SASL

From UnrealIRCd documentation wiki

When you enable SASL, users can authenticate against services early in the client handshake, before the client is fully online. This has a number of benefits:

  • It is a universal way to identify to services. No need to /NS IDENTIFY, /MSG NickServ IDENTIFY, or whatever the command may be with services package XYZ.
  • Similarly, if services disconnect and come back later, there's no need to re-identify via /NS IDENTIFY.
  • Because it happens early in the IRC handshake, you receive the proper vhost and modes. For instance, you can safely (auto)join registered-only (+R) channels.
  • From UnrealIRCd 4.0.18 onward you can make SASL authentication mandatory, for example on a server that permits open proxies / Tor. You do so via allow::options::require-sasl in the Allow block. Of course, this assumes users can register their nicknames via some other means.

Enabling SASL on the server

Step 1: enable in services

First, you need to enable SASL in your services package.

For example, in Anope you need to edit your modules.conf (or modules.example.conf) so it shows:

/*
 * m_sasl
 *
 * Some IRCds allow "SASL" authentication to let users identify to Services
 * during the IRCd user registration process. If this module is loaded, Services will allow
 * authenticating users through this mechanism. Supported mechanisms are:
 * PLAIN, EXTERNAL.
 */
module { name = "m_sasl" }

In Anope 2.0.6 (2017-12-11) and newer the SASL module is already loaded by default.

Step 2: enable in UnrealIRCd

Then, in UnrealIRCd you have to set the SASL server to your services server, like this:

set { sasl-server services.my.net; };

UnrealIRCd also has auto-detection, which works with certain services packages (such as Anope). In that case setting set::sasl-server is unnecessary, but you could set it anyway just to be sure.

How to verify SASL is enabled

You can verify whether SASL is available on a server by issuing the command 'CAP LS'. Usually you will need to use '/quote CAP LS', and some clients (such as irssi) may not show the output:

[12:44:28] -> Server: CAP LS
-
[12:44:28] CAP LS unrealircd.org/plaintext-policy=user=allow,oper=warn,server=warn unrealircd.org/link-security=2 extended-join chghost cap-notify userhost-in-names multi-prefix away-notify account-notify sasl tls
-

In this example sasl is listed as the second-to-last parameter. This means SASL is available on this server.

If sasl is missing in CAP LS then it could be one of these problems:

  • SASL is not enabled in the services package
  • The services server is not linked (they are offline)
  • SASL is not enabled in the IRC server

Again, if you see no output at all for CAP LS then your client is intercepting the output. Try a different client, or open an nc or telnet session to the IRC port and issue a CAP LS command.
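
The check described above can be scripted so it does not depend on what an IRC client chooses to display. The following is an added example, not part of UnrealIRCd or its documentation: it parses raw CAP LS replies and reports whether sasl is advertised. The function names, the host irc.example.net, the TLS port 6697 and the SAMPLE lines are assumptions made for illustration; the "LS *" continuation marker and the sasl=PLAIN,EXTERNAL value form come from the IRCv3 capability negotiation specification and go beyond the single-line output shown on this page.

```python
import socket
import ssl

def irc_params(line):
    """Split a raw IRC line into parameters, dropping any ':server' prefix."""
    if line.startswith(":"):
        line = line.partition(" ")[2]
    head, sep, trailing = line.partition(" :")
    return head.split() + ([trailing] if sep else [])

def parse_cap_ls(lines):
    """Return ({capability: value}, complete) from raw CAP LS replies."""
    caps, complete = {}, False
    for line in lines:
        p = irc_params(line)
        if len(p) < 4 or p[0].upper() != "CAP" or p[2].upper() != "LS":
            continue  # NOTICE, PING and other traffic
        for token in p[-1].split():
            name, _, value = token.partition("=")
            caps[name] = value
        complete = complete or len(p) == 4  # 5 params ("LS * :...") = more follows
    return caps, complete

def check_sasl(lines):
    """Report whether 'sasl' is advertised, and with which mechanisms if listed."""
    caps, complete = parse_cap_ls(lines)
    mechs = [m for m in caps.get("sasl", "").split(",") if m]
    return {"complete": complete, "sasl": "sasl" in caps, "mechanisms": mechs}

def fetch_cap_ls(host, port=6697, timeout=10):
    """Collect CAP LS replies over TLS; 6697 is an assumed TLS port."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as conn:
        conn.sendall(b"CAP LS\r\n")
        buf, lines = b"", []
        while not parse_cap_ls(lines)[1]:
            chunk = conn.recv(4096)
            if not chunk:
                break
            *done, buf = (buf + chunk).split(b"\r\n")
            lines += [raw_line.decode("utf-8", "replace") for raw_line in done]
    return lines

SAMPLE = [  # constructed capture; capability names are from the page's CAP LS output
    ":irc.example.net NOTICE * :*** Looking up your hostname...",
    ":irc.example.net CAP * LS * :unrealircd.org/plaintext-policy=user=allow,oper=warn,server=warn extended-join",
    ":irc.example.net CAP * LS :account-notify sasl=PLAIN,EXTERNAL tls",
]
```

check_sasl(SAMPLE) runs the check offline on the constructed capture; against a live server, pass it the result of fetch_cap_ls("irc.example.net") with your own hostname in place of the placeholder.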

Enabling SASL on the client

NOTE: It is recommended that you use an SSL/TLS connection to the server, if it is supported, so your traffic and login credentials are encrypted.

mIRC

  • File -> Select Server
  • Connect -> Servers: select the server you want to add your SASL to and click Edit (or create a new server)
  • In Login Method you select SASL (/CAP)
  • In Password you type the password for your account.

irssi