allowing oper::from::userhost from a /vhost

These are old archives. They are kept for historic purposes only.
[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

allowing oper::from::userhost from a /vhost

Post by [UnDeRTaKeR] » Mon Jan 23, 2006 11:30 pm

is an idea, allowing the oper::from::userhost being a fake hostname,
previously logged in with /vhost login passwd
can be troublesome or hard to implement?
I know bugs.unrealircd.com is the site for suggestion/requests,
but happens I dont have access now...
(local network problems)

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Tue Jan 24, 2006 10:14 pm

Why do you want this?
Why the hell can't my signature be empty?
"Your message contains too few characters."

[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

Post by [UnDeRTaKeR] » Wed Jan 25, 2006 6:02 am

I would use it to give each oper a unique userhost for the login,
and given the hypothetic case the password is leaked it would be an
extra measure for the security and stability of the server.
Not always the opers on a network are the only ones under a hostname,
then is important to have strong passwords, but accidents can happen,
and if an oper let see unconsciously the passwd, then we have a problem,

its just a thought, but is harder to lose two passwords than one...

Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Post by Matridom » Wed Jan 25, 2006 1:53 pm

if you wanted to make things complicated, you could..

Set up a second IRCD on the same system and have it listen on a different port. (yes this is possible)

Then link the second server to the first.

The second server would be the only one with oper blocks, you can then do several things.

1 hide the server your connecting to (everyone else see's a hostname for the server)
2 hide the port that is needed to connect
3 Password protect the port so that opers have to provide a password to connect

I think this is overkill however, cause with unreal, you can restrict the stats command and prevent people from finding out the username of the oper(you are now back to needing 2 pieces of ID to get Oper). With other opers on the network, they can see who opers to what block and can act as your final protection. Finally, the logs show who opered to what block.

So if your diligent, you and your team can spot an oper block that got compromised very quickly.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.

[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

Post by [UnDeRTaKeR] » Wed Jan 25, 2006 8:42 pm

matridom:
I could do that the day my server is only running an ircd, is true that things
could be more complicated,
altough my opers are reliable to me they can make mistakes,
Im giving it a try to anything that could make harder the possibility to
break an user/passwd,
;)

sdamon
Posts: 46
Joined: Tue Jun 07, 2005 7:28 am

Re: allowing oper::from::userhost from a /vhost

Post by sdamon » Mon Jan 30, 2006 11:12 am

[UnDeRTaKeR] wrote:is an idea, allowing the oper::from::userhost being a fake hostname,
previously logged in with /vhost login passwd
can be troublesome or hard to implement?
I know bugs.unrealircd.com is the site for suggestion/requests,
but happens I dont have access now...
(local network problems)
*Crack*

Ok...there is like SO no point in that. Both vhost and oper use REAL hosts for authentication..for a reason! If you realy want to be lazy, put that persons oper and vhost blocks next to eachother, and copy/paste whenever there is a change made.

i mean your security proposal is proposterious. there are 2 ways to get an opers password. 1) get it from the oper. in which case, they PROBOBLY already got the vhost password too. and 2) get it from the config file, in which case...they get the vhost password too!

Encrypt your oper passwords. that clears up the security hole on the shell's end. only oper users you trust. that fixes the other.


OH...and there is a third way to get an oper password. sniffing. haveyour opers use SSL. there is no reason someone CANT run ssl.

[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

Post by [UnDeRTaKeR] » Mon Jan 30, 2006 8:10 pm

sdamon:
forget getting the passwd from the conf, thats not in the plate,
they are encrypted, and the shortest one is 16 char length...

the point WAS having TWO different passwd...so if an oper f*** up and
let go the passwd, it would be useless for those who could see it 'cause
they dont have the vhost...
yeah yeah, what would you do when REAL HOSTS are the same for
everyone?
vhost passwd AND oper passwd...get it?
but since this post was a very particular request, nobody paid attention,
and its fine, is the way it should be!
anyhow Matridom came up with some good propositions...
not the usual "its all your fault" and "its an useless idea"

after I posted this I realize two things, unreal already provides good
security when you really care about it, and
that its unavoidable on a network structure like mine to have full security
or peace, even if I trust my opers and know they are prepared, the
possibility of they letting go the pass is REAL because human beings
can make mistakes...

I just keep in mind that "too much" in security terms is never enough...
especially around here, where everyone else have nothing better to do...
and where everyone is cuban...they are smart, but isnt compared to
how mofos they can be...everyone knowing everyone, hmm BAD THING.

Although right now I feel like I will always have action and fun here,
a good thing indeed,
a flawless network were everyone behave as good puppets could be
very boring.
Thanks for your time.

