
Certauth: Difference between revisions

From ZNC
>Mkaysi
Example: Link to ZNC wiki instead of OFTC.
DoctorD90 (talk | contribs)
 
(10 intermediate revisions by 6 users not shown)
Line 2: Line 2:
{{Core Module | version = 0.094}}
{{Core Module | version = 0.094}}


This module let's users to log in via SSL client keys, similar to [http://www.oftc.net/oftc/NickServ/CertFP CertFP].
This module lets users log in to ZNC using SSL client keys ([https://www.oftc.net/NickServ/CertFP/ CertFP]).


== Usage ==
== Usage ==
Line 9: Line 9:
| type = global}}
| type = global}}


After loading this module, you have to reconnect to znc. You can now save your key fingerprint with <code>/msg *certauth add</code>. From now on you can log in to znc with any password. E.g. you can just send an "user/network:." as the server password (an empty password).
After loading this module, you have to reconnect to ZNC. You can now save your key fingerprint with <code>/msg *certauth add</code>. From now on you can log in to ZNC with any password but it cannot be blank. E.g. you can just send an "user@identifier/network:" as the server password.


== Example ==
== Example ==
After loading certauth and following the steps from [[Cert#Generating_a_certificate|ZNC's Cert page]], I connect with my SSL client certificate to ZNC:
After loading certauth and following the steps from [[Cert#Generating_a_certificate|ZNC's Cert page]] to generate SSL certificate, I connect with my SSL client certificate to ZNC:


<pre>
<pre>
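Review bot: The reworded Usage sentence says the password "cannot be blank", yet the example that follows it, "user@identifier/network:", ends at the colon and so shows an empty password. Put a placeholder password after the colon in the example, or drop the restriction, so the sentence and its example agree.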
Line 31: Line 31:
</pre>
</pre>


Now I reconnect to ZNC again. This time, instead of sending "user:pass" as the server password, I use "user:". Thanks to the SSL client certificate, I can now successfully login with an empty password!
Now I reconnect to ZNC again. This time, instead of sending "user/network:password" as the server password, I use "user/network:". Thanks to the SSL client certificate, I can now successfully login without my password!
 
Ensure you are logging in over TLS so that your certificate actually gets sent.
 
== Webadmin Login ==
You can use the certificate authentication to login via [[Webadmin]] too.
 
To do it you have to import your certificate in your web browser in PKCS#12 format.
 
To continue, you should have:
* successfully created an ''user.pem'' certificate following the steps from [[Cert#Generating_a_certificate|ZNC's Cert page]]
* saved your key fingerprint with <code>/msg *certauth add</code> command
 
The next step is to convert the format from ''PEM'' to ''PKCS#12''
<pre>openssl pkcs12 -export -in user.pem -out user.pkcs12.pfx</pre>
You will be asked for a password. It is related to the ''PKCS#12'' certificate, because it has the private key in itself.
 
Open your browser and navigate to the certificates's page:
* ''Mozilla Firefox'': about:preferences#privacy > ''Certificates'' > ''View Certificates''
* ''Chrome/Chromium'': chrome://settings/certificates
Choose ''Your Certificates'' tab and import your ''user.pkcs12.pfx'' file; insert the password setted in the previous step when requested.
 
Visit your personal [[Webadmin]] page and choose your certificate when prompted.
 
Fill the username field only and login.
 
'''''note: some user could encounter some issue to login via certificate due to random settings/old caching/etc; try to use your ZNC's Hostname:port instead of YourNickname during the certificate creation: change the argument "/CN=YourNickname" to "/CN=znc.example.com:6697". Thanks to <CryptoSiD> on Freenode for the tip'''''
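Review bot: In the new Webadmin Login section, the sentence after the openssl pkcs12 command ("It is related to the PKCS#12 certificate, because it has the private key in itself") does not say what the password is for. State that it is the export password protecting the .pfx file, which bundles the private key with the certificate, and that it is the same password the browser asks for on import. The closing note's "random settings/old caching/etc" would also help readers more if it named the symptom that changing the CN fixes.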

Latest revision as of 10:08, 3 September 2020


This module lets users log in to ZNC using SSL client keys (CertFP).

Usage

Arguments

This global module takes no arguments.

Read loading modules to learn more about loading modules.

After loading this module, you have to reconnect to ZNC. You can then save your key fingerprint with /msg *certauth add. From now on you can log in to ZNC with any password, but it cannot be blank. For example, you can send "user@identifier/network:" as the server password.

Example

After loading certauth and following the steps from ZNC's Cert page to generate an SSL certificate, I connect to ZNC with my SSL client certificate:

/msg *certauth help
<*certauth> Commands: show, list, add, del [no]
/msg *certauth show
<*certauth> Your current public key is: 4da806d1fc3e8e24015e3764e8e4264e188d62aa
/msg *certauth list
<*certauth> No keys set for your user
/msg *certauth add
<*certauth> Added your current public key to the list
/msg *certauth list
<*certauth> +----+------------------------------------------+
<*certauth> | Id | Key                                      |
<*certauth> +----+------------------------------------------+
<*certauth> | 1  | 4da806d1fc3e8e24015e3764e8e4264e188d62aa |
<*certauth> +----+------------------------------------------+

Now I reconnect to ZNC. This time, instead of sending "user/network:password" as the server password, I use "user/network:". Thanks to the SSL client certificate, I can now successfully log in without my password!

Ensure you are logging in over TLS so that your certificate actually gets sent.

Webadmin Login

You can also use certificate authentication to log in via Webadmin.

To do so, you have to import your certificate into your web browser in PKCS#12 format.

To continue, you should have:

  • successfully created a user.pem certificate following the steps from ZNC's Cert page
  • saved your key fingerprint with the /msg *certauth add command

The next step is to convert the certificate from PEM to PKCS#12:

openssl pkcs12 -export -in user.pem -out user.pkcs12.pfx

You will be asked for a password. It protects the PKCS#12 file, because that file contains the private key.

Open your browser and navigate to the certificates page:

  • Mozilla Firefox: about:preferences#privacy > Certificates > View Certificates
  • Chrome/Chromium: chrome://settings/certificates

Choose the Your Certificates tab and import your user.pkcs12.pfx file; enter the password set in the previous step when requested.

Visit your personal Webadmin page and choose your certificate when prompted.

Fill in only the username field and log in.

Note: some users may have trouble logging in with the certificate due to random settings, old caching, etc. If so, try using your ZNC's hostname:port instead of YourNickname when creating the certificate: change the argument "/CN=YourNickname" to "/CN=znc.example.com:6697". Thanks to <CryptoSiD> on Freenode for the tip.
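
As an added example (not part of the original wiki page or of ZNC), the script below runs the PEM to PKCS#12 conversion from the Webadmin steps non-interactively, then checks that the bundle holds the same certificate and cannot be read with a wrong password. The throwaway certificate, the passwords and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: export a PEM client certificate to PKCS#12 and verify the result.
# A throwaway self-signed certificate (constructed here) stands in for user.pem.

fp() {  # SHA-256 fingerprint of the certificate read from stdin
    openssl x509 -noout -fingerprint -sha256
}

export_and_verify() {
    pem=$1; pfx=$2; pass=$3
    # Same command as on the page, with -passout so it runs without a prompt.
    # On a shared machine let openssl prompt instead: command-line arguments
    # are visible to other local users in the process list.
    openssl pkcs12 -export -in "$pem" -out "$pfx" -passout "pass:$pass" || return 1
    want=$(fp < "$pem") || return 1
    got=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys 2>/dev/null | fp) || return 1
    # The bundle must contain exactly the certificate we started from.
    [ -n "$want" ] && [ "$want" = "$got" ]
}

wrong_password_rejected() {
    # Succeeds only if opening the bundle with the given (wrong) password fails.
    ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys >/dev/null 2>&1
}

demo() {
    umask 077                      # key material readable by the owner only
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=YourNickname" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null \
        || { rm -rf "$dir"; return 1; }
    # user.pem as the procedure expects it: private key plus certificate.
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/user.pem"
    export_and_verify "$dir/user.pem" "$dir/user.pkcs12.pfx" "constructed-pass" \
        && wrong_password_rejected "$dir/user.pkcs12.pfx" "not-the-pass"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "PKCS#12 bundle matches the PEM certificate and is password-protected"
```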