Add authtoservices module, replacing sasl/nickserv (#1494) #1496
Conversation
an-empty-string
changed the title
Codecov Report
@@ Coverage Diff @@
## master #1496 +/- ##
==========================================
- Coverage 36.87% 36.84% -0.04%
==========================================
Files 126 125 -1
Lines 30823 30875 +52
Branches 93 93
==========================================
+ Hits 11367 11376 +9
- Misses 19415 19458 +43
Partials 41 41
Continue to review full report at Codecov.
|
| @@ -0,0 +1,83 @@ | |||
| <? I18N znc-sasl ?> | |||
modules/authtoservices.cpp
Outdated
| SetArgs("<hidden>"); | ||
| } | ||
|
|
||
| if(!GetNV("NotFirstLoad").ToBool()) { |
There was a problem hiding this comment.
This module should be automatically loaded if sasl and/or nickserv was loaded before. That can be done in IRCNetwork.cpp (search for "legacy crap"). Also the migrated settings can mimic the previous settings more closely if you take into account which of those modules were loaded.
Also that could help getting rid of "NotFirstLoad" hack.
|
The most recent commits likely still have a few bugs... expect updates, but I'm about to start another busy week so it might be a while before I can get them in. |
|
502d4dd fixes an issue where the account name wouldn't properly default to the nickname during SASL authentication. That's the only problem I observed when testing this. |
an-empty-string
changed the title
| @@ -369,6 +369,21 @@ struct TOption { | |||
| void (CIRCNetwork::*pSetter)(T); | |||
| }; | |||
|
|
|||
| bool CIRCNetwork::ModuleInConfig(CConfig* pConfig, const CString& sModule) const { | |||
| VCString vsList; | |||
| bool bFound; | |||
There was a problem hiding this comment.
This is undefined behavior without = false
Compiler is free to optimize this whole function to return true;
| VCString vsList; | ||
| bool bFound; | ||
|
|
||
| pConfig->FindStringVector("loadmodule", vsList); |
There was a problem hiding this comment.
It removes all "loadmodule"s from config.
| "which will load using your [sasl] configuration. Not " | ||
| "loading [nickserv]"); | ||
| continue; | ||
| } else if (ModuleInConfig(pConfig, "authtoservices")) { |
| if (sModName == "nickserv") { | ||
| if (ModuleInConfig(pConfig, "sasl")) { | ||
| CUtils::PrintAction( | ||
| "NOTICE: [nickserv] was merged into [authtoservices], " |
There was a problem hiding this comment.
What if sasl module was loaded, but not configured - e.g. user never told sasl the password.
| PutIRC(CString::NamedFormat(GetNV("IdentifyCmd"), msValues)); | ||
| } | ||
|
|
||
| void HandleMessage(CNick& Nick, const CString& sMessage) { |
There was a problem hiding this comment.
Need a way to disable this, e.g. via additional "mechanism"
There was a problem hiding this comment.
👍, this can also be a security flaw on sasl only networks where there isn't a NickServ nick. It might be possible for a user to get sasl passwords for ZNC users (and other clients that have similar logic) because they can change their nick to NickServ and send one of messages below to get clients to send passwords to them. Some servers can offer blocking nick names out from use like NickServ and common typos, but that is relying on the server being configured correctly.
I think the spirit of what we're trying to do with #1494 / #1230 is to encourage users to use sasl over nickserv (instead of, not with) because it has many benefits, including the decrease in risks where passwords can be erroneously taken. If its not by automated tooling, even there are known impersonation attacks in the wild with bots using nicknames similar to nickserv such as nicksarv and others to trick users into sending them their passwords.
If a network offers SASL I don't think users should consider using nickserv to idenify. Even if the sasl capability is currently missing or unavailable during connection, there can be room for more sophisticated attacks where you can abuse this feature of clients while services may be offline or down for maintenance. I'd avoid the room for downgrade attacks from sasl to nickserv auth. The original sasl module also has requireauth option to disconnect if we can't authenticate before registration (providing upstream server supports capabilities).
The problem right now is that some users do not know what sasl is, and they are already familiar with nickserv and thus would setup the nickserv module instead. I would suggest that we go with an approach that allows the module to be configured to only allow sasl authentication, and if at any time the module determines it can "upgrade" from from nickserv to sasl auth, it should then set this flag so it would never downgrade without user consent. Or even as alternative to merging the modules together, make the current NickServ module fail if it detects the server supports sasl and facilitate the user on switching to the sasl module instead (and some way to continue with nickserv if the user really knows what they are doing and understands the risks). However this approach may be a bit more user hostile than people would like.
|
it's bikesheddy, but I don't know if (1) sasl doesn't depend on services, it's an ircd feature I have no really good name proposals, but i think just |
|
|
||
| public: | ||
| MODCONSTRUCTOR(CAuthToServices) { | ||
| AddCommand("Help", t_d("search"), t_d("Generate this output"), |
There was a problem hiding this comment.
Isn't there a AddHelpCommand(); function?
| true}}; | ||
|
|
||
| public: | ||
| MODCONSTRUCTOR(CAuthToServices) { |
There was a problem hiding this comment.
What about refactoring the command names to directly indicate what type of authentication it is, normally I would suggest a subcommand structure but I don't know if ZNC is capable of it
e.g.
sasl account zarthus
sasl require true
sasl password hunter2
nickserv account zarthus
nickserv password hunter2
nickserv name Themis
instead however maybe something like this makes sense
SASLAccount zarthus
SASLRequire true
SASLPassword hunter2
NSAccount zarthus
NSPassword hunter2
NSName Themis
at the moment it's not clear to me what I need to provide to configure e.g. SASL, Do I need an account? a password? How do I set a certificate path? It's also inconsistent in e.g. SaslMechanism and RequireSasl
There was a problem hiding this comment.
What's the point of unifying sasl and nickserv if all settings stay separate?
There was a problem hiding this comment.
The settings can use the same variables, but if I want to configure SASL I just want to know what I need to configure SASL, introducing more ("redundant") options for a nicer to use "API" is, to me, more beneficial than keeping it a confusing mess with 50 commands that don't follow any kind of unified pattern.
| } | ||
|
|
||
| const CString GetAccount() { | ||
| if(GetNV("Account").empty()) { |
There was a problem hiding this comment.
I'm not a fan, I'd rather it just aborts and tells the user to set an account name.
|
I realize the PR feedback here is perhaps better suited for improvement tickets in the future; I just gave thoughts where I thought they fit, in the end it's remants from the old code. |
The authtoservices module is an amalgamation of the nickserv and sasl modules. In short, it:
The first time it is loaded, it will automatically migrate configuration from the sasl module or the nickserv module (precedence is given to sasl), if available. This ensures there's an upgrade path, if we decide the best way forward is to remove the sasl/nickserv modules from the tree and have them load authtoservices instead.
Aside from a few name changes and what's described above, it functions identically to the nickserv and sasl modules.
This PR fixes #1494. This module could in theory be an external module, however, as the original issue was that nickserv and sasl have similar functionality and users often choose the wrong one, it makes sense to combine this PR with removal/redirection of those modules (so this would have to be in core).