, 2015-08-08 16:19

This was implemented quite some years ago, I think in the 3.2.x series already... forgot which version. You simply use oper::require-modes and put 'z' in there.
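An added example, not from this bug report or from UnrealIRCd itself, that puts the thread's setup together: the per-oper client certificate aquanight and Stealth describe, a guard against copying private key material to the server, and an oper block that authenticates with the certificate and also sets the require-modes restriction syzop mentions. Oper name, paths and the quoted-string form of require-modes are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or UnrealIRCd: one self-signed client
# cert per oper, a guard against copying private key material to the server,
# and the oper block that uses the cert (paths and oper name are assumptions).
set -eu

# Generate a private key plus self-signed certificate for one oper.
# The oper keeps NAME.key.pem; only NAME.cert.pem goes to the server.
make_oper_cert() {
    name=$1; dir=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$name" \
        -keyout "$dir/$name.key.pem" -out "$dir/$name.cert.pem" 2>/dev/null
    chmod 600 "$dir/$name.key.pem"
}

# Return 0 only if FILE carries no private key: the check aquanight's note
# implies for server.key.pem, which must never be copied to another host.
is_public_only() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Print the oper block. With authtype sslclientcert the password field holds
# the path to the oper's certificate, so no shared secret ever crosses the
# wire, even if someone tries /oper on a plaintext connection. require-modes
# "z" (syzop's note) additionally rejects /oper from non-SSL users; its
# quoted-string form follows the 3.2 documentation and is an assumption here.
oper_block() {
    name=$1; certpath=$2
    cat <<EOF
oper $name {
    class clients;
    from { userhost *@*; };
    password "$certpath" { sslclientcert; };
    require-modes "z";
    flags { global; };
    maxlogins 1;
};
EOF
}

# Run with --demo to create ./certs/demo-oper.{key,cert}.pem and print the block.
if [ "${1:-}" = "--demo" ]; then
    make_oper_cert demo-oper ./certs
    is_public_only ./certs/demo-oper.cert.pem
    oper_block demo-oper /home/unreal/certs/demo-oper.cert.pem
fi
```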
Date Modified | Username | Field | Change |
---|---|---|---|
2007-02-27 21:46 | Sakkath | New Issue | |
2007-02-27 22:05 | aquanight | Note Added: 0013241 | |
2007-02-27 22:11 | aquanight | Note Edited: 0013241 | |
2007-02-27 22:12 | aquanight | Note Edited: 0013241 | |
2007-02-27 22:16 | Sakkath | Note Added: 0013242 | |
2007-02-27 22:44 | Sakkath | Note Added: 0013243 | |
2007-02-27 22:51 | Robby22 | Note Added: 0013244 | |
2007-02-27 22:52 | Robby22 | Note Edited: 0013244 | |
2007-03-01 11:48 | Stealth | Note Added: 0013249 | |
2007-03-01 14:29 | Sakkath | Note Added: 0013250 | |
2007-03-01 14:30 | Sakkath | Note Edited: 0013250 | |
2007-03-01 20:15 | Stealth | Note Added: 0013252 | |
2007-03-01 21:11 | Sakkath | Note Added: 0013253 | |
2007-04-17 17:26 | WolfSage | Note Added: 0013482 | |
2007-04-17 17:28 | Sakkath | Note Added: 0013483 | |
2007-04-17 17:53 | WolfSage | Note Added: 0013487 | |
2007-04-17 18:34 | Sakkath | Note Added: 0013489 | |
2007-04-18 04:53 | | Note Added: 0013497 | |
2007-04-18 04:53 | | Status | new => acknowledged |
2007-04-18 05:53 | | Relationship added | child of 0003284 |
2007-04-18 06:52 | WolfSage | Note Added: 0013514 | |
2007-04-18 09:36 | Sakkath | Note Added: 0013519 | |
2008-09-07 17:03 | Strawberry_Kittens | Note Added: 0015401 | |
2008-09-07 20:08 | Stealth | Note Added: 0015402 | |
2015-08-08 16:19 | syzop | Note Added: 0018601 | |
2015-08-08 16:19 | syzop | Status | acknowledged => resolved |
2015-08-08 16:19 | syzop | Fixed in Version | => 3.2.10.4 |
2015-08-08 16:19 | syzop | Resolution | open => fixed |
2015-08-08 16:19 | syzop | Assigned To | => syzop |
2017-01-06 15:48 | syzop | Category | module => module api |