The idea is very much the same as the functionality that exists for opers, but for regular users.
The module would make use of a configuration file that would then be loaded by unrealircd.conf, much like, let's say,
https://unrealircd.org/docs/Ban_version_block and could be called certfp_logins.conf
The ban version block allows you to ban a client based on the IRC client software they use.
But in this case it would allow or deny based on client certificate fingerprint.
By default this module could work with set::ssl::options::fail-if-no-clientcert
https://www.unrealircd.org/docs/Set_blo ... clientcert
The configurable block could be:
user {
    nickname "mynick1";
    password "E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98" { sslclientcertfp; };
    action "deny"; # valid options: allow, deny
    verify "no"; # options yes|no
    reason "You are not allowed to connect to this server without an approved client certFP";
};
All allowed users would have their nick+certFP specified in a file for the certFP block. (certfp_logins.conf)
This file will obviously grow as the user count increases.
Once the module is loaded, the IRC admin is notified about its activeness and directed to configure it.
Once loaded, the default will act in compliance with fail-if-no-clientcert, whether it is set or not, but once the config file gets one configured user the policy would be deny, allow.
If the client does not have a cert fingerprint, the module should notify the client that it needs to connect with an SSL certificate and provide the server admin with a fingerprint.
If the client has a certificate fingerprint, then the module will act according to the module permissions and allow based on previously added certFP.
This module should work in compliance with fail-if-no-clientcert and in a certain way it could be an enhanced version of it.
Also note that the intention is not to make use of services for this operation.
Thoughts?
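The decision logic proposed in the post, written out as a small model so the policy can be checked against concrete cases. This is an added example, not UnrealIRCd code and not a module: it parses the user block format from the post out of a constructed certfp_logins.conf (the first fingerprint is the one quoted above, the second is made up), and the `decide()` function applies the stated rules: follow fail-if-no-clientcert while no user is configured, then switch to deny-by-default once one user exists, matching nick plus fingerprint and honouring per-entry allow/deny. Nick matching by plain lowercase and the fingerprint format (SHA-256 hex, colons optional) are assumptions of the model.

```python
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample certfp_logins.conf in the block format from the post.
# PAGE_FP is the fingerprint quoted on the page; REVOKED_FP is made up.
PAGE_FP = ("E7:4D:46:F1:9F:F4:68:F5:E8:E3:49:CC:28:5D:F9:65:85:BA:4F:16:"
           "B6:49:02:E3:34:E6:E7:6A:FE:76:A7:98")
REVOKED_FP = ":".join(["AA", "BB", "CC", "DD"] * 8)

SAMPLE_CONF = f'''
user {{
    nickname "mynick1";
    password "{PAGE_FP}" {{ sslclientcertfp; }};
    action "allow";
    verify "no";
    reason "approved client certificate";
}};
user {{
    nickname "revoked";
    password "{REVOKED_FP}" {{ sslclientcertfp; }};
    action "deny";
    verify "no";
    reason "certificate revoked by admin";
}};
'''


@dataclass(frozen=True)
class UserEntry:
    nickname: str
    certfp: str   # normalized: lowercase hex, no colons
    action: str   # "allow" or "deny"
    reason: str


# A user block may contain one nested brace group (the { sslclientcertfp; } part).
_BLOCK = re.compile(r'user\s*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;')
_FIELD = re.compile(r'(\w+)\s+"([^"]*)"')
_HEX64 = re.compile(r'[0-9a-f]{64}')


def normalize_certfp(fp: str) -> str:
    """Lowercase hex without colons; rejects anything that is not SHA-256 sized."""
    norm = fp.replace(":", "").lower()
    if not _HEX64.fullmatch(norm):
        raise ValueError(f"malformed certificate fingerprint: {fp!r}")
    return norm


def parse_certfp_logins(text: str) -> List[UserEntry]:
    """Parse user { ... }; blocks. Unknown actions are rejected rather than guessed."""
    entries = []
    for block in _BLOCK.finditer(text):
        fields = dict(_FIELD.findall(block.group(1)))
        action = fields.get("action", "deny").lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"invalid action {action!r} for {fields.get('nickname')!r}")
        entries.append(UserEntry(
            nickname=fields["nickname"],
            certfp=normalize_certfp(fields["password"]),
            action=action,
            reason=fields.get("reason", "no reason given"),
        ))
    return entries


def decide(entries: List[UserEntry], nick: str, client_certfp: Optional[str],
           fail_if_no_clientcert: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for a connecting client under the proposed policy."""
    if not entries:
        # Nothing configured yet: behave exactly like fail-if-no-clientcert.
        if client_certfp is None and fail_if_no_clientcert:
            return False, "client certificate required (fail-if-no-clientcert)"
        return True, "no certfp logins configured; not enforcing"
    if client_certfp is None:
        return False, ("connect with an SSL client certificate and give its "
                       "fingerprint to the server admin")
    try:
        fp = normalize_certfp(client_certfp)
    except ValueError:
        return False, "malformed certificate fingerprint"
    for entry in entries:
        nick_match = entry.nickname.lower() == nick.lower()
        fp_match = hmac.compare_digest(entry.certfp, fp)  # constant-time compare
        if nick_match and fp_match:
            return entry.action == "allow", entry.reason
    # Deny by default once at least one user is configured.
    return False, "You are not allowed to connect to this server without an approved client certFP"


if __name__ == "__main__":
    entries = parse_certfp_logins(SAMPLE_CONF)
    for nick, fp in [("mynick1", PAGE_FP), ("revoked", REVOKED_FP), ("guest", None)]:
        print(nick, decide(entries, nick, fp, fail_if_no_clientcert=True))
```

The nested-brace regex covers exactly the one level of nesting the proposed block uses; a real parser in the module would reuse UnrealIRCd's own config parser rather than regexes.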