/[svn]/ircd-hybrid-8/doc/challenge.txt
ViewVC logotype

Contents of /ircd-hybrid-8/doc/challenge.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1336 - (show annotations)
Sun Apr 1 18:23:29 2012 UTC (8 years, 5 months ago) by michael
File MIME type: text/plain
File size: 9592 byte(s)
- Update documents, remove outdated ones

1 Oper Challenge and Response System
2
3 $Id$
4
5 Copyright (c) 2001-2012 by ircd-hybrid team
6
7 ----------------------------------------------------------------------
8
9 ircd-hybrid
10
11 In an effort to reduce the damage caused to a network by a hacked O-line,
12 Hybrid supports an OpenSSL based challenge-response system. This new
13 system allows the admin to remove all oper block passwords from the conf
14 file. Authentication is done through a public/private key.
15
16 ----------------------------------------------------------------------
17
18 Requirements
19
20 The ircd must be compiled with the --enable-openssl option to configure.
21 If configure detects a working openssl library, --enable-openssl is
22 implicitly enabled.
23
24 oper {} blocks should not have normal passwords, but should contain the
25 the name of the private key file. However it is possible for the user to
26 use both challenge and normal passwords, but this would defeat the purpose
27 of the challenge system.
28
29 m_challenge.la must be loaded.
30
31 The oper has their private key file and an implementation of the RSA
32 Respond tool available to be run.
33
34 ----------------------------------------------------------------------
35
36 Process
37
38 Each oper should have a private key file and a public key file. The keys
39 can be generated with the mkkeypair utility provided in tools/.
40
41 The oper keeps their private key file in a safe place, and gives their
42 public key file to their admin(s).
43
44 The admin will place an entry for the public key file into a field called
45 rsa_public_key_file of each oper's oper {} block in the conf file.
46
47 The oper wishes to obtain their operator status, and issues the CHALLENGE
48 command.
49
50 The server will print out a long hexadecimal string, that needs to be fed
51 to the respond utility provided in tools/rsa_respond.
52
53 The respond program will generate an answer that is fed back to the
54 CHALLENGE command.
55
56 ----------------------------------------------------------------------
57
58 Generating the Key Files
59
60 The keys can be generated with the openssl command as follows:
61
62 openssl genrsa -des3(1) -out rsa.key 1024(2)
63 openssl rsa -in rsa.key -pubout -out rsa.pub
64
65
66 (1)
67 The -des3 must be included in order to create a key with a
68 passphrase. Omitting this option will create a non protected key.
69 (2)
70 The key size must be 1024 or below. The challenge sent for a
71 longer keysize will be too long to fit into the ircd's 512 byte
72 line constraint.
73
74 It is highly recommended that you set a password on your private key.
75
76 The tools/mkkeypair utility cannot be used to create a key suitable for
77 use in CHALLENGE.
78
79 ----------------------------------------------------------------------
80
81 Using CHALLENGE and respond
82
83 Note: All examples assume the use of the stock respond client included
84 with the ircd-hybrid-8 source, run on a UNIX(c) platform.
85
86 The administrator of the server you oper on should remove the password in
87 your oper {} block and replace it with an entry for your public key, so
88 that /oper will be disabled.
89
90 Note: The public key is a VERY long string.
91
92 The oper will issue /challenge oper_nick, and see something like below:
93
94 *** 56F1FDAE4C590C524CF758917E62C2A2A1376CB9C4C2E7D411BB0AD9C4A
95 605A2D05A94E7254197E9D71438B5FB565B6FD35465E462305F35F4A2D45311
96 F983B3E062F635912FA155B4B1E18EAA782CC107F4C9DA83092658D16A2E88A
97 6BCF9820F5A044A29CDD4C062F05BF509CA3B561375CBC4179BD1CF6026BDE9
98 60E52C6B
99
100 Note: The challenge is all on one line.
101
102 Note: With some clients, the oper will have to issue /quote CHALLENGE
103 instead of /challenge.
104
105 The oper will then have to feed that challenge to the respond program.
106
107 +------------------------------------------------------------------+
108 | The respond utility's syntax is: |
109 | |
110 |$ ./respond private_key_file challenge_from_server |
111 | |
112 | |
113 | Example: |
114 | |
115 |wcampbel@botbay (rsa_respond): ./respond hwy.key \ |
116 |56F1FDAE4C590C524CF758917E62C2A2A1376CB9C4C2E7D411BB0AD9C4A605A2D0|
117 |5A94E7254197E9D71438B5FB565B6FD35465E462305F35F4A2D45311F983B3E062|
118 |F635912FA155B4B1E18EAA782CC107F4C9DA83092658D16A2E88A6BCF9820F5A04|
119 |4A29CDD4C062F05BF509CA3B561375CBC4179BD1CF6026BDE960E52C6B |
120 |Keyphrase: |
121 |6B882932DD00F86123869E401F7334B9B0D0018A60F1DE244E90E47246AA87C7 |
122 | |
123 | Note: The challenge parameter must be on one line. |
124 +------------------------------------------------------------------+
125
126 The keyphrase must be entered properly to get the response. The bottom
127 line is the response that must be sent back to the server.
128
129 The oper will issue the following command in order to obtain operator
130 status:
131
132 /challenge
133 +6B882932DD00F86123869E401F7334B9B0D0018A60F1DE244E90E47246AA87C7
134
135 Note: The '+' is needed
136
137 If successful, the oper will obtain operator status on the server.
138
139 +------------------------------------------------------------------------+
140 | Warning |
141 |------------------------------------------------------------------------|
142 | If the CHALLENGE fails, and you use ircII, EPIC, or BX, you may get |
143 | disconnected with the client asking for the server password. This is a |
144 | client bug, not an ircd bug. |
145 +------------------------------------------------------------------------+
146
147 ----------------------------------------------------------------------
148
149 RSA Respond Tool
150
151 The RSA Respond tool is a vital part of challenge/response system. In
152 order to function, the operator must have must have a way to quickly issue
153 the respond command, and to copy and paste data to and from the IRC
154 client.
155
156 The respond source code is included with the ircd-hybrid source, in the
157 tools/rsa_respond directory.
158
159 A copy of the source tar file is available on
160 http://www.wohmart.com/ircd/pub/irc_tools/rsa/rsa_respond-src-hyb7.tar.gz
161
162 For Windows platforms, there are two available RSA Respond tools. One is a
163 text only port of the stock tool. The binary is available from
164 http://www.wohmart.com/ircd/pub/irc_tools/rsa/rsa_respond-bin.tar.gz.
165 The other tool is a GUI enabled version[3]. The source tree[4] is available
166 from http://www.wohmart.com/ircd/pub/irc_tools/rsa/winrespond-src.tar.gz.
167 A binary distribution is available from
168 http://www.wohmart.com/ircd/pub/irc_tools/rsa/winrespond-bin.tar.gz.
169
170 With the appropriate version of the RSA Respond tool, any operator can
171 protect their privileged access to the server, with little additional
172 effort over using standard operator passwords.
173
174 ----------------------------------------------------------------------
175
176 Benefits
177
178 The greatest benefit of using the challenge/response system is that there
179 are no passwords sent over the network in plaintext. There are also no
180 credentials left on the server side, as only public keys are kept in the
181 conf. The use of public/private key encryption provides far greater
182 security over having a single password, and may (if the key is kept
183 secure, and has a good passphrase) virtually eliminate hacked O-lines.
184
185 ----------------------------------------------------------------------
186
187 A. Numerics
188
189 :server 381 user :You have entered... the Twilight Zone!.
190 :server 386 user :challenge-text
191 :server 464 user :Password Incorrect
192 :server 491 user :Only few of mere mortals may try to enter the twilight zone
193
194
195 Note: The text used can be changed by the server administrator.
196
197 ----------------------------------------------------------------------
198
199 B. Scripting
200
201 The following script is for EPIC 4 only. It was written by Greg Prosser,
202 xyst <gregp@blackened.net>.
203
204 Please note that passphrase protected keys cannot be used in conjunction
205 with this script.
206
207 The script is called challenge.irc and sits in contrib/. Please review
208 it for more details.
209
210 ----------------------------------------------------------------------
211
212 Notes
213
214 [1] Some platforms may require Makefile changes in order to link in the
215 OpenSSL library. This may change in the future.
216 [2] Platforms known to function include: Linux, FreeBSD, Solaris, and
217 Cygwin.
218 [3] A screenshot of the program is available on
219 http://www.wohmart.com/ircd/pub/irc_tools/rsa/winrespond.png .
220 [4] The winrespond source depends on a working