
Sasl: Difference between revisions

From ZNC
>Mkaysi
Add very easy to follow example.
>Mkaysi
Update the page for 1.6
Line 6: Line 6:


===Commands===
===Commands===
 
<pre>
<*sasl> +-------------+-------------------+-----------------------------------------------+
< *sasl> +=============+===================+===================================================+
<*sasl> | Command    | Arguments        | Description                                  |
< *sasl> | Command    | Arguments        | Description                                      |
<*sasl> +-------------+-------------------+-----------------------------------------------+
< *sasl> +=============+===================+===================================================+
<*sasl> | Help        | search            | Generate this output                          |
< *sasl> | Help        | search            | Generate this output                              |
<*sasl> | Mechanism  | [mechanism[ ...]] | Set the mechanisms to be attempted (in order) |
< *sasl> +-------------+-------------------+---------------------------------------------------+
<*sasl> | RequireAuth | [yes|no]          | Don't connect if SASL cannot be authenticated |
< *sasl> | Mechanism  | [mechanism[ ...]] | Set the mechanisms to be attempted (in order)    |
<*sasl> | Set        | username password | Set the password for DH-BLOWFISH/DH-AES/PLAIN |
< *sasl> +-------------+-------------------+---------------------------------------------------+
<*sasl> +-------------+-------------------+-----------------------------------------------+
< *sasl> | RequireAuth | [yes|no]          | Don't connect if SASL cannot be authenticated     |
<*sasl> The following mechanisms are available:
< *sasl> +-------------+-------------------+---------------------------------------------------+
<*sasl> +-------------+----------------------------------------------------+
< *sasl> | Set        | username password | Set username and password for the PLAIN mechanism |
<*sasl> | Mechanism   | Description                                       |
< *sasl> +=============+===================+===================================================+
<*sasl> +-------------+----------------------------------------------------+
< *sasl> The following mechanisms are available:
<*sasl> | EXTERNAL   | TLS certificate, for use with the *cert module     |
< *sasl> +===========+==============================================================================+
<*sasl> | DH-BLOWFISH | Secure negotiation using the DH-BLOWFISH mechanism |
< *sasl> | Mechanism | Description                                                                 |
<*sasl> | DH-AES      | More secure negotiation using the DH-AES mechanism |
< *sasl> +===========+==============================================================================+
<*sasl> | PLAIN      | Plain text negotiation                            |
< *sasl> | EXTERNAL | TLS certificate, for use with the *cert module                               |
<*sasl> +-------------+----------------------------------------------------+
< *sasl> +-----------+------------------------------------------------------------------------------+
< *sasl> | PLAIN    | Plain text negotiation, this should work always if the network supports SASL |
< *sasl> +===========+==============================================================================+
</pre>


===Example===
===Example===
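
Review bot: in the mechanism table, the DH-BLOWFISH and DH-AES rows are dropped and the Set row is narrowed to "the PLAIN mechanism" with no sentence beside the Commands section saying why; the explanation only appears near the bottom of the page, so a short pointer directly under the table would help readers comparing against older output. The new PLAIN description ("this should work always if the network supports SASL") says nothing about transport, so the text under the table should repeat that PLAIN needs SSL to keep the password from crossing the network in plain text. Style: the pasted output now uses `< *sasl>` with a space while the Example section still shows `<*sasl>`; pick one form for the whole page.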

Revision as of 16:45, 13 February 2015


The SASL module allows you to authenticate to an IRC network via SASL.

This module can be used with the cert module to support the EXTERNAL SASL mechanism. To do this, set up a certificate with cert and then set the module to use the EXTERNAL mechanism: `/msg *sasl mechanism external`.

Commands

< *sasl> +=============+===================+===================================================+
< *sasl> | Command     | Arguments         | Description                                       |
< *sasl> +=============+===================+===================================================+
< *sasl> | Help        | search            | Generate this output                              |
< *sasl> +-------------+-------------------+---------------------------------------------------+
< *sasl> | Mechanism   | [mechanism[ ...]] | Set the mechanisms to be attempted (in order)     |
< *sasl> +-------------+-------------------+---------------------------------------------------+
< *sasl> | RequireAuth | [yes|no]          | Don't connect if SASL cannot be authenticated     |
< *sasl> +-------------+-------------------+---------------------------------------------------+
< *sasl> | Set         | username password | Set username and password for the PLAIN mechanism |
< *sasl> +=============+===================+===================================================+
< *sasl> The following mechanisms are available:
< *sasl> +===========+==============================================================================+
< *sasl> | Mechanism | Description                                                                  |
< *sasl> +===========+==============================================================================+
< *sasl> | EXTERNAL  | TLS certificate, for use with the *cert module                               |
< *sasl> +-----------+------------------------------------------------------------------------------+
< *sasl> | PLAIN     | Plain text negotiation, this should work always if the network supports SASL |
< *sasl> +===========+==============================================================================+

Example

Basic configuration of the *sasl module. Note that SASL won't be used until you reconnect to the server.

/query *status
<you> loadmod sasl
<*status> Loaded module [sasl] [/home/znc/.local/lib/znc/sasl.so]
/query *sasl
<you> mechanism plain
<*sasl> Current mechanisms set: PLAIN
<you>  set MyUsername pa$$w0rd
<*sasl> Username has been set to [MyUsername]
<*sasl> Password has been set to [pa$$w0rd]

Note: The password is saved unencrypted, so don't make your ZNC data directory readable to other users!

Note: The password is transmitted to the IRC server in plain text if you don't use SSL.
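
Why the plain-text note matters, as an added example that is not part of the ZNC wiki or the module's code: SASL PLAIN (RFC 4616, carried in IRC's `AUTHENTICATE` command) only base64-encodes the credentials, so the line is reversible by the server and by anything else that can read an unencrypted connection. The function names are illustrative, and the sample credentials are the ones from the example above.

```python
import base64

CHUNK = 400  # IRCv3 SASL: the base64 payload is sent in pieces of at most 400 bytes


def plain_payload(username, password, authzid=""):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, then base64."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, username, password))
    return base64.b64encode(raw).decode("ascii")


def authenticate_lines(payload):
    """Split the base64 payload into the AUTHENTICATE lines a client sends."""
    lines = [f"AUTHENTICATE {payload[i:i + CHUNK]}"
             for i in range(0, len(payload), CHUNK)]
    # An empty payload, or a final piece of exactly 400 bytes, is followed by
    # a lone "+" so the server knows the message is complete.
    if not payload or len(payload) % CHUNK == 0:
        lines.append("AUTHENTICATE +")
    return lines


def decode_plain_lines(lines):
    """Reverse the encoding, as the server does. No key is involved, so the
    same step works for any party that can read the connection without SSL."""
    b64 = "".join(l.split(" ", 1)[1] for l in lines if l != "AUTHENTICATE +")
    _authzid, username, password = base64.b64decode(b64).split(b"\0", 2)
    return username.decode("utf-8"), password.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: the credentials used in the *sasl example above.
    sent = authenticate_lines(plain_payload("MyUsername", "pa$$w0rd"))
    print(sent)
    print(decode_plain_lines(sent))
```

With SSL enabled on the server connection the same lines travel inside the encrypted channel, which is why PLAIN is treated as acceptable only in that configuration.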

Nowadays most networks support either SASL PLAIN or EXTERNAL. Support for DH-BLOWFISH and DH-AES was removed because people believed them to be more secure than SASL PLAIN + SSL, which is not the case.

Many networks support SASL including:

  • Athemenet
  • ChatSpike
  • EsperNet
  • Freenode
  • PirateIRC
  • Snoonet