[REQUEST] User CertFP logins

HeXiLeD
Posts: 51
Joined: Mon Jan 16, 2017 8:07 pm
Location: online


Post by HeXiLeD »

Much like oper login by SSL client certificate, some of us would like a module that allows user connections by client certificate fingerprint (certFP).

The idea is very much the same as the functionality that exists for opers, but for regular users.

The module would make use of a configuration file that would then be loaded by unrealircd.conf, much like, let's say:
https://unrealircd.org/docs/Ban_version_block and it could be called certfp_logins.conf

The ban version block allows you to ban a client based on the IRC client software they use.

But in this case it would allow or deny based on client certificate fingerprint.

By default this module could work with set::ssl::options::fail-if-no-clientcert
https://www.unrealircd.org/docs/Set_blo ... clientcert

The configurable block could be:

    user {
        nickname "mynick1";
        # the fingerprint is matched against the client's TLS certificate, as in the oper block
        password "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98" { sslclientcertfp; };
        action "deny"; # valid options: allow, deny
        verify "no"; # options: yes|no
        reason "You are not allowed to connect to this server without an approved client certFP";
    };

Notes:

All allowed users would have their nick+certFP specified in a file for the certFP block. (certfp_logins.conf)
This file will obviously grow as the user count increases.
Once the module is loaded, the IRC admin is notified that it is active and directed to configure it.
Once loaded, the default will act in compliance with fail-if-no-clientcert, whether it is set or not, but once the config file has one configured user, the policy would be deny, allow.

If the client does not have a cert fingerprint, the module should notify the client that it needs to connect with an SSL certificate and provide the server admin with a fingerprint.

If the client has a certificate fingerprint, then the module will act according to the module permissions and allow based on previously added certFPs.

This module should work in compliance with fail-if-no-clientcert and in a certain way it could be an enhanced version of it.

Also note that the intention is not to make use of services for this operation.

Thoughts?
Constructive criticism leads to evolution and progress. Negative criticism leads to obsolescence. We are not in the 90's IRC world anymore.
CertFP: d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244
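The allow/deny logic described in the request above, modelled as an added example (this is not UnrealIRCd code or a module from the project; the names CertFpPolicy, Decision, normalize_fp and certfp_from_der are this example's own). It shows two things the post does not spell out: the config block writes fingerprints as colon-separated uppercase hex while the signature shows bare lowercase hex, so both spellings must be normalised before comparison, and the "deny, allow" switch means a client with no certificate is refused as soon as one entry exists, even if fail-if-no-clientcert is off. Reading action "deny" as "refuse this fingerprint regardless of nick" is this example's assumption; the request leaves it open.

```python
"""Added example, not UnrealIRCd code: a model of the certFP allow/deny policy
described in the request above."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

HEX = set("0123456789abcdef")


def normalize_fp(fp: str) -> str:
    """Accept the colon-separated uppercase form used in the config block
    (E7:4D:...) or the bare lowercase form shown in the signature, and return
    bare lowercase hex so that both spellings of one fingerprint compare equal."""
    bare = fp.strip().replace(":", "").lower()
    if len(bare) != 64 or not set(bare) <= HEX:
        raise ValueError(f"not a SHA-256 certificate fingerprint: {fp!r}")
    return bare


def certfp_from_der(der: bytes) -> str:
    """certFP as SHA-256 over the DER-encoded certificate (the usual construction)."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class CertFpPolicy:
    """fail_if_no_clientcert mirrors set::ssl::options::fail-if-no-clientcert.
    allow maps a lowercased nick to the fingerprints it may log in with.
    deny holds fingerprints refused regardless of nick (this example's reading
    of action "deny"; the request does not pin that down)."""
    fail_if_no_clientcert: bool = False
    allow: dict = field(default_factory=dict)
    deny: set = field(default_factory=set)

    def add(self, nick: str, fp: str, action: str = "allow") -> None:
        fp = normalize_fp(fp)
        if action == "allow":
            self.allow.setdefault(nick.lower(), set()).add(fp)
        elif action == "deny":
            self.deny.add(fp)
        else:
            raise ValueError(f"action must be allow or deny, got {action!r}")

    def configured(self) -> bool:
        return bool(self.allow or self.deny)

    def decide(self, nick: str, client_fp: Optional[str]) -> Decision:
        if client_fp is None:
            # No certificate: refuse when the server already demands one, or
            # once any certFP entry exists (the request's "deny, allow" switch).
            if self.fail_if_no_clientcert or self.configured():
                return Decision(False, "connect with an SSL client certificate "
                                       "and send its fingerprint to the server admin")
            return Decision(True, "no client certificate required")
        fp = normalize_fp(client_fp)
        # Constant-time comparison: fingerprints are secrets of a sort, and a
        # timing side channel on the match is cheap to avoid.
        if any(hmac.compare_digest(fp, d) for d in self.deny):
            return Decision(False, "client certificate fingerprint is denied")
        if not self.configured():
            return Decision(True, "no certFP entries configured; certificate accepted")
        if any(hmac.compare_digest(fp, a) for a in self.allow.get(nick.lower(), ())):
            return Decision(True, f"certFP matches the entry for {nick}")
        return Decision(False, "You are not allowed to connect to this server "
                               "without an approved client certFP")


if __name__ == "__main__":
    policy = CertFpPolicy()
    policy.add("mynick1", "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:"
                          "85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98")
    # Constructed bytes standing in for a DER certificate; not a real cert.
    stranger = certfp_from_der(b"constructed bytes, not a real DER certificate")
    for nick, fp in [("mynick1", None), ("mynick1", "e74d46f19ff468f5e8e349cc285df9"
                     "6585ba4f16b64902e334e6e76afe76a798"), ("mynick1", stranger)]:
        print(nick, fp and fp[:8], policy.decide(nick, fp))
```

The nick is lowercased before lookup because IRC nicks are case-insensitive; a real module would use the server's own casemapping rather than str.lower().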
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: [REQUEST] User CertFP logins

Post by Syzop »

The first thing that comes to mind is using services to keep a record of which user has which TLS certificate and then allowing only SASL EXTERNAL (authenticate by certificate). And make your server allow SASL-only connections via https://www.unrealircd.org/docs/Require ... tion_block for mask *.

BUT, as you said, you want to do it without services :)
Possibly my new feature (in git, for 5.0.2) would be handy: https://www.unrealircd.org/docs/Extended_server_bans
Then you can use GLINE and ELINE to deny/allow users based on certificate fingerprint.
I still need to update the code to make it work in the configuration file as well (within the next 3 days, possibly today).

This does exempt those users from server bans, though, as ELINE is meant for adding trusted users like IRCOps and trusted bots. So it might not be entirely what you want, depending on your network/users/purpose.