[REQUEST] User CertFP logins

HeXiLeD
Posts: 40
Joined: Mon Jan 16, 2017 8:07 pm
Location: online


Post by HeXiLeD » Tue Jul 09, 2019 2:12 am

Much like Oper by SSL client certificate, some of us would like a module that allows user connections by client certificate FP.

The idea is very much the same as the functionality that exists for opers, but for regular users.

The module would make use of a configuration file that would then be loaded by unrealircd.conf, much like, let's say,
https://unrealircd.org/docs/Ban_version_block and could be called certfp_logins.conf

The ban version block allows you to ban a client based on the IRC client software they use.

But in this case it would allow or deny based on client certificate fingerprint.

By default this module could work with set::ssl::options::fail-if-no-clientcert
https://www.unrealircd.org/docs/Set_blo ... clientcert

The configurable block could be:

Code:

    user {
        nickname "mynick1";
        password "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98" { sslclientcertfp; };
        action "deny"; # valid options: allow, deny
        verify "no"; # options yes|no
        reason "You are not allowed to connect to this server without an approved client certFP";
    };
Notes:

All allowed users would have their nick+certFP specified in a file for the certFP block (certfp_logins.conf).
This file will obviously grow as the user count increases.
Once the module is loaded, the IRC admin is notified that it is active and directed to configure it.
Once loaded, the default will act in compliance with fail-if-no-clientcert, whether it is set or not, but once the config file gets one configured user, the policy would be deny, allow.

If the client does not have a cert fingerprint, the module should notify the client that it needs to connect with an SSL certificate and provide the server admin with a fingerprint.

If the client has a certificate fingerprint, then the module will act according to the module permissions and allow based on the previously added certFP.

This module should work in compliance with fail-if-no-clientcert, and in a certain way it could be an enhanced version of it.

Also note that the intention is not to make use of services for this operation.

Thoughts?
Constructive criticism leads to evolution and progress. Negative criticism leads to obsolescence. We are not in the '90s IRC world anymore.
CertFP: d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244
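The policy sketched in the request above, worked through as an added Go example. This is not code from the post and not UnrealIRCd's module API; the type CertFPEntry, the function names Fingerprint, NormalizeFP, Authorize and NewSelfSignedDER, and the two reason strings are assumptions made for the illustration. The program generates a throwaway self-signed certificate standing in for a client's TLS certificate, computes its SHA-256 fingerprint in the colon-separated uppercase form used in the user block, and then applies the rules from the notes: with no users configured it behaves like fail-if-no-clientcert alone; once at least one user is configured it denies by default, allows only a matching nick+certFP whose action is "allow", treats a matching "deny" entry as a blacklist, and tells a client without a certificate to come back with one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertFPEntry mirrors one "user { }" block of the proposed certfp_logins.conf.
// Hypothetical: this is the post's sketch, not an UnrealIRCd structure.
type CertFPEntry struct {
	Nick   string
	CertFP string // SHA-256 of the DER certificate, AA:BB:.. or bare hex
	Action string // "allow" or "deny"
}

type Decision struct {
	Allowed bool
	Reason  string
}

const noCertReason = "Connect with an SSL/TLS client certificate and give its fingerprint to the server admin"
const notApprovedReason = "You are not allowed to connect to this server without an approved client certFP"

// Fingerprint hashes the DER-encoded certificate with SHA-256 and formats it
// as colon-separated uppercase hex, the form used in the post's user block.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	pairs := make([]string, len(sum))
	for i, b := range sum {
		pairs[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(pairs, ":")
}

// NormalizeFP lets "E7:4D:.." and bare lowercase hex (the form in the
// signature line) compare equal.
func NormalizeFP(fp string) string {
	return strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(fp), ":", ""))
}

// Authorize applies the post's policy: no entries means fail-if-no-clientcert
// decides alone; one or more entries means deny by default and allow only a
// matching nick+certFP with action "allow" (a "deny" entry blacklists it).
func Authorize(entries []CertFPEntry, failIfNoClientCert bool, nick, clientFP string) Decision {
	if clientFP == "" {
		if len(entries) > 0 || failIfNoClientCert {
			return Decision{false, noCertReason}
		}
		return Decision{true, ""}
	}
	if len(entries) == 0 {
		return Decision{true, ""} // nothing configured yet, certificate present
	}
	want := NormalizeFP(clientFP)
	for _, e := range entries {
		if e.Nick == nick && NormalizeFP(e.CertFP) == want {
			if e.Action == "allow" {
				return Decision{true, ""}
			}
			return Decision{false, notApprovedReason}
		}
	}
	return Decision{false, notApprovedReason}
}

// NewSelfSignedDER builds a throwaway self-signed certificate standing in for
// the one an IRC client presents in the TLS handshake (constructed test data).
func NewSelfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := NewSelfSignedDER("mynick1")
	if err != nil {
		panic(err)
	}
	fp := Fingerprint(der)
	entries := []CertFPEntry{{Nick: "mynick1", CertFP: fp, Action: "allow"}}
	fmt.Println("client certFP:", fp)
	fmt.Println("mynick1 with its cert:", Authorize(entries, false, "mynick1", fp))
	fmt.Println("mynick1 without a cert:", Authorize(entries, false, "mynick1", ""))
}
```

Two points worth keeping in mind when reading this: the fingerprint is taken over the whole DER certificate, so a renewed or reissued client certificate is a new entry even if the key is unchanged, and the match is on nick and fingerprint together, so a stolen fingerprint value alone is useless without the private key that the TLS handshake proves possession of.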
