https://unrealircd.org/docs/Require_aut ... tion_block
https://unrealircd.org/docs/Set_block#s ... ion-prompt
https://unrealircd.org/docs/Set_block#s ... clientcert
The new authprompt module is indeed handy, but I just stumbled upon a few delicate details, and perhaps with some feedback some things can be enhanced, keeping a few situations/configurations in mind:
The point of using sasl/authprompt is to kinda close the server to all sorts of unwanted connections. However, for such security and privacy, certFP fail-if-no-clientcert is a much better option. Its downside is not being as simple to set up on the client side and not discriminating by connection origin such as *@*.tld, *@*, etc.
Given that sasl/authprompt is in a way less restrictive than certFP fail-if-no-clientcert, anyone who has a certFP fail-if-no-clientcert enabled server may want to allow sasl/authprompt connections, while keeping the server closed but more flexible to clients. However, both features are not compatible.
The moment a certFP fail-if-no-clientcert server is enabled, the use of sasl/authprompt makes things more complicated.
In other words, either use fail-if-no-clientcert or the authprompt feature.
Situation 3: My testing case
I connect using certFP while the server does not have fail-if-no-clientcert and allows and features sasl functionality, but the moment the server admin activates authprompt requirements for my ip, or in this case (127.0.0.1) localhost (since I ssh to boxes and connect locally to the ircd), or when I use TOR, the use of certFP becomes useless even though it is a much better security option.
In other words, don't use authprompt.
In the light of these situations, a few enhancements could be looked into:
Require authentication could now include fail-if-no-clientcert in similar fashion, allowing to specify the type of connection and/or origin, such as *@*.tld, *@*, etc, with the use of certFP and authprompt.
(This for example, could and should be applied by default to server admins/ircops)
Allowing fail-if-no-clientcert option to play with a mask <hostmask>; will make it much more versatile for fail-if-no-clientcert and even for clients of specific connectivity origin to be requested for a certFP.
Regardless of above proposed feature, should certFP client authentication be blocked if the server, although not having fail-if-no-clientcert enabled, decides to enable sasl/authprompt or should it allow certFP clients to bypass the sasl/authprompt auth since certFP is much more secure?
I do recognize that a spam attacker can simply make a cert for all bots and still connect, as well as it can make the same sasl login for all the bots, but then in the light of enhancements a related topic is below: I propose that if a client is using certFP for authentication, the server should allow the client to bypass the sasl/authprompt.
(Related: viewtopic.php?f=52&t=8745 & https://bugs.unrealircd.org/view.php?id=5002)
Right now there is an incompatibility between clients using certFP and servers using authprompt, while sasl should not override the use of certFP.
Ultimately in the evolutionary chain of things, sooner or later, authentication by certFP is not only the way to go but also the end goal. The use of sasl/authprompt intends only to mitigate some current issues that can be eliminated by other already default implemented methods.
Still a good feature but it should not supersede certFP possibilities and right now it should allow a certFP client to connect by default.
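
The policy proposed in the post above, modelled in Python as an added illustration; it is not UnrealIRCd code or configuration and is not from the original poster. The rule kinds, the `decide` function and the `known_fps` set (fingerprints already registered to an account) are assumptions, and all sample values are constructed. The model lets only a known fingerprint skip the prompt, since any client can generate a throwaway certificate.

```python
import re
from typing import NamedTuple, Optional

def mask_match(mask: str, userhost: str) -> bool:
    """IRC-style glob: '*' matches any run, '?' one character, case-insensitive."""
    pattern = re.escape(mask).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, userhost, re.IGNORECASE) is not None

class Client(NamedTuple):
    userhost: str                        # user@host as seen by the server
    cert_fp: Optional[str] = None        # TLS client certificate fingerprint, if any
    sasl_account: Optional[str] = None   # account name if SASL already succeeded

class Rule(NamedTuple):
    mask: str
    require: str   # "cert": hypothetical per-mask fail-if-no-clientcert
                   # "auth": require authentication (SASL or authprompt)

def decide(client: Client, rules, known_fps) -> str:
    """Return 'allow', 'prompt' or 'reject' using the first rule whose mask matches."""
    for rule in rules:
        if not mask_match(rule.mask, client.userhost):
            continue
        if rule.require == "cert":
            # Same semantics as fail-if-no-clientcert, but scoped to a mask:
            # no client certificate means the connection is refused.
            return "allow" if client.cert_fp else "reject"
        if rule.require == "auth":
            # Proposed bypass: a fingerprint tied to an account counts as
            # authentication. An unknown (throwaway) certificate does not.
            fp_known = client.cert_fp is not None and client.cert_fp in known_fps
            return "allow" if (client.sasl_account or fp_known) else "prompt"
    return "allow"   # no rule matched: open connection

# Constructed sample policy and fingerprint store.
RULES = [Rule("*@127.0.0.1", "auth"), Rule("*@*.tld", "cert")]
KNOWN_FPS = {"aa11"}

if __name__ == "__main__":
    for c in (Client("alice@127.0.0.1", cert_fp="aa11"),
              Client("bot@127.0.0.1", cert_fp="ff00"),
              Client("bob@127.0.0.1", sasl_account="bob"),
              Client("eve@host.tld")):
        print(c.userhost, c.cert_fp, "->", decide(c, RULES, KNOWN_FPS))
```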