Certificate fingerprint
When you use SSL/TLS to connect to a server you can configure your IRC client to use a client certificate. Your client certificate results in something called a certificate fingerprint (or certfp), which is a string of hexadecimal values (SHA256). It is shown in WHOIS.
Certificate fingerprints can be used in many places:
- In Services like Anope and Atheme to authenticate the user
- Instead of a password, for example in the oper block
- At any place where a Mask item is used, for example in the allow block to give such a user a maxperip of 25.
- In a Security-group block
- Etc...
Configuring your client
- Create an SSL/TLS client certificate if you don't have one already. Search the web for irc client certificate if you don't know how to do this.
- Connect to IRC with your client, using your client certificate (consult your IRC client documentation)
- On IRC simply WHOIS yourself and you will see a line like:
XYZ has client certificate fingerprint e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798
If you do not see a line stating a "client certificate fingerprint", then your IRC client is NOT configured correctly to use the SSL/TLS client certificate. Consult your IRC client documentation.
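To check the value before it goes into a config file, the fingerprint can also be computed offline from the certificate file. The following is an added example, not code from UnrealIRCd or this page. It assumes the certfp is the SHA-256 digest of the DER-encoded certificate (the value `openssl x509 -noout -fingerprint -sha256` prints, with colons); the function names and the sample PEM are constructed for illustration.

```python
import hashlib
import re
import ssl

HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize_certfp(text: str) -> str:
    """Return a fingerprint as 64 lowercase hex digits, the form WHOIS shows.

    Accepts the bare hex form or a line such as
    "sha256 Fingerprint=AA:BB:..." as printed by openssl.
    """
    value = text.strip().rsplit("=", 1)[-1]
    value = value.replace(":", "").lower()
    if not HEX64.fullmatch(value):
        # Wrong length (for example a 40-digit SHA-1 value) or stray characters:
        # such an entry in a config file would never match any client.
        raise ValueError(f"not a SHA-256 fingerprint: {text!r}")
    return value


def certfp_from_pem(pem: str) -> str:
    """SHA-256 over the DER bytes of the certificate in `pem` (assumed definition)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def mask_item(fingerprint: str) -> str:
    """Render the fingerprint in the mask item form shown on this page."""
    return f'mask {{ certfp "{normalize_certfp(fingerprint)}"; }}'


# Constructed sample input: stand-in bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# The fingerprint used throughout this page, and its colon-separated openssl form.
PAGE_FP = "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798"
OPENSSL_LINE = "sha256 Fingerprint=" + ":".join(
    PAGE_FP[i:i + 2] for i in range(0, 64, 2)).upper()

if __name__ == "__main__":
    print(normalize_certfp(OPENSSL_LINE))
    print(mask_item(certfp_from_pem(SAMPLE_PEM)))
```

With a real certificate, pass the contents of the PEM file to `certfp_from_pem` and compare the result with the line WHOIS shows.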
Using certfp in Services
- Identify to your account and then use NS CERT ADD. You can view your current certfp for a services account via NS CERT LIST.
Adding the certfp in the config file
If e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798 is the certificate fingerprint, then you can use it:
- In a password item:
password "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798";
- In a mask item:
mask { certfp "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798"; }
- In a security-group:
security-group trusted_admins { certfp { e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; } }
Examples
Exempting from server bans
NOTE: This example is for UnrealIRCd 6.0.4 and higher
Use an except ban block so a trusted person can bypass most server bans (KLINE/GLINE/..) and other restrictions (maxperip, spamfilter, etc):
except ban {
    mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; }
    type all;
}
NOTE: The person is not exempt from ZLINE and GZLINE because these take effect before the certificate fingerprint is received.
More commands per second
This allows users to send more commands per second:
security-group flood-users {
    include-mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; }
}
set {
    anti-flood {
        flood-users {
            /* 100 means one command per 100ms. That is 10 commands/second.
             * The burst capability is always 10 times that, so 100 commands/second.
             */
            lag-penalty 100;
            lag-penalty-bytes 0;
        }
    }
}