Authentication types

From UnrealIRCd documentation wiki

At various places in the configuration file, for example the Oper block, Vhost block, Link block and Allow block, you can authenticate clients by password or by other means. You can specify the password as plaintext, but you can also specify an "authentication type".

Available auth-types

The following auth-types are available:

Auth-type: none
    Description: Plaintext / cleartext password
    Security level: Bad
    How to generate: Plaintext password directly in the config. Not recommended.

Auth-type: md5
    Description: MD5 with salt
    Security level: Deprecated
    How to generate: Deprecated. Do not use.

Auth-type: sha1
    Description: SHA1 with salt
    Security level: Deprecated
    How to generate: Deprecated. Do not use.

Auth-type: ripemd160
    Description: RIPEMD160 with salt
    Security level: Deprecated
    How to generate: Deprecated. Do not use.

Auth-type: crypt
    Description: UNIX crypt. The exact hashing algorithm depends on the type of crypt, and the security can therefore range from bad to reasonable.
    Security level: Bad or reasonable
    How to generate: Not recommended.

Auth-type: bcrypt
    Description: Blowfish crypt with salt and many rounds [1]
    Security level: Reasonable
    How to generate: On IRC: /MKPASSWD bcrypt <password>
                     On *NIX shell: ./unrealircd mkpasswd bcrypt

Auth-type: argon2
    Description: Argon2 hashing algorithm. Many rounds, anti-GPU cracking measures, etc. [2] Added in UnrealIRCd 4.2.1.
    Security level: Good
    How to generate: On IRC: /MKPASSWD argon2 <password>
                     On *NIX shell: ./unrealircd mkpasswd argon2

Auth-type: sslclientcert
    Description: SSL Client certificate. Note that most people use sslclientcertfp or spkifp instead.
    Security level: Excellent
    How to generate: Path to a public SSL certificate (.pem file)

Auth-type: sslclientcertfp
    Description: SSL Client certificate fingerprint (SHA256)
    Security level: Excellent
    How to generate: For a given SSL certificate such as client.pem, run:
                     openssl x509 -in client.pem -sha256 -noout -fingerprint
                     and copy the AA:BB:CC:DD:etc... fingerprint.

Auth-type: spkifp
    Description: SPKI Fingerprint. This is similar to an SSL Client certificate fingerprint but is usually only used for server linking. The benefit of spkifp over sslclientcertfp is that the spkifp stays the same as long as the key stays the same, so it survives certificate renewals (eg: by Let's Encrypt) as long as the key is not replaced.
    Security level: Excellent
    How to generate: For a given SSL certificate:
                     ./unrealircd spkifp conf/ssl/server.cert.pem
                     Or, alternatively, these openssl commands
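The difference between sslclientcertfp and spkifp in the table above is what gets hashed: the whole DER certificate versus only its subjectPublicKeyInfo (SPKI). The following added example (not UnrealIRCd's code, written here for illustration) walks the standard X.509 DER layout with a minimal TLV reader and shows that two certificates carrying the same key get different certificate fingerprints but the same SPKI fingerprint. It needs no crypto library: the two certificates are constructed stand-ins with dummy issuer, subject and signature fields, but pem_to_der() and spki_from_cert() work on a real certificate PEM too. Base64 output for the SPKI fingerprint is an assumption about UnrealIRCd's display format; the page does not show it.

```python
import base64
import hashlib
import re

SEQ, INT, BITSTR, CTX0 = 0x30, 0x02, 0x03, 0xA0   # DER tags used below


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def der_header_len(tlv: bytes) -> int:
    """Number of tag+length bytes at the start of a DER element."""
    first = tlv[1]
    return 2 + ((first & 0x7F) if first & 0x80 else 0)


def der_elements(value: bytes) -> list:
    """Split the contents of a constructed DER value into (tag, raw_tlv) pairs."""
    elements, pos = [], 0
    while pos < len(value):
        start = pos
        hdr = der_header_len(value[pos:])
        length = value[pos + 1]
        if length & 0x80:                      # long form: length follows
            length = int.from_bytes(value[pos + 2:pos + hdr], "big")
        pos += hdr + length
        elements.append((value[start], value[start:pos]))
    return elements


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the raw subjectPublicKeyInfo element of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    TBSCertificate starts with an optional [0] EXPLICIT version; when it is
    present the SPKI is the 7th field, otherwise the 6th."""
    tbs = der_elements(cert_der[der_header_len(cert_der):])[0][1]
    fields = der_elements(tbs[der_header_len(tbs):])
    return fields[6 if fields[0][0] == CTX0 else 5][1]


def cert_fingerprint(cert_der: bytes) -> str:
    """sslclientcertfp style: SHA256 over the whole DER certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def spki_fingerprint(cert_der: bytes) -> str:
    """spkifp style: SHA256 over the SPKI only (base64 output is assumed)."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()


def toy_certificate(serial: int, validity: bytes, spki: bytes) -> bytes:
    """Constructed stand-in for a certificate: real TBSCertificate field order,
    dummy issuer/subject/signature contents so no crypto library is needed."""
    tbs = der_tlv(SEQ, b"".join([
        der_tlv(CTX0, der_tlv(INT, b"\x02")),      # [0] version = v3
        der_tlv(INT, serial.to_bytes(2, "big")),   # serialNumber
        der_tlv(SEQ, b""),                         # signature algorithm (dummy)
        der_tlv(SEQ, b""),                         # issuer (dummy)
        der_tlv(SEQ, validity),                    # validity (dummy bytes)
        der_tlv(SEQ, b""),                         # subject (dummy)
        spki,                                      # subjectPublicKeyInfo
    ]))
    return der_tlv(SEQ, tbs + der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00"))


# Constructed key material: one SPKI carried by two successive certificates,
# as happens when a certificate is renewed but the private key is kept.
TOY_SPKI = der_tlv(SEQ, der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00" + bytes(range(32))))
CERT_2024 = toy_certificate(1, b"2024", TOY_SPKI)
CERT_2025 = toy_certificate(2, b"2025", TOY_SPKI)

if __name__ == "__main__":
    for name, cert in (("2024", CERT_2024), ("2025", CERT_2025)):
        print(name, "certfp:", cert_fingerprint(cert))
        print(name, "spkifp:", spki_fingerprint(cert))
```

Running it prints two different certfp values and one repeated spkifp value, which is exactly why a Link block keyed on spkifp keeps working after a Let's Encrypt renewal while one keyed on sslclientcertfp has to be updated.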

The auth-type argon2 is the best one if you want to authenticate using a password: it is designed to be slow to crack.

The types sslclientcert and sslclientcertfp require a bit more work and expertise, as the user must generate their own SSL Certificate and then use it to connect to the server via SSL/TLS. We suggest using this auth-type for /OPER (in the Oper block); see the 2nd example below. Finally, the type spkifp is usually only used for linking servers.

Example 1: argon2 password in vhost block

Say, you want to use the password test and want to use argon2 hashed passwords (the best password hashing method available).

  • As IRCOp run:
/MKPASSWD argon2 test

or on the *NIX command line run:

irc@system:~/unrealircd$ ./unrealircd mkpasswd
Enter password to hash:
Encrypted password is: $argon2id$v=19$m=8192,t=3,p=2$hDpgvcBOUVAJMQcJITTLnQ$fL5lg/3tZ0VgTXn61EQ6Rnxhl5j+MvESBBGpg1mZqWM
  • You should get back a string that starts with $ followed by a lot of characters.
  • Put this string in your vhost block (or any other block) like this:
vhost {
    vhost I.love.Tux;
    mask *@*;
    login Tux;
    password "$argon2id$v=19$m=8192,t=3,p=2$hDpgvcBOUVAJMQcJITTLnQ$fL5lg/3tZ0VgTXn61EQ6Rnxhl5j+MvESBBGpg1mZqWM";
};
  • /REHASH your IRCd server configuration (execute /REHASH as an IRCop on IRC)
  • Try to use the new vhost by typing /VHOST Tux test

Example 2: Oper by SSL Client certificates

sslclientcert and sslclientcertfp are exceptional auth-types which can be used to authenticate SSL/TLS users by their client certificate. With these authentication methods you can be sure the user is using SSL/TLS and is using the specified client certificate. It's very secure but is a slightly advanced feature.

Here's an example of how to use it for the oper block:

  • Create an SSL client certificate if you don't have one already. Search the web for irc client certificate if you don't know how to do this.
  • Connect to IRC with your client, using your client certificate (consult your IRC client documentation)
  • On IRC simply /WHOIS yourself and you will see a line like:
FriendlyOper has client certificate fingerprint e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798

If you do not see a line stating a "client certificate fingerprint", then your IRC client is not configured correctly to use the SSL client certificate. Consult your IRC client documentation.

  • In the server configuration file (eg: unrealircd.conf), set the password to the certificate fingerprint you saw on IRC. For example:
oper test {
     password "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798" { sslclientcertfp; };
[..]
};
  • Rehash your server
  • Now oper up through /OPER test. When you try this, make sure that you are not already an IRCOp.
  • You should now have IRC Operator rights.
  • Congratulations, you are now using the most secure authentication method available in UnrealIRCd!
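The table and the two examples above leave the operator with a few practical checks: which auth-type each password directive actually uses, whether any block still relies on a type rated Bad or Deprecated, and whether a pasted certificate fingerprint (the colon-separated uppercase form openssl prints, or the bare lowercase form /WHOIS shows) is a valid SHA256 fingerprint. The following added example (not UnrealIRCd's code, written here for illustration) implements those checks over a constructed config excerpt. The vhost and oper blocks mirror the examples on this page; the other two blocks are constructed. Inferring the auth-type from the standard $argon2 and $2a$/$2b$/$2y$ hash prefixes when no explicit type is given is an assumption, not something the page states.

```python
import re

# Security levels as given in the auth-type table on this page.
SECURITY_LEVEL = {
    "none": "Bad", "md5": "Deprecated", "sha1": "Deprecated",
    "ripemd160": "Deprecated", "crypt": "Bad or reasonable",
    "bcrypt": "Reasonable", "argon2": "Good", "sslclientcert": "Excellent",
    "sslclientcertfp": "Excellent", "spkifp": "Excellent",
}

FP_HEX = re.compile(r"^[0-9a-f]{64}$")

# Matches: password "value";  and  password "value" { type; };
PASSWORD_LINE = re.compile(
    r'password\s+"([^"]*)"\s*(?:\{\s*([a-z0-9]+)\s*;\s*\})?\s*;')


def normalize_fingerprint(raw: str) -> str:
    """Reduce any pasted spelling of a SHA256 fingerprint (the openssl
    'Fingerprint=AA:BB:...' line, colon-separated hex, or the bare lowercase
    form /WHOIS shows) to 64 lowercase hex characters."""
    value = raw.split("=", 1)[1] if "=" in raw else raw
    value = value.strip().replace(":", "").lower()
    if not FP_HEX.match(value):
        raise ValueError(f"not a SHA256 fingerprint: {raw!r}")
    return value


def infer_auth_type(secret: str) -> str:
    """Guess the auth-type when the config gives none. Assumption (not from
    the page): argon2 and bcrypt hashes carry their standard prefixes; any
    other value without an explicit type is treated as plaintext."""
    if secret.startswith("$argon2"):
        return "argon2"
    if re.match(r"^\$2[aby]\$", secret):
        return "bcrypt"
    return "none"


def audit_config(text: str) -> list:
    """Report auth-type, rating and problems for every password directive."""
    findings = []
    for m in PASSWORD_LINE.finditer(text):
        secret = m.group(1)
        auth_type = m.group(2) or infer_auth_type(secret)
        level = SECURITY_LEVEL.get(auth_type, "Unknown")
        finding = {"auth_type": auth_type, "level": level, "problems": []}
        if level not in ("Reasonable", "Good", "Excellent"):
            finding["problems"].append(
                f"auth-type {auth_type} is rated {level}; move to argon2 or a client certificate")
        if auth_type == "sslclientcertfp":
            try:
                finding["fingerprint"] = normalize_fingerprint(secret)
            except ValueError as exc:
                finding["problems"].append(str(exc))
        findings.append(finding)
    return findings


# Constructed sample config: the vhost and oper blocks mirror this page's examples.
SAMPLE_CONFIG = r'''
vhost {
    vhost I.love.Tux;
    mask *@*;
    login Tux;
    password "$argon2id$v=19$m=8192,t=3,p=2$hDpgvcBOUVAJMQcJITTLnQ$fL5lg/3tZ0VgTXn61EQ6Rnxhl5j+MvESBBGpg1mZqWM";
};
oper test {
    password "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798" { sslclientcertfp; };
};
oper legacy {
    password "hunter2";
};
oper oldhash {
    password "somehash" { md5; };
};
'''

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f["auth_type"], f["level"], *f["problems"])
```

The regex deliberately accepts both directive forms on the page (a bare hashed password and a password with an explicit `{ type; }`), so the audit can be run over a whole unrealircd.conf before a /REHASH to catch blocks that still use plaintext or a deprecated hash.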

Example 3: SSL Client certificates when linking servers

When you are linking servers via the Link block we highly suggest you follow the Tutorial: Linking servers as it uses the SSL client certificate fingerprint authentication type.