October 2014 - ngIRCd Users

Re: [ngIRCd-ML] Fixing site influence on testsuite success
by Christoph Biedl 22 Oct '14

22 Oct '14

[ something ate my message, second try ] Hello, there's a longstanding issue in ngircd, at least on (Debian) Linux using glibc: Some tests in src/festsuite rely on a certain order of the entries in /etc/hosts. Appearently the first entry that points to 127.0.0.1 is returned when getnameinfo, same for gethostbyaddr, is called for that IP address. Up to three tests (misc, who, whois) assume the result is or begins with "localhost", and will fail otherwise. This usually happens if the administrator of the site where ngircd is built has decided to have an entry about the host name at the first place in /etc/hosts. Now I'm not aware whether there's a rule about this at all. And even if, it is violated that often I'd call it a bad idea to try educating users. Instead, ngircd should work around it. Two ways I can think of: Before running the tests, call getnameinfo on 127.0.0.1 and patch any non-"localhost*" result into the expect files. This looks kludgy, especially since some tests use pattern matching like in 'send "who ??cal*ho*\r"'. So after a few hours of trying, a second idea: Enhance ngircd's resolver to resolve 127.0.0.1 into "localhost" no matter what. To avoid surprises, this should be controllable by another command line option. Using LD_PRELOAD during the tests was a variant. Thoughts? Christoph

1 3

Patch to Disable SSLv3 (POODLE)
by lists＠packetmail.net 16 Oct '14

16 Oct '14

Hello, some time ago I had created some patches for a specific cipher list with ngircd. In reference to the SSLv3 issue (POODLE) the below patch also addresses this issue. The key is just adding "SSL_OP_NO_SSLv3" to the SSL_CTX_set_options function. --- /backup/archives/system_101514/root/src/ngircd-22/src/ngircd/conn-ssl.c 2014-10-13 09:57:54.000000000 -0500 +++ ./src/ngircd/conn-ssl.c 2014-10-15 09:35:23.000000000 -0500 @@ -324,7 +324,8 @@ Log(LOG_INFO, "Successfully applied SSL CipherList=%s", "EDH+aRSA:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"); } - SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); + /* NCF, Oct 15 2014, Disable SSLv3 (POODLE) */ + SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, Verify_openssl); Cheers, Nathan

3 5

ngIRCd 22~rc1
by Alexander Barton 11 Oct '14

11 Oct '14

Hello again! I tagged the first release candidate for our upcoming next „feature release“ of ngIRCd today: ngIRCd Release 22~rc1. There have been more than 100 individual commits since ngIRCd 21, the NEWS file lists 20 new „features“, please pick your favorite yourself: • Sync "except lists" between servers: Up to now, ban, invite, and G-Line lists have been synced between servers while linking -- but obviously nobody noticed that except list have been missing ever since. Until now. Thanks to "j4jackj", who reported this issue in #ngircd. • Allow longer user names (up to 63 characters) for authentication. • Increase MAX_SERVERS from 16 to 64: There are installations out there that would like to configure more than 16 links per server, so increase this limit. Best would be to get rid of MAX_SERVERS altogether and make if fully dynamic, but start with this quick and dirty hack ... • Test suite/platformtest.sh: Detect when tests have been skipped. • Allow "DefaultUserModes" to set all possible modes, including modes only settable by IRC Operators. • Implement user mode "F": "relaxed flood protection". Clients with mode "F" set are allowed to rapidly send data to the daemon. This mode is only settable by IRC Operators and can cause problems in the network -- so be careful and only set it on "trusted" clients! User mode "F" is used by Bahamut for this purpose, for example. • Use server password when PAM is compiled in but disabled. • Streamline punctuation of log messages. • Return ISUPPORT(005) numerics on "VERSION". This is how ircd-seven, Charybdis, Hybrid, and InspIRCd behave, for example. • configure: Only link "contrib/Debian" if it exists, which isn't the case on "VPATH builds", for example. • Show the account name in WHOIS. This uses the same numeric as Charybdis and ircu families: WHOISLOGGEDIN(330). • Pattern matching: Remove "range matching" in our pattern matching code using the "[...]" syntax, because [ and ] are valid characters in nick names and one has to quote them currently using the "\" character, which is quite unexpected for users. • platformtest.sh: New option "-x", don't regenerate build system and allow using separate source and build trees. • Test suite: explicitly enable glibc memory checking. • Make "MODE -k" handling more robust and compatible, send "fake '*' key" in all replies. • portabtest: Actually test the functions snprintf(), strlcpy(), strlcat(), and vsnprintf() for correctness, not only existence (which was quite useless, because if they weren't available, the program could not have been linked at all ...). • Implement new configuration option "Network": it is used to set the (completely optional) "network name", to which this instance of the daemon belongs. When set, this name is used in the ISUPPORT(005) numeric which is sent to all clients connecting to the server after logging in. • Update doc/Platforms.txt. • Various code cleanups, remove unused code, streamline error handling. Remove all imp.h and exp.h header files, support non-standard vsnprintf() return codes, and fix some K&R C portability issues. Streamline DEBUG_ARRAY, DEBUG_BUFFER, DEBUG_IO, DEBUG_ZIP definitions. • Increase penalty time to 10 seconds when handling OPER commands with an invalid password. Please test this release candidate thoroughly and report all glitches, problems, errors, and regressions you encounter! Best is to file bugs and feature requests here: ngIRCd Bug Tracker: <http://ngircd.barton.de/bugzilla/> You can find more information on our homepage at <http://ngircd.barton.de/> and its mirror <http://http://ngircd.mirror.3rz.org/>. The primary download locations is: • <http://ngircd.barton.de/pub/ngircd/> And as usual: a big THANKS to all users, bug reporters, contributors, packagers, and supporters! Have fun! Alex