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Mon Jan 30, 2006 8:20 pm

If you're really worried, have your opers use SSL certificates - for opering. It's hard to just leak those on IRC unless their client's been trojaned. And if they do happen to accidentally blurt out an /oper command, well, without the cert it's useless (hint: when you use ssl certs, the password field in /oper is meaningless).

I believe there's a thread somewhere on these forums about that...

[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

Post by [UnDeRTaKeR] » Mon Jan 30, 2006 8:32 pm

aquanight:
seems good to me, Ill look for threads about it, I've never used it before so
Ill have to read some documentation and instruct my opers,
yeah, I got the thread, thanks for the advice ;)

JIVXor
Posts: 134
Joined: Fri Sep 09, 2005 10:53 pm
Location: Cuba

Post by JIVXor » Mon Jan 30, 2006 8:44 pm

In any way, cannot make that in cuban nets, since the only port that is open is the 443(Secure Socket Layer), we use that port for the clients, it would not be good idea to also use it for ssl clients, besides, cannot have two types of connections running for oneself port(correct me if I'm wrong).

You guys have to come to Cuba, so will see how is the structure of the nets, more restricted than any net of the world. If in some moment we show us repugnant, requesting impossible solutions, be patient, we don't make it for pleasure.

Greets from Cuba.

PD : Well seems that works, having the two connections for oneself port.

Code: Select all

 listen  *:443 
 { 
   options 
    { 
      clientsonly; 
      ssl; 
     }; 
 };
 
Anyway, I dont like this idea(opers[ssl] and clients for same port) :S

[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

Post by [UnDeRTaKeR] » Mon Jan 30, 2006 9:08 pm

WOW
I found a past century post, :P
there was even a similar idea to the one on this thread,
(passed unseen as well)
somehow if ssl cert for opering up is such a good idea, I think it would
be nice to have a A.C post explaining how to use it on unrealircd...
Ill keep looking on google ;)

sdamon
Posts: 46
Joined: Tue Jun 07, 2005 7:28 am

Post by sdamon » Mon Jan 30, 2006 10:11 pm

[UnDeRTaKeR] wrote:the point WAS having TWO different passwd...so if an oper f*** up and
let go the passwd, it would be useless for those who could see it 'cause
they dont have the vhost...
yeah yeah, what would you do when REAL HOSTS are the same for
everyone?
vhost passwd AND oper passwd...get it?
but since this post was a very particular request, nobody paid attention,
and its fine, is the way it should be!
anyhow Matridom came up with some good propositions...
not the usual "its all your fault" and "its an useless idea"
But opering is ALREADY a tripple secure system! You not aonly haveto be ON the host specified in the oper block you haveto know the oper username, Case sensitively, and the password..also case sensitive. Leaked passwords dont mean squat...and even if they do, noone can use them anyways, unless they are on the same subnet if not same host as the oper! Your best bet is change passwords often and DONT use the opers nick as his /oper login. This is again, the MOST useless suggestion....for anything...EVER

[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

Post by [UnDeRTaKeR] » Mon Jan 30, 2006 10:21 pm

sdamon wrote:This is again, the MOST useless suggestion....for anything...EVER
wow, very helpful!
happens like I said before, I wasnt the only one with this idea,
and also happens, if that quoted statement is true, that your post is
the MOST useless post....for anything...EVER
its just math, get it?
this forums isnt about ever posting useful things or not, you came and
post here looking for help, and its just what they supporters do..help

for more info, READ the aquanight post...

for better comprehension read yourself...

or you could take a look at my avatar as well...

sdamon
Posts: 46
Joined: Tue Jun 07, 2005 7:28 am

Post by sdamon » Mon Jan 30, 2006 10:50 pm

Did you even bother reading the documentation? you MUST have inorder to encrypt your passwords. adding ANOTHER layer of false security is REALY pointless... And useless. Its realy simple. Opers connect via ssl, use encrypted passwords, and use stric hosts, NOT *@*.

and as this is a SUGGESTION, yeah...it hasto be USEFULL. so again, its a uselss suggestion, and you are a useless user.

[UnDeRTaKeR]
Posts: 84
Joined: Mon Nov 21, 2005 6:15 am
Location: Cuba

Post by [UnDeRTaKeR] » Mon Jan 30, 2006 11:03 pm

Ill not double post, just re read my last one,
is very close now this of being locked...it wont be here forever for
this use...
this post was solved already, and even so u keep it with the same...

with childish ofenses you will go far... ver far...

de la clase pata en el culo q doy si te cojo...

so, you keep looking at the avatar,

supporters:
please if someone can do a post explaining the ssl use in unreal,
that could be just fine, having some actual info...

Locked