
Sasl: Difference between revisions

From ZNC
Mkaysi
m Add link to SASL v3.1
m added chatlounge as an example network which supports SASL
(10 intermediate revisions by 4 users not shown)

Diff of the two revisions (- older revision, + newer revision; unchanged lines are unmarked):

Line 1:
- {{Core Module}}
+ {{Core Module | version = 1.0}}
  
- The SASL module allows you to authenticate to an IRC network via [http://ircv3.net/specs/extensions/sasl-3.1.html|SASL].
+ The '''SASL''' module allows you to authenticate to an IRC network via [http://ircv3.net/specs/extensions/sasl-3.1.html SASL]. This is preferable to using [[perform]] or [[nickserv]] because you can auth to services ''before'' you are even visible on the server.
  
- This module can be used with the [[cert]] module to support the EXTERNAL SASL mechanism. You can do this by setting up a certificate with [[cert]] and then setting the module to use the EXTERNAL mechanism. `/msg *sasl mechanism external`.
+ This module supports the ''EXTERNAL'' SASL mechanism if you set up a certificate with the [[cert]] module. Once cert is properly enabled and setup, you can set the SASL module to use the ''EXTERNAL'' mechanism.
  
  ===Commands===
- <pre>
- < *sasl> +=============+===================+===================================================+
- < *sasl> | Command     | Arguments         | Description                                       |
- < *sasl> +=============+===================+===================================================+
- < *sasl> | Help        | search            | Generate this output                              |
- < *sasl> +-------------+-------------------+---------------------------------------------------+
- < *sasl> | Mechanism   | [mechanism[ ...]] | Set the mechanisms to be attempted (in order)     |
- < *sasl> +-------------+-------------------+---------------------------------------------------+
- < *sasl> | RequireAuth | [yes|no]          | Don't connect if SASL cannot be authenticated     |
- < *sasl> +-------------+-------------------+---------------------------------------------------+
- < *sasl> | Set         | username password | Set username and password for the PLAIN mechanism |
- < *sasl> +=============+===================+===================================================+
- < *sasl> The following mechanisms are available:
- < *sasl> +===========+==============================================================================+
- < *sasl> | Mechanism | Description                                                                  |
- < *sasl> +===========+==============================================================================+
- < *sasl> | EXTERNAL  | TLS certificate, for use with the *cert module                               |
- < *sasl> +-----------+------------------------------------------------------------------------------+
- < *sasl> | PLAIN     | Plain text negotiation, this should work always if the network supports SASL |
- < *sasl> +===========+==============================================================================+
- </pre>
+ ; <code>/msg *sasl Help [<search term>]</code>
+ : Generate this help output, optionally search for word/phrase in this output.
+ ; <code>/msg *sasl Mechanism [mechanism[ ...]]</code>
+ : Set the mechanisms to be attempted (in order). The following mechanisms are available:
+ :* <code>EXTERNAL</code>
+ :*: TLS certificate, for use with the *[[cert]] module. [[Cert]] must be setup, and the network must [[#Support for SASL|support this mechanism]].
+ :* <code>PLAIN</code>
+ :*: Plain text negotiation; this should always work if the network supports SASL
+ ; <code>/msg *sasl RequireAuth [yes|no]</code>
+ : Don't connect unless SASL authentication succeeds
+ ; <code>/msg *sasl Set <username> [<password>]</code>
+ : Set username and password for the mechanisms that need them.
+ : The username should match the NickServ accountname you wish to log into.  This is a mandatory argument (things wrapped in <code><></code>).
+ : The password should match the NickServ password associated with the accountname, and is case-sensitive.  This is an optional argument (things wrapped in <code>[]</code>).
  
- ===Example===
+ === Example ===
- Basic configuration of the *sasl module. Note that SASL won't be used until you reconnect to the server.
+ Basic configuration of the *sasl module. First, be sure the SASL module is loaded:
  
-   /query *status
-   <you> loadmod sasl
+   '''/query *status'''
+   '''loadmod sasl'''
    <*status> Loaded module [sasl] [/home/znc/.local/lib/znc/sasl.so]
-   /query *sasl
-   <you> mechanism plain
-   <*sasl> Current mechanisms set: PLAIN
-   <you>  set MyUsername pa$$w0rd
-   <*sasl> Username has been set to [MyUsername]
+ 
+ Configure the module:
+ 
+   '''/query *sasl'''
+   '''mechanism external plain'''
+   <*sasl> Current mechanisms set: EXTERNAL PLAIN
+   '''set MyNickservName pa$$w0rd'''
+   <*sasl> Username has been set to [MyNickservName]
    <*sasl> Password has been set to [pa$$w0rd]
  
- '''Note:''' The password is saved unencrypted, so don't make your ZNC data directory readable to other users!
- '''Note:''' The password is transmitted to IRC server in plain text if you don't use SSL.
+ SASL won't be used until you reconnect to the server:
+ 
+ '''/query *status'''
+ '''jump'''
+ <*status> Jumping to the next server in the list...
  
- Nowadays most of networks support either SASL PLAIN or EXTERNAL. DH-BLOWFISH and DH-AES support were removed due to people believing them to be more secure than SASL PLAIN + SSL which is not the case.
+ ; Please note:
+ * The password is saved unencrypted, so don't make your ZNC data directory readable to other users! If you are using [[Providers|a ZNC bouncer provided by someone else]], be sure you trust them with your password.
+ * If you don't use SSL, the password is transmitted to the IRC server in plain text. There's no problem with sending an unencrypted password inside an SSL secured connection, so if you're using SSL you probably don't need to bother worrying about anything other than the PLAIN mechanism.
+ : Nowadays, most networks support either SASL ''PLAIN'' or ''EXTERNAL''. ''DH-BLOWFISH'' and ''DH-AES'' support were removed due to people believing them to be more secure than SASL ''PLAIN'' + SSL, which is not the case. If you use SASL ''PLAIN'' with an SSL connection, you'll be fine.
  
- Many networks support SASL including:
+ === Support for SASL ===
+ 
+ Many networks support SASL, including:
- * Athemenet <!-- Atheme, Charybdis etc. network -->
- * ChatSpike <!-- InspIRCd network -->
+ * ChatSpike
  * EsperNet
  * Freenode
- * PirateIRC <!-- Pirate Parties International -->
- * Snoonet <!-- Reddit like network -->
+ * PirateIRC
+ * Rizon
+ * Snoonet
+ * ChatLounge
  
  <small>''A network not listed here '''may or may not''' support SASL.''</small>

Revision as of 15:56, 2 November 2018


The SASL module allows you to authenticate to an IRC network via SASL. This is preferable to using perform or nickserv because SASL runs during connection registration (inside the CAP negotiation, before NICK/USER take effect), so you are logged in to services before you are even visible on the server.

This module supports the EXTERNAL SASL mechanism if you set up a certificate with the cert module. Once cert is properly enabled and set up, you can set the SASL module to use the EXTERNAL mechanism.


Commands

/msg *sasl Help [<search term>]
Generate this help output, optionally search for word/phrase in this output.
/msg *sasl Mechanism [mechanism[ ...]]
Set the mechanisms to be attempted (in order). The following mechanisms are available:
  • EXTERNAL
    TLS certificate, for use with the *cert module. Cert must be set up, and the network must support this mechanism.
  • PLAIN
    Plain text negotiation; this should always work if the network supports SASL.
/msg *sasl RequireAuth [yes|no]
Don't connect unless SASL authentication succeeds
/msg *sasl Set <username> [<password>]
Set username and password for the mechanisms that need them.
The username should match the NickServ accountname you wish to log into. This is a mandatory argument (things wrapped in <>).
The password should match the NickServ password associated with the accountname, and is case-sensitive. This is an optional argument (things wrapped in []).

Example

Basic configuration of the *sasl module. First, be sure the SASL module is loaded:

/query *status
loadmod sasl
<*status> Loaded module [sasl] [/home/znc/.local/lib/znc/sasl.so]

Configure the module:

/query *sasl
mechanism external plain
<*sasl> Current mechanisms set: EXTERNAL PLAIN
set MyNickservName pa$$w0rd
<*sasl> Username has been set to [MyNickservName]
<*sasl> Password has been set to [pa$$w0rd]

SASL won't be used until you reconnect to the server:

/query *status
jump
<*status> Jumping to the next server in the list...
Please note
  • The password is saved unencrypted, so don't make your ZNC data directory readable to other users! If you are using a ZNC bouncer provided by someone else, be sure you trust them with your password.
  • If you don't use SSL, the password is transmitted to the IRC server in plain text: PLAIN only base64-encodes it, which anyone who can see the traffic can reverse. Inside an SSL connection the password is protected by the transport, provided ZNC actually verifies the server's certificate rather than accepting any certificate; with that in place, the PLAIN mechanism is all you need.
Nowadays, most networks support either SASL PLAIN or EXTERNAL. DH-BLOWFISH and DH-AES support were removed because people believed them to be more secure than SASL PLAIN + SSL, which is not the case: they encrypted only the password, using an unauthenticated Diffie-Hellman exchange that cannot detect a man-in-the-middle server, and left the rest of the session in the clear. If you use SASL PLAIN with an SSL connection, you'll be fine.
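The handshake described above, as an added example that is not ZNC's code and not taken from this page: a Python model of the IRCv3 SASL 3.1 exchange between a client behaving like the *sasl module and a constructed in-memory server. It shows why authentication completes before NICK/USER take effect, what a PLAIN payload actually is (base64 of NUL-separated fields, so only TLS hides the password), how the Mechanism order and RequireAuth settings behave when a mechanism is refused or fails, and the 400-byte AUTHENTICATE chunking rule. The account name, password, nick and the certificate fingerprint ab:cd are constructed data; FakeServer, sasl_login and the other names are this example's own, not a ZNC API.

```python
"""Added example (not ZNC code, not from the wiki): a self-contained model of the IRCv3
SASL 3.1 handshake during IRC registration. Server, accounts and fingerprint are constructed."""
import base64
from typing import Dict, List, Optional, Tuple

B64_CHUNK = 400  # IRCv3: one AUTHENTICATE line carries at most 400 bytes of base64


def plain_payload(authcid: str, passwd: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL passwd). Base64 is encoding,
    not encryption: without TLS the password is readable on the wire."""
    return base64.b64encode("\0".join((authzid, authcid, passwd)).encode()).decode()


def chunk_payload(payload: str) -> List[str]:
    """400-byte AUTHENTICATE lines; an empty or exact-multiple payload ends with a bare '+'."""
    chunks = [payload[i:i + B64_CHUNK] for i in range(0, len(payload), B64_CHUNK)]
    if not chunks or len(chunks[-1]) == B64_CHUNK:
        chunks.append("+")
    return chunks


class FakeServer:
    """Constructed IRC server: offered mechanisms, accounts (name -> password),
    TLS client-certificate fingerprints (fingerprint -> account)."""

    def __init__(self, mechs: List[str], accounts: Dict[str, str], certs: Dict[str, str]):
        self.mechs, self.accounts, self.certs = mechs, accounts, certs
        self.pending: Optional[str] = None  # mechanism waiting for client data
        self.buffer: List[str] = []         # base64 chunks received so far
        self.registered = False             # set only at CAP END
        self.account: Optional[str] = None

    def handle(self, line: str, client_cert_fp: Optional[str]) -> List[str]:
        if line.startswith("CAP LS"):
            return ["CAP * LS :sasl=" + ",".join(self.mechs)]
        if line == "CAP REQ :sasl":
            return ["CAP * ACK :sasl"]
        if line.startswith("AUTHENTICATE "):
            arg = line.split(" ", 1)[1]
            if self.pending is None:  # client is choosing a mechanism
                if arg not in self.mechs:
                    return ["908 * " + ",".join(self.mechs) + " :are available SASL mechanisms",
                            "904 * :SASL authentication failed"]
                self.pending, self.buffer = arg, []
                return ["AUTHENTICATE +"]
            if arg != "+":
                self.buffer.append(arg)
                if len(arg) == B64_CHUNK:
                    return []  # full chunk: more data, or a lone '+', follows
            return self._finish(client_cert_fp)
        if line == "CAP END":
            self.registered = True  # NICK/USER take effect only now
            return ["001 nick :Welcome"]
        return []  # NICK/USER are held while CAP negotiation is open

    def _finish(self, cert_fp: Optional[str]) -> List[str]:
        mech, data, self.pending = self.pending, "".join(self.buffer), None
        account = None
        if mech == "PLAIN" and data:
            _, authcid, passwd = base64.b64decode(data).decode().split("\0", 2)
            if self.accounts.get(authcid) == passwd:
                account = authcid
        elif mech == "EXTERNAL" and cert_fp in self.certs:
            account = self.certs[cert_fp]  # identity comes from the TLS client cert
        if account is None:
            return ["904 * :SASL authentication failed"]
        self.account = account
        return ["900 * *!*@* %s :You are now logged in as %s" % (account, account),
                "903 * :SASL authentication successful"]


def sasl_login(server: FakeServer, mechanisms: List[str], username: str, password: str,
               cert_fp: Optional[str] = None, require_auth: bool = False) -> Tuple[Optional[str], List[str]]:
    """Client side, mirroring the *sasl settings: try mechanisms in order, fall back when
    one is refused or fails; with RequireAuth, quit rather than register unauthenticated."""
    log: List[str] = []

    def send(line: str) -> List[str]:
        log.append(">> " + line)
        replies = server.handle(line, cert_fp)
        log.extend("<< " + r for r in replies)
        return replies

    send("CAP LS 302")
    send("NICK mynick")  # buffered by the server until CAP END
    send("CAP REQ :sasl")
    used = None
    for mech in mechanisms:
        if "AUTHENTICATE +" not in send("AUTHENTICATE " + mech):
            continue  # 908/904: the server does not offer this mechanism
        payload = plain_payload(username, password) if mech == "PLAIN" else ""
        for chunk in chunk_payload(payload):  # EXTERNAL sends just '+'
            replies = send("AUTHENTICATE " + chunk)
        if any(r.startswith("903") for r in replies):
            used = mech
            break
    if used is None and require_auth:
        send("QUIT :SASL authentication failed")  # never becomes visible on the network
        return None, log
    send("CAP END")
    return used, log
```

Calling sasl_login with mechanisms ["EXTERNAL", "PLAIN"] against a server that offers only PLAIN reproduces the "mechanism external plain" configuration above: the log shows EXTERNAL refused with 908/904, the client falling back to PLAIN, 903, and only then CAP END. The same call with require_auth=True and a wrong password ends in QUIT with registered still False, which is what RequireAuth yes buys you.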

Support for SASL

Many networks support SASL, including:

  • ChatSpike
  • EsperNet
  • Freenode
  • PirateIRC
  • Rizon
  • Snoonet
  • ChatLounge

A network not listed here may or may not support SASL. You can check directly: a server that supports it lists sasl in its reply to CAP LS 302, and newer servers append the mechanisms they offer, for example sasl=PLAIN,EXTERNAL.