Tip of the day: UnrealIRCd 6 uses GeoIP by default. It is shown in WHOIS but also available as country in mask items,for example it can be used in the TLD Block to serve a Spanish MOTD to people in Spanish speaking countries. |
Certificate fingerprint
When you use SSL/TLS to connect to a server you can configure your IRC client to use a client certificate. Your client certificate results in something called a certificate fingerprint (or certfp) which is a string of hexadecimal values (SHA256). It is shown in WHOIS
.
Certificate fingerprints can be used at a lot of places:
- In Services like anope and atheme to authenticate the user
- Instead of a password, for example in the oper block
- At any place where a Mask item is used, for example in the allow block to give such a user a maxperip of 25.
- In a Security-group block
- Etc...
Configuring your client
- Create an SSL/TLS client certificate if you don't have one already. Search the web for irc client certificate if you don't know how to do this.
- Connect to IRC with your client, using your client certificate (consult your IRC client documentation)
- On IRC simply
WHOIS
yourself and you will see a line like:
XYZ has client certificate fingerprint e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798
If you do not see a line stating a "client certificate fingerprint", then your IRC client is NOT configured correctly to use the SSL/TLS client certificate. Consult your IRC client documentation.
Using certfp in Services
- Identify to your account and then use
NS CERT ADD
. You can view your current certfp for a services account viaNS CERT LIST
.
Adding the certfp in the config file
If e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798
is the certificate fingerprint, then you can use it:
- In a password item:
password "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798";
- In a mask item:
mask { certfp "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798"; }
- In a security-group:
security-group trusted_admins { certfp { e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; } }
- In a Crule like:
match_certfp('e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798')
- In a password item:
See next section for examples.
Examples
Security group combining oper block and more
NOTE: This example is for UnrealIRCd 6.0.4 and higher
This example will:
- define a security-group with a certificate fingerprint
- use it in an oper block with auto-login
- exempt that user from (nearly) all server bans
security-group Admin1 { certfp "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798"; } oper Admin1 { auto-login yes; mask { security-group Admin1; } operclass netadmin-with-override; class opers; } except ban { mask { security-group Admin1; } type all; }
Exempting from server bans
NOTE: This example is for UnrealIRCd 6.0.4 and higher
Use an except ban block so a trusted person can bypass most server bans (KLINE/GLINE/..) and other restrictions (maxperip, spamfilter, etc):
except ban { mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; } type all; }
NOTE: The person is not exempt from ZLINE
and GZLINE
because these take effect before the certificate fingerprint is received.
More commands per second
This allows users to send more commands per second:
security-group flood-users { include-mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; } } set { anti-flood { flood-users { /* 100 means one command per 100ms. That is 10 commands/second. * The burst capability is always 10 times that, so 100 commands/second. */ lag-penalty 100; lag-penalty-bytes 0; } } }
Note that IRCOps can already flood at full speed (no lag penalty).