Restrict allowed client connections / Additional whois info

These are old archives. They are kept for historic purposes only.
Post Reply
ian
Posts: 6
Joined: Sun Mar 14, 2004 9:26 pm

Restrict allowed client connections / Additional whois info

Post by ian » Thu Jul 22, 2004 3:36 pm

Hey-
First off I want to thank everyone involved for the updates to allow win32 to use dll modules!

Now for the modules / general help requests
part 1:
I'm working on an intranet project using unreal on a windows(2k) platform and what I'm wanting to do is restrict clients joining to those who have gone through the hosted(on the same server) java client. Basically i'm wanting to restrict any third party IRC applications. Conference room(what im trying to replace) has some trickery used to authenticate the client and verify it was loaded from the same server.. and I need to replicate that if at all possible. I'm currently using PJIRC ( http://www.pjirc.com/main.php ) Which is a great applet and im sure i'm going to have to tinker with it quite a bit to get the authentication going.. im just not sure how involved the unreal server is going to get in the situtation.

part 2:
I sadly had to move from apache to IIS so that i could pull NT login information to match the webpage visitor to their corporate identity- but I'm hung as what would be a good method to integrate that information so that it is available from the irc server- possibly in a /whois or the like.


Any suggestions?

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Thu Jul 22, 2004 4:02 pm

Look at PJIRC's on connect commands, perhaps use one to identify to a vhost or similar? Then anyone without that vhost should be /killed
Why the hell can't my signature be empty?
"Your message contains too few characters."

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Thu Jul 22, 2004 4:06 pm

Even better

PJIRC is capable of logging in to passworded IRC servers. Configure a password in the ALLOW block. Then set PJIRC to use that password

*EDIT*

Anyone can of course, read the source code and retreive the password. But if you change often enough, it will be a nusance not to use your JavaChat
Why the hell can't my signature be empty?
"Your message contains too few characters."

ian
Posts: 6
Joined: Sun Mar 14, 2004 9:26 pm

Post by ian » Thu Jul 22, 2004 7:29 pm

hmm, good idea.
I'm wondering if there's some transparent(to the user) way i could do it- I'm sure there's an advantage to having the webserver running on the same box the ircd is..

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Thu Jul 22, 2004 7:34 pm

The PASSWORD method is transparent to the user, in the PJIRC readme using a password is described. It is a configuration option in the HTML

There isnt, the connection will still come from the remote box. Maybe CGI-IRC is for you (the connection will then be from 127.0.0.1 or whatever the webserver IP is. However then you cant GLINE by IP. I suppose you could still do it by user though



AFTERTHOUGHT: A mod should move this to support, it isnt really a module question
Why the hell can't my signature be empty?
"Your message contains too few characters."

ian
Posts: 6
Joined: Sun Mar 14, 2004 9:26 pm

Post by ian » Thu Jul 22, 2004 8:07 pm

If i could pass along the value which im getting of their NT domain login, then i could use that to ban/block etc and cgi-irc would work fine.

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Thu Jul 22, 2004 9:44 pm

Are you using ASP or PHP or some server side scripting language?

I have never used CGI-IRC but perhaps you could configure so that their ident is their login name
Why the hell can't my signature be empty?
"Your message contains too few characters."

ian
Posts: 6
Joined: Sun Mar 14, 2004 9:26 pm

Post by ian » Fri Jul 23, 2004 3:55 pm

Using PHP on IIS now.(and missing apache :( )

I checked CGI-IRC out, it just doesnt have the flexibility i want of a java client. I will be sticking with PJIRC.

Also, ident is a bit too short for use as the nt login.. however, i think i might just stick it into a finger reply. I've got privdef running on the server, so regular users cant use any privmsg or commands, which would limit it to IRCops. Preferrably I would like to include "user login" into my /whois

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Fri Jul 23, 2004 5:25 pm

All I can think of in for putting it in the whois is a vhost
Why the hell can't my signature be empty?
"Your message contains too few characters."

Theos
Posts: 7
Joined: Fri Mar 19, 2004 12:11 pm
Location: UK

Post by Theos » Sun Jul 25, 2004 5:22 pm

I created a module to add a new chmode +j which would stop people joining the channel in under X seconds of connecting (read my thread). As an afterthought, i decided to add a umode +f to which was unsettable by any user including ircops, but could only be set by logging in with a new command which had to be sent within the first 15 seconds of being connected. This +f umode allows the user to bypass the +j chmode and also adds a new whois line stating the user 'is connecting from the website' using numeric 336 (not wanting to use the swhois line).
However, to complete my task i had to edit the source codes to (a) stop it being setable by anyone at all and (b) add a new whois line. This means its completely unsupported by the unreal team. What i want to know however, is, is it possible to inject a new line into the whois reply without having to edit the source code so i can add a supportable module or would it have to override the default whois code?

If this is possible, it will help with your request too Ian.
:: Don't let your mind wander -- It may never come back ::

AngryWolf
Posts: 554
Joined: Sat Mar 06, 2004 10:53 am
Location: Hungary
Contact:

Post by AngryWolf » Sun Jul 25, 2004 6:12 pm

To complete the (a) point you don't have to edit the main source code. Both UmodeAdd and CmodeAdd allows you to deny everyone from setting the modes (in case of channel modes you do it with the is_ok member of the CmodeInfo structure).

AngryWolf
Posts: 554
Joined: Sat Mar 06, 2004 10:53 am
Location: Hungary
Contact:

Post by AngryWolf » Sun Jul 25, 2004 6:25 pm

The (b) point indeed can't be done without modifying the code of /whois or adding an override on the command, both ways are ugly.

Theos
Posts: 7
Joined: Fri Mar 19, 2004 12:11 pm
Location: UK

Post by Theos » Sun Jul 25, 2004 8:27 pm

Thanks for the reply Angrywolf. I'm against ugly methods, although the method i used was ugly too.
The problem with adding to the whois is that looking for a new umode means its looking for something that doesn't exist until the module is compiled, which will fail. This then means you have to add the umode to the initial source codes and change the whois, or duplicate the whois command in a module, overriding the whole thing with your addition in place. Both methods i didn't really want to do, but oh well, can't have everything i guess.

Maybe this could be looked at in the next module system -- a method of adding lines to the whois or other commands?
:: Don't let your mind wander -- It may never come back ::

CaliMonk

Post by CaliMonk » Mon Aug 30, 2004 8:50 am

I'm actually looking for exactly the same thing. We are moving from Conference Room to UnrealIRCd and i want to be able to forbid anyone not using my Java applet to be able to user the server.

I had planned on adding a version ban on * and then making a version ban except for my Javapplet, but i noticed there is no version ban except. The ban except itself also doesn't work for version except so thats not a way i can go i guess.

What your making now Theos, seems like something that could work, i'd love to be able to get that module, or possible a version except module. (Or the ban except to work with version bans)

Post Reply