Page 1 of 1

UnrealIRCd 4.2.1(.1) released

Posted: Thu Dec 27, 2018 8:17 am
by Syzop
Hi everyone,

UnrealIRCd 4.2.1 (stable) is now available for download. This version enhances support for authentication. Also new is a module to combat mixed UTF8 character spam, a rewrite of the operclass privileges and more secure password hashing.

UPDATE: The release fixes a compile problem on Debian. If you are already running 4.2.1 then there is no reason to upgrade. Similarly, the Windows version is unchanged as well and still 4.2.1.

If you missed the 4.2.0 release, then consider looking at the previous release announcement as well.

NOTE: There will be no further 4.0.x releases. Current stable is 4.2.x. For more information, see the FAQ item: Questions about the new 4.2.x series

Changes between version 4.2.0 and 4.2.1:

  • Support for authentication prompt:
    Since 4.2.0 you can require specific users to authenticate themselves with their nickname and password via SASL. We now offer a new experimental module called 'authprompt' which will help non-SASL users by showing a notice and asking them to authenticate to their account via /AUTH <user>:<pass>. See the new authentication article on the wiki for an overview and set::authentication-prompt for specific information on the module.
  • New optional module 'antimixedutf8' to combat mixed UTF8 character spam (also called freenode spam) that has been plaguing networks. See the set::antimixedutf8 documentation for more information.
  • Support for Argon2 password hashing, which is more resilient against brute force cracking (/mkpasswd argon2 passwd)
  • Indicate 's' in WHO reply flags if the user is secure (SSL/TLS).
Configuration changes:
  • The require sasl { } block is now called require authentication { }
  • The operclass privileges have been redone.
    There were too many changes to list them here. If, like 99% of the users, you use default operclasses such as "globop" and "admin-with-override" then you don't need to do anything.
    However, if you have custom operclass { } blocks then the privileges will have to be redone. See here for more information on the conversion process.
    See also the new list of permissions, with much better naming and grouping.
  • In the configuration file you can now use } instead of };
    Both forms are accepted. There's no need to change if you don't like it.
  • A /* comment in the configuration file is now terminated at the first occurrence of */, instead of two /* /* requiring two */ */.
    Most people will be unaffected. But if you are, see the FAQ: nesting comments for more information.
Major issues fixed Minor issues fixed
  • By default a user shouldn't be allowed to change to a banned nick, unless (s)he has +hoaq in the channel. This was broken since 4.0.0.
    This feature can be disabled via set { check-target-nick-bans no; };
  • Rehash error messages sent to opers regarding remote includes now no longer include authentication information (replaced with ***:***).
  • The authentication types 'md5', 'sha1' and 'ripemd160' have been deprecated because they can be cracked at high speeds. They still work, but a warning will be shown on boot and on rehash.
    Please use the new 'argon2' type instead: Type /MKPASSWD argon2 passwd on IRC, or ./unrealircd mkpasswd argon2 on the command line to generate the password hash.
For module coders:
  • Priorities in command overrides were reversed (was added in 4.2.0).
Future versions (heads up):
  • We intend to change the default plaintext oper policy from warn to deny in the year 2019. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!
As always, you can download UnrealIRCd from