1 1

Re: [ngIRCd-ML] Feld "Benutzername" soll nicht den wahren Benutzernamen des Host-OS-Kontos eines jeden Besuchers anzeigen
by Max Rieger 04 Oct '14

04 Oct '14

Am 04.10.2014 um 19:07 schrieb Götz Hoffart: > Am 04.10.2014 um 18:32 schrieb Max Rieger <root(a)dynamic-port.net>: > >> When i write in an new line "CloakUserToNick = secret", save the file and reload/restart the IRC-Server, i can not see an change at field "Benutzername" (for english: Username. But not Nickname!) at my User-Entry in IRC-Client and at every another Users. > The setting for that is 'yes' or 'no', not 'secret'. After setting this you must HUP or restart ngIRCd. > > Did you see/read that the setting of the username is done by the IRC client? You can change it there. > >> Before i check for change, i have me logout from my IRC-Channel and login again. And value-set "yes" is that self, why "no". > I don’t understand these two sentences, sorry. > > Regards > Götz Before i write to this ML, i have it check with "CloakUserToNick = yes" and "CloakUserToNick = no". To this time i have not see an change but now can sea an change. Thanks! rfnddh4imk2rst7w.onion

1 0

Feld "Benutzername" soll nicht den wahren Benutzernamen des Host-OS-Kontos eines jeden Besuchers anzeigen
by Max Rieger 04 Oct '14

04 Oct '14

Hallo! Ich wusste nicht, dass es bei IRC üblich ist den echten Benutzernamen, mit dem man sich beim eigenen Betriebssystem angemeldet hat, mit zu übertragen und gar für Besucher anzuzeigen. Für mich und die Besucher stellt das ein Sicherheitsproblem dar. Mit "CloakHost" kann ich das Problem nicht beheben - dass wurde mir als Lösung aus dem IRC-Raum "ngircd" des Servers "irc.barton.de" genannt, vermeintliche Lösung also. Der Wert zu "Benutzername" wird sicherlich nicht zur Identifikation vom IRC-Server gebraucht, weder noch unter einander oder liege ich da falsch? Weil selbst wenn, könnte man ja wenigstens dafür sorgen, dass jeder sich anmeldende Besucher stattdessen einen zufälligen Zeichensalat für "Benutzername" bekommt, der nur bis zum wieder abmelden und Time-out gilt. Ich bitte um eine schnelle Lösung. Danke!

2 2