SASL

From UnrealIRCd documentation wiki

When you enable SASL, users can authenticate against their services account early in the client handshake, before the client is fully online. This has a number of benefits:

  • It is a universal way to identify to services. No need to /NS IDENTIFY, /MSG NickServ IDENTIFY, or whatever the command may be with services package XYZ.
  • Similarly, if services disconnect and come back later, there's no need to re-identify via /NS IDENTIFY.
  • Because it happens early in the IRC handshake you receive the proper vhost and modes. For instance, you can safely (auto)join registered only (+R) channels.
  • If the server is under attack and the Connthrottle protection is activated then SASL users are still allowed in.
  • Optionally, you can make SASL authentication mandatory, for example on a server that permits open proxies / Tor. You do so via a require authentication { } block or by using soft bans.
  • IRCOps can use soft bans to ban users from a certain ISP or IP range, but still allow users with SASL in.
  • Specific user accounts can be given benefits such as more connections per IP, or you can exempt specific accounts from all kinds of bans or restrictions via the Except ban block or ELINE by placing the exemption on ~account:some_specific_account_name.
  • IRCOps can ban users by their services account with, e.g., GLINE ~a:Accountname, see Extended server bans.

Enabling SASL on the server

Step 1: enable in services

First, you need to enable SASL in your services package.

anope: In anope 2.0.7 or higher SASL is enabled by default.

atheme: Here too, SASL seems to be enabled by default.

When in doubt, check your anope.conf / atheme.conf and search for the word 'sasl'.

Step 2: enable in UnrealIRCd

Then, in UnrealIRCd you have to set the SASL server to your services server, like this:

set { sasl-server services.my.net; };

It is recommended that you set this configuration item explicitly. However, if you don't have this setting and use anope, then the SASL server should still be detected automatically. In atheme this does not work at the moment.

How to verify SASL is enabled

You can verify whether SASL is available on a server by issuing the command 'CAP LS'. Usually you will need to type '/quote CAP LS', and not all clients (irssi, for example) will show the output:

[12:44:28] -> Server: CAP LS
[12:44:28] CAP LS unrealircd.org/plaintext-policy=user=allow,oper=warn,server=warn unrealircd.org/link-security=2 extended-join chghost cap-notify userhost-in-names multi-prefix away-notify account-notify sasl tls

In this example, sasl is listed as the second-to-last capability. This means SASL is available on this server.

If sasl is missing in CAP LS then it could be one of these problems:

  • SASL is not enabled in the services package
  • The services server is not linked (services are offline)
  • SASL is not enabled in the IRC server

Again, if you see no output at all for CAP LS, then your client is intercepting the output. Try a different client, or open an nc or telnet session to the IRC port and issue a CAP LS command.
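As an added example (not part of this wiki page, and not UnrealIRCd, Anope or Atheme code), the Python script below walks through what a client does after CAP LS: it parses a capability list of the kind shown above, requests sasl, and performs the SASL PLAIN exchange (AUTHENTICATE PLAIN, the server's AUTHENTICATE +, a base64 username/password payload, then a 903 or 904 numeric) against a constructed fake server, so it runs without a network. The server name irc.example.net, the account alice and its password are constructed values, and the fake server models only the bare exchange, not real UnrealIRCd behaviour.

```python
"""Client side of IRCv3 CAP negotiation and SASL PLAIN, stepped through offline against
a constructed fake server. Added example, not UnrealIRCd, Anope or Atheme code."""
import base64
from typing import Dict, List, Optional, Tuple


def parse_cap_ls(line: str) -> Dict[str, Optional[str]]:
    """Parse ':server CAP * LS [*] :cap1 cap2=value ...' into {capability: value or None}."""
    if line.startswith(":"):                     # drop the ":server.name " prefix
        line = line.split(" ", 1)[1]
    head, sep, trailing = line.partition(" :")
    if not sep or not head.startswith("CAP "):
        raise ValueError(f"not a CAP reply: {line!r}")
    caps: Dict[str, Optional[str]] = {}
    for token in trailing.split():               # "sasl=PLAIN,EXTERNAL" or bare "sasl"
        name, _, value = token.partition("=")
        caps[name] = value or None
    return caps

def sasl_plain_payload(authcid: str, passwd: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, base64-encoded for AUTHENTICATE."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")

def split_authenticate(payload: str) -> List[str]:
    """Chunk into 400-byte AUTHENTICATE lines; a lone '+' ends a payload whose last chunk is full."""
    chunks = [payload[i:i + 400] for i in range(0, len(payload), 400)]
    if not chunks or len(chunks[-1]) == 400:
        chunks.append("+")
    return [f"AUTHENTICATE {c}" for c in chunks]

class SaslPlainClient:
    """Client state machine: feed() takes one server line and returns the lines to send back."""

    def __init__(self, nick: str, account: str, password: str):
        self.nick, self.account, self.password = nick, account, password
        self.caps: Dict[str, Optional[str]] = {}
        self.result: Optional[str] = None        # "success", "failed" or "unavailable"

    def start(self) -> List[str]:
        return ["CAP LS 302",                    # 302 asks for capability values, e.g. sasl=PLAIN
                f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def feed(self, line: str) -> List[str]:
        parts = (line.split(" ", 1)[1] if line.startswith(":") else line).split()
        if parts[0] == "CAP" and parts[2] == "LS":
            self.caps.update(parse_cap_ls(line))
            if parts[3] == "*":                  # multi-line LS: more lines follow
                return []
            if "sasl" in self.caps:
                return ["CAP REQ :sasl"]
            self.result = "unavailable"          # the situation the page's checklist covers
            return ["CAP END"]
        if parts[0] == "CAP" and parts[2] == "ACK":
            return ["AUTHENTICATE PLAIN"]
        if parts[0] == "AUTHENTICATE" and parts[1] == "+":     # server says: send credentials
            return split_authenticate(sasl_plain_payload(self.account, self.password))
        if parts[0] == "903":                    # RPL_SASLSUCCESS
            self.result = "success"
            return ["CAP END"]
        if parts[0] in ("904", "905", "906"):    # ERR_SASLFAIL / ERR_SASLTOOLONG / ERR_SASLABORTED
            self.result = "failed"
            return ["CAP END"]
        return []                                # 900 RPL_LOGGEDIN and anything else: nothing to send

class FakeSaslServer:
    """Constructed stand-in for a SASL-capable IRC server; not real UnrealIRCd behaviour."""
    NAME = "irc.example.net"

    def __init__(self, accounts: Dict[str, str], sasl_enabled: bool = True):
        self.accounts = accounts                 # account -> password, constructed test data
        self.sasl_enabled = sasl_enabled         # False models "sasl missing from CAP LS"

    def handle(self, line: str) -> List[str]:
        p = f":{self.NAME}"
        if line.startswith("CAP LS"):
            caps = "extended-join account-notify tls" + (" sasl=PLAIN" if self.sasl_enabled else "")
            return [f"{p} CAP * LS :{caps}"]
        if line == "CAP REQ :sasl":
            return [f"{p} CAP * {'ACK' if self.sasl_enabled else 'NAK'} :sasl"]
        if line == "AUTHENTICATE PLAIN":
            return [f"{p} AUTHENTICATE +"]
        if line.startswith("AUTHENTICATE "):     # one chunk is enough for these short payloads
            _, authcid, passwd = base64.b64decode(line.split(" ", 1)[1]).split(b"\0")
            if self.accounts.get(authcid.decode("utf-8")) == passwd.decode("utf-8"):
                return [f"{p} 903 * :SASL authentication successful"]
            return [f"{p} 904 * :SASL authentication failed"]
        return []                                # NICK, USER and CAP END need no reply here

def run_handshake(client: SaslPlainClient, server: FakeSaslServer) -> Tuple[str, List[str]]:
    """Pump lines between client and fake server; returns (result, transcript)."""
    queue, transcript = client.start(), []
    while queue:
        out = queue.pop(0)
        transcript.append(f"C: {out}")
        for reply in server.handle(out):
            transcript.append(f"S: {reply}")
            queue.extend(client.feed(reply))
    return client.result or "incomplete", transcript
```

Calling run_handshake(SaslPlainClient("alice", "alice", "secret"), FakeSaslServer({"alice": "secret"})) returns "success" together with a C:/S: transcript of every line exchanged; passing sasl_enabled=False to the fake server reproduces the "sasl missing from CAP LS" case, and the client then ends negotiation with CAP END without ever sending credentials. Note that the PLAIN payload is only base64-encoded, so on plaintext port 6667 anyone who can observe the connection reads the account password directly; that is the reason for the TLS recommendation in the next section.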

Enabling SASL on the client

NOTE: It is recommended that you use an SSL/TLS connection to the server, if it is supported, so your traffic and login credentials are encrypted.

mIRC

  • File -> Select Server
  • Connect -> Servers: select the server you want to add your SASL to and click Edit (or create a new server)
  • Under Login Method, select SASL (/CAP)
  • Under Password, type the password for your account.

irssi