UnrealIRCd Forums

Hello everyone.

FIrst of, i just wanted to say that the unreal team is making an excellent job in everything. So, well done unreal team.

Now then, i was wondering if someone could make a module that will let people /oper only if they are on an SSL connection. Maybe in the listen block have something like:

// Listen Block REQUIRED (Previously known as the P:Line)

listen 64.246.34.221:6667-6668 {
options {
clientsonly;
};
};

listen 64.246.34.221:6090 {
options {
clientsonly;
ssl;
opers; // <---- this addon!
};
};

So if someone connects on the normal ports, not using an SSL connection, the IRCD would deny that person to /oper.
Maybe let it open up a special ports, like opersonly;

Some of the reasons that led to this idea are:

1: Many shell providers have very unsecure boxes, leading to logging features which may be or not be known to the owners of the shell providers or the shell users themselves.

2: To avoid opers using public computers, or other computers which they do not own when using /oper. (keyloggers in webcafes for example). An example for here would be, operator1 goes to his friends house, to show off about his new oline. Friend has a keylogger installed. Due that the friend (by default) will most probably not have stunnel or any other ssl client at hand, the operator1 might just leave it, and not /oper up from that current location.

3: Users computer is infected with a backdoor, trojan, keylogger, or other means of monitoring.

Offcourse you would now say, its a matter of trust... but admit it... how many of you opers have used your /oper account from another location... just once or twice...!

Well, once is enough to jepordize the sanity of your chat server.

Anyways... i would love to hear you ideas about this.

Cheers everyone.

I can't see the usefulness of this module idea. I think it has a false sense of security. (Correct me if I'm wrong.) Here are the details:

1. You type "/oper somelogin somepass" into your IRC client while you are
connected to a server without SSL.
2. Message "OPER somelogin somepass" is sent to the other end of the
connection (to the server) in a raw form.
3. While the message is being sent, any users having access to the computers,
cables, etc. between you and the server can see this message with a sniffer
program.
4. The server receives the "OPER somelogin somepass" message and denies the
OPER command, but now it's too late, since the password was sent without
encryption.
5. You receive the denial, establish an SSL connection between the server and
resend the /oper command, but you are already too late.

Hmm, yeah. You have opened my eyes with that example.

YOUR RIGHT

Guess i'll have to try another aproach for the whole idea.

(There are many other ideas, but the key is to keep it simple for the user)

Oh well, thanx for 'killing' my idea so swiftly angrywolf :p

Cheers.

Unreal, will let you use client SSL cert to oper up though.

If I remember you just do:

password "the.client.cert" { sslclientcert; };

Then you'd do /oper nick anything-here

Wow, that's great, thanks for the idea.

hmm, very interesting. I will look it up right away.

Cheers.

How about regular changing of oper passwords?

Perhaps even an set::operpassexpire?

In my honest opinion, set::operpassexpire and things similar to it shouldn't be supported by the ircd. Changing oper passwords regularly should rather be a job for Server Administrators. If you want, you can easily write a script to generate your opers configuration which supports expiration, and run it regularly in the background (fe. with crontab). The reasons I think oper password expriation isn't worth: the ircd would have to store somewhere when an oper block was created/modified and it takes more job for the ircd to waste CPU and disk space on.

set::operpassexpire could just refuse the client from opering and to tell them to get someone to change their pass...

set::operpassexpire could just refuse the client from opering and to tell them to get someone to change their pass...

A Server Admin can do this, and requires no additional coding.

Just a regular rehash. On my server at least, those dont happen

Huh? What's this. Did you intend to post here? ;)

Well I think in addition to regular password changings you should restrict to a hostmask.

Maybe a good idea is to create a vhost for all your opers restricted to their hostmask and an oper login restricted for that vhost for an additional layer of security. Then the login would be restricted to known computers + need to know 2 usernames + 2 passwords to login.

Ops should never login in a public place IMO...

Syzop: yes I did. A server admin doing expiration like that automatically would require a regular rehash (and the script to actually expire it), something my server does not recieve. Yes I realize it could be crontabed, but it may be overlooked.

Ok.
Well, reason I asked - unless I'm blind - is that the topic was from 1.5 year ago ;).