
[REQUEST] User CertFP logins

Posted: Tue Jul 09, 2019 2:12 am
by HeXiLeD
Much like Oper by SSL Client certificates, some of us would like a module that allowed user connection by Client certificates FP.

The idea is very much the same as the functional that exists for opers, but for regular users.

The module would make use of a configuration file that would then be loaded by unrealircd.conf much like, let's say: and could be called certfp_logins.conf

The ban version block allows you to ban a client based on the IRC client software they use.

But in this case it would allow or deny based on client certificate fingerprint.

By default this module could work with set::ssl::options::fail-if-no-clientcert ... clientcert

The configurable block could be:


 user {
     nickname "mynick1";
     password "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98" { sslclientcertfp; };
     action "deny"; # valid options: allow, deny
     verify "no"; # options yes|no
     reason "You are not allowed to connect to this server without an approved client certFP";
 };

All allowed users would have their nick+certFP specified in a file for the certFP block. (certfp_logins.conf)
This file will obviously grow as the user count increases.
Once the module is loaded, the irc admin is notified about its activeness and directed to configure it.
Once loaded the default will act in compliance with fail-if-no-clientcert and if it is set or not, but once the config file gets one configured user then the policy would be deny, allow.

If the client does not have a cert fingerprint, the module should notify the client that it needs to connect with an SSL certificate and provide the server admin with a fingerprint.

If the client has a certificate fingerprint, then the module will act according to the module permissions and allow based on previously added certFP.

This module should work in compliance with fail-if-no-clientcert and in a certain way it could be an enhanced version of it.

Also note that the intention is not to make use of services for this operation.
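The allow/deny flow described in this request, written out as an added example (this is neither UnrealIRCd code nor the poster's): the certificate bytes, the minimal parser for the proposed user { } blocks and the reason strings are all constructed here; the fingerprint itself is SHA-256 over the DER certificate, rendered in the colon-separated form shown above.

```python
"""Added example: certfp-based user allow/deny, modelled on the request above."""
import base64
import hashlib
import re

def _fake_pem(payload: bytes) -> str:
    # Constructed stand-in for a client certificate: a PEM wrapper around
    # arbitrary bytes, enough to exercise the fingerprint and policy code.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_CLIENT_PEM = _fake_pem(b"constructed-der-bytes-for-example-only")
OTHER_CLIENT_PEM = _fake_pem(b"constructed-der-bytes-of-an-unknown-client")

def certfp_from_pem(pem: str) -> str:
    """SHA-256 over the DER body, as colon-separated uppercase hex (certfp style)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def load_certfp_logins(conf_text: str) -> dict:
    """Parse the proposed user { } blocks into {certfp: (nickname, action)}."""
    logins = {}
    for block in re.split(r"\buser\s*\{", conf_text)[1:]:
        nick = re.search(r'nickname\s+"([^"]+)"', block)
        fp = re.search(r'password\s+"([0-9A-Fa-f:]+)"', block)
        action = re.search(r'action\s+"(allow|deny)"', block)
        if nick and fp and action:  # skip incomplete blocks instead of guessing
            logins[fp.group(1).upper()] = (nick.group(1), action.group(1))
    return logins

def decide(client_pem, logins: dict, fail_if_no_clientcert: bool):
    """Return (action, reason): fall back to fail-if-no-clientcert while the
    file is empty; once any user is configured the policy is deny, allow."""
    if not logins:
        if client_pem is None and fail_if_no_clientcert:
            return "deny", "no client certificate presented"
        return "allow", "certfp policy not configured"
    if client_pem is None:
        return "deny", "connect with a TLS client certificate and send its fingerprint to the admin"
    entry = logins.get(certfp_from_pem(client_pem))
    if entry is None:
        return "deny", "certificate fingerprint not approved"
    nick, action = entry
    return action, f"matched certfp entry for {nick}"

# Constructed certfp_logins.conf content, keyed by the sample client's fingerprint.
SAMPLE_FP = certfp_from_pem(SAMPLE_CLIENT_PEM)
SAMPLE_CONF = f'user {{ nickname "mynick1"; password "{SAMPLE_FP}" {{ sslclientcertfp; }}; action "allow"; }};'
```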


Re: [REQUEST] User CertFP logins

Posted: Fri Jan 10, 2020 11:11 am
by Syzop
First thing that comes to mind is using services to keep a record of what user has what TLS certificate and then allow only SASL EXTERNAL (authenticate by certificate). And make your server only allow SASL only connections via ... tion_block for mask *.

BUT.. as you said.. you want to do without services :)
Possibly my new feature (in git, for 5.0.2) would be handy:
Then you can use GLINE and ELINE to deny/allow users based on certificate fingerprint.
I still need to update the code to make it work in the configuration file as well (within the next 3 days, possibly today).

This does exempt those users from server bans, though, as ELINE is meant for adding trusted users like IRCOps and trusted bots. So it might not be entirely what you want, depending on your network/users/purpose.