Hello,
A couple of months ago, I started searching for a well-maintained IRC server that I could use as a basis for internal use at my organization. We are fairly security-conscious and we needed a solid server that supported SSL and PAM authentication. So, first - thanks for the great work you all are doing.
We had a couple of other requirements, especially if we were going to expose the port on an externally-accessible address. The first was to allow only authorized connections from clients who presented a valid SSL certificate. This is the first half of the patch. If linked with GNUTLS, the patch will allow the admin to limit connections to clients that present a valid cert, signed by a valid CA in the server cert's chain of trust. It also supports revocation lists.
Second is the addition of a new caching process called authcache. We wire up authentication through PAM and on to a one-time password infrastructure. We chose to do this since IRC clients don't bother trying to keep that password protected... at all. It is even written to the client's history files in many cases. To shorten the window of opportunity for exposed credentials, the user enters an OTP when authenticating. Naturally, with the manner and frequency in which IRC clients disconnect and reconnect, entering credentials repeatedly would be infuriating (and impossible with most clients). Authcache will create a token from the hash of the original IRC name, source connection hostname/address, and if SSL is enabled, the client certificate's hash, and store it in a table for a user-configurable amount of time. This table is consulted when a new connection is made and bypasses the internal authentication step if a record is found. A user- or admin-directed logoff will clear the connection's entry.
Known issues...
1. Requires GNUTLS 3.x. I chose to use newer methods for CRL and verification checks. I would like to figure out what version of GNUTLS is installed and call the appropriate methods, but this leads me into the next item...
2. Lack of good Autoconf checks. As noted above, it requires GNUTLS 3.x. I am sadly not familiar enough with autoconf to put together a robust means of testing for that.
3. I have not yet written an equivalent CRL and Client cert check for libssl.
4. No changes to your unit tests. I hang my head in shame...
I know there are a few items in that list that are solvable after some research and fiddling (autoconf, libssl). I haven't had a chance to fix those items yet - I hope to at some point, but who knows when. As you can tell by the dates in the patchfile, I've been sitting on the changes for a bit, hoping for time to get autoconf sorted out. It's been months, so I figured I'd put the patches out there in case they are useful in this configuration.
Again, thanks for an awesome server - I hope you find these patches as useful as I have.
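The authcache behaviour described in the message above, modelled as an added example (this is not code from the patch or from the IRC server). SHA-256, the length-prefixed field encoding, the injectable clock and the names `make_token` and `AuthCache` are assumptions made for illustration.

```python
import hashlib
import time


def make_token(nick, host, cert_fp=None):
    """Hash IRC name, source host/address and (if TLS) the client-cert hash."""
    h = hashlib.sha256()  # assumption: the message does not name the hash
    for field in (nick, host, cert_fp or ""):
        data = field.encode("utf-8")
        # Length prefix keeps ("ab", "c") and ("a", "bc") from hashing alike.
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


class AuthCache:
    """Token table with a fixed, admin-configurable lifetime per entry."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be tested
        self._expiry = {}       # token -> time at which the entry dies

    def remember(self, nick, host, cert_fp=None):
        """Call only after a successful PAM/OTP authentication."""
        token = make_token(nick, host, cert_fp)
        self._expiry[token] = self.clock() + self.ttl

    def is_cached(self, nick, host, cert_fp=None):
        """True if a reconnect with this exact identity may skip the OTP step."""
        token = make_token(nick, host, cert_fp)
        expiry = self._expiry.get(token)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            # Expired entries are dropped so they cannot be revived later.
            del self._expiry[token]
            return False
        return True

    def forget(self, nick, host, cert_fp=None):
        """Call on a user- or admin-directed logoff."""
        self._expiry.pop(make_token(nick, host, cert_fp), None)
```

Because the source address and certificate hash are part of the token, a reconnect from a different host or with a different certificate misses the cache and falls back to full authentication.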