| 1 |
Oper Challenge and Response System |
| 2 |
|
| 3 |
$Id$ |
| 4 |
|
| 5 |
Copyright (c) 2001-2012 by ircd-hybrid team |
| 6 |
|
| 7 |
---------------------------------------------------------------------- |
| 8 |
|
| 9 |
ircd-hybrid |
| 10 |
|
| 11 |
In an effort to reduce the damage caused to a network by a hacked O-line, |
| 12 |
Hybrid supports an OpenSSL based challenge-response system. This new |
| 13 |
system allows the admin to remove all oper block passwords from the conf |
| 14 |
file. Authentication is done through a public/private key. |
| 15 |
|
| 16 |
---------------------------------------------------------------------- |
| 17 |
|
| 18 |
Requirements |
| 19 |
|
| 20 |
The ircd must be compiled with the --enable-openssl option to configure. |
| 21 |
If configure detects a working openssl library, --enable-openssl is |
| 22 |
implicitly enabled. |
| 23 |
|
| 24 |
oper {} blocks should not have normal passwords, but should contain the |
| 25 |
the name of the private key file. However it is possible for the user to |
| 26 |
use both challenge and normal passwords, but this would defeat the purpose |
| 27 |
of the challenge system. |
| 28 |
|
| 29 |
m_challenge.la must be loaded. |
| 30 |
|
| 31 |
The oper has their private key file and an implementation of the RSA |
| 32 |
Respond tool available to be run. |
| 33 |
|
| 34 |
---------------------------------------------------------------------- |
| 35 |
|
| 36 |
Process |
| 37 |
|
| 38 |
Each oper should have a private key file and a public key file. The keys |
| 39 |
can be generated with the mkkeypair utility provided in tools/. |
| 40 |
|
| 41 |
The oper keeps their private key file in a safe place, and gives their |
| 42 |
public key file to their admin(s). |
| 43 |
|
| 44 |
The admin will place an entry for the public key file into a field called |
| 45 |
rsa_public_key_file of each oper's oper {} block in the conf file. |
| 46 |
|
| 47 |
The oper wishes to obtain their operator status, and issues the CHALLENGE |
| 48 |
command. |
| 49 |
|
| 50 |
The server will print out a long hexadecimal string, that needs to be fed |
| 51 |
to the respond utility provided in tools/rsa_respond. |
| 52 |
|
| 53 |
The respond program will generate an answer that is fed back to the |
| 54 |
CHALLENGE command. |
| 55 |
|
| 56 |
---------------------------------------------------------------------- |
| 57 |
|
| 58 |
Generating the Key Files |
| 59 |
|
| 60 |
The keys can be generated with the openssl command as follows: |
| 61 |
|
| 62 |
openssl genrsa -des3(1) -out rsa.key 1024(2) |
| 63 |
openssl rsa -in rsa.key -pubout -out rsa.pub |
| 64 |
|
| 65 |
|
| 66 |
(1) |
| 67 |
The -des3 must be included in order to create a key with a |
| 68 |
passphrase. Omitting this option will create a non protected key. |
| 69 |
(2) |
| 70 |
The key size must be 1024 or below. The challenge sent for a |
| 71 |
longer keysize will be too long to fit into the ircd's 512 byte |
| 72 |
line constraint. |
| 73 |
|
| 74 |
It is highly recommended that you set a password on your private key. |
| 75 |
|
| 76 |
The tools/mkkeypair utility cannot be used to create a key suitable for |
| 77 |
use in CHALLENGE. |
| 78 |
|
| 79 |
---------------------------------------------------------------------- |
| 80 |
|
| 81 |
Using CHALLENGE and respond |
| 82 |
|
| 83 |
Note: All examples assume the use of the stock respond client included |
| 84 |
with the ircd-hybrid-8 source, run on a UNIX(c) platform. |
| 85 |
|
| 86 |
The administrator of the server you oper on should remove the password in |
| 87 |
your oper {} block and replace it with an entry for your public key, so |
| 88 |
that /oper will be disabled. |
| 89 |
|
| 90 |
Note: The public key is a VERY long string. |
| 91 |
|
| 92 |
The oper will issue /challenge oper_nick, and see something like below: |
| 93 |
|
| 94 |
*** 56F1FDAE4C590C524CF758917E62C2A2A1376CB9C4C2E7D411BB0AD9C4A |
| 95 |
605A2D05A94E7254197E9D71438B5FB565B6FD35465E462305F35F4A2D45311 |
| 96 |
F983B3E062F635912FA155B4B1E18EAA782CC107F4C9DA83092658D16A2E88A |
| 97 |
6BCF9820F5A044A29CDD4C062F05BF509CA3B561375CBC4179BD1CF6026BDE9 |
| 98 |
60E52C6B |
| 99 |
|
| 100 |
Note: The challenge is all on one line. |
| 101 |
|
| 102 |
Note: With some clients, the oper will have to issue /quote CHALLENGE |
| 103 |
instead of /challenge. |
| 104 |
|
| 105 |
The oper will then have to feed that challenge to the respond program. |
| 106 |
|
| 107 |
+------------------------------------------------------------------+ |
| 108 |
| The respond utility's syntax is: | |
| 109 |
| | |
| 110 |
|$ ./respond private_key_file challenge_from_server | |
| 111 |
| | |
| 112 |
| | |
| 113 |
| Example: | |
| 114 |
| | |
| 115 |
|wcampbel@botbay (rsa_respond): ./respond hwy.key \ | |
| 116 |
|56F1FDAE4C590C524CF758917E62C2A2A1376CB9C4C2E7D411BB0AD9C4A605A2D0| |
| 117 |
|5A94E7254197E9D71438B5FB565B6FD35465E462305F35F4A2D45311F983B3E062| |
| 118 |
|F635912FA155B4B1E18EAA782CC107F4C9DA83092658D16A2E88A6BCF9820F5A04| |
| 119 |
|4A29CDD4C062F05BF509CA3B561375CBC4179BD1CF6026BDE960E52C6B | |
| 120 |
|Keyphrase: | |
| 121 |
|6B882932DD00F86123869E401F7334B9B0D0018A60F1DE244E90E47246AA87C7 | |
| 122 |
| | |
| 123 |
| Note: The challenge parameter must be on one line. | |
| 124 |
+------------------------------------------------------------------+ |
| 125 |
|
| 126 |
The keyphrase must be entered properly to get the response. The bottom |
| 127 |
line is the response that must be sent back to the server. |
| 128 |
|
| 129 |
The oper will issue the following command in order to obtain operator |
| 130 |
status: |
| 131 |
|
| 132 |
/challenge |
| 133 |
+6B882932DD00F86123869E401F7334B9B0D0018A60F1DE244E90E47246AA87C7 |
| 134 |
|
| 135 |
Note: The '+' is needed |
| 136 |
|
| 137 |
If successful, the oper will obtain operator status on the server. |
| 138 |
|
| 139 |
+------------------------------------------------------------------------+ |
| 140 |
| Warning | |
| 141 |
|------------------------------------------------------------------------| |
| 142 |
| If the CHALLENGE fails, and you use ircII, EPIC, or BX, you may get | |
| 143 |
| disconnected with the client asking for the server password. This is a | |
| 144 |
| client bug, not an ircd bug. | |
| 145 |
+------------------------------------------------------------------------+ |
| 146 |
|
| 147 |
---------------------------------------------------------------------- |
| 148 |
|
| 149 |
RSA Respond Tool |
| 150 |
|
| 151 |
The RSA Respond tool is a vital part of challenge/response system. In |
| 152 |
order to function, the operator must have must have a way to quickly issue |
| 153 |
the respond command, and to copy and paste data to and from the IRC |
| 154 |
client. |
| 155 |
|
| 156 |
The respond source code is included with the ircd-hybrid source, in the |
| 157 |
tools/rsa_respond directory. |
| 158 |
|
| 159 |
A copy of the source tar file is available on |
| 160 |
http://www.wohmart.com/ircd/pub/irc_tools/rsa/rsa_respond-src-hyb7.tar.gz |
| 161 |
|
| 162 |
For Windows platforms, there are two available RSA Respond tools. One is a |
| 163 |
text only port of the stock tool. The binary is available from |
| 164 |
http://www.wohmart.com/ircd/pub/irc_tools/rsa/rsa_respond-bin.tar.gz. |
| 165 |
The other tool is a GUI enabled version[3]. The source tree[4] is available |
| 166 |
from http://www.wohmart.com/ircd/pub/irc_tools/rsa/winrespond-src.tar.gz. |
| 167 |
A binary distribution is available from |
| 168 |
http://www.wohmart.com/ircd/pub/irc_tools/rsa/winrespond-bin.tar.gz. |
| 169 |
|
| 170 |
With the appropriate version of the RSA Respond tool, any operator can |
| 171 |
protect their privileged access to the server, with little additional |
| 172 |
effort over using standard operator passwords. |
| 173 |
|
| 174 |
---------------------------------------------------------------------- |
| 175 |
|
| 176 |
Benefits |
| 177 |
|
| 178 |
The greatest benefit of using the challenge/response system is that there |
| 179 |
are no passwords sent over the network in plaintext. There are also no |
| 180 |
credentials left on the server side, as only public keys are kept in the |
| 181 |
conf. The use of public/private key encryption provides far greater |
| 182 |
security over having a single password, and may (if the key is kept |
| 183 |
secure, and has a good passphrase) virtually eliminate hacked O-lines. |
| 184 |
|
| 185 |
---------------------------------------------------------------------- |
| 186 |
|
| 187 |
A. Numerics |
| 188 |
|
| 189 |
:server 381 user :You have entered... the Twilight Zone!. |
| 190 |
:server 386 user :challenge-text |
| 191 |
:server 464 user :Password Incorrect |
| 192 |
:server 491 user :Only few of mere mortals may try to enter the twilight zone |
| 193 |
|
| 194 |
|
| 195 |
Note: The text used can be changed by the server administrator. |
| 196 |
|
| 197 |
---------------------------------------------------------------------- |
| 198 |
|
| 199 |
B. Scripting |
| 200 |
|
| 201 |
The following script is for EPIC 4 only. It was written by Greg Prosser, |
| 202 |
xyst <gregp@blackened.net>. |
| 203 |
|
| 204 |
Please note that passphrase protected keys cannot be used in conjunction |
| 205 |
with this script. |
| 206 |
|
| 207 |
The script is called challenge.irc and sits in contrib/. Please review |
| 208 |
it for more details. |
| 209 |
|
| 210 |
---------------------------------------------------------------------- |
| 211 |
|
| 212 |
Notes |
| 213 |
|
| 214 |
[1] Some platforms may require Makefile changes in order to link in the |
| 215 |
OpenSSL library. This may change in the future. |
| 216 |
[2] Platforms known to function include: Linux, FreeBSD, Solaris, and |
| 217 |
Cygwin. |
| 218 |
[3] A screenshot of the program is available on |
| 219 |
http://www.wohmart.com/ircd/pub/irc_tools/rsa/winrespond.png . |
| 220 |
[4] The winrespond source depends on a working, up to date, Cygwin |
| 221 |
installation. |
