Authentication

From UnrealIRCd documentation wiki
Jump to: navigation, search

UnrealIRCd allows users to authenticate to services before they are online. Normally this is optional, but you can also require authentication so unauthenticated users cannot enter the server. This can be done selectively (eg: only certain IP addresses, only TOR proxy users, etc.) or simply for everyone (if you want a closed chat server).

NOTE: Most of the features documented on this page are only available in UnrealIRCd 4.2.1 and later

How it looks like

If the optional authprompt module is loaded and the user must authenticate, then this will look like:

[11:56:08] -server.test.net- The server requires clients from this IP address to authenticate with a registered nickname and password.
[11:56:08] -server.test.net- Please reconnect using SASL, or authenticate now by typing: /AUTH nick:password
[11:56:08] -server.test.net- If you don't have a registered account then go to https://example.org/

The user can then configure SASL in their IRC client, or they can simply type /AUTH nickname:password

How to setup

To use authentication you need to run a Services package, such as anope, and enable SASL on the server (and in services).

If you are going to use authentication as a way of trust, then you should also pay special attention to your services package features to counter abuse. It is highly recommended to have features enabled such as registration delay, email verification, and so on. Consult your services documentation for details.

Once set up, you may want to enable and configure the authprompt module.

Finally, you configure in UnrealIRCd when people need to authenticate, see below.

Who needs to authenticate?

The server admin can decide and has a number of options available:

Only certain IPs/hosts

If an ISP has a lot of troublemakers then you can require users on *@*.isp.tld to authenticate. This can be done with a Require authentication block which allows to specify an hostmask.

require authentication {
        mask *@*.isp.tld;
        reason "Many troublemakers from this internet provider. Please authenticate.";
};

Everyone

If you want a closed chat server with only authenticated users then you can use the previously mentioned Require authentication block with a mask of *@*

Dynamically on IRC

You can use soft-klines and soft-glines. These are prefixed with a percent sign (%). For example:

/GLINE %*@*.nl 0 I hate Dutch people

This will require authentication for all users matching the *.nl mask.

Blacklisted users

This allows you to require authentication for TOR and (other) proxy users, for example.

First you configure the blacklist module to check an appropriate DNSBL. Then, in the blacklist block, you use an action such as soft-kill, soft-kline and soft-gline.

See also

Since this page is called Authentication, you may be reading this if you are actually looking for something else:

  • See the Oper block if you are looking for how to configure administrators (called IRC Operators in the IRC world)
  • If you are looking for oper::password, vhost::password, etc. authentication types, see Authentication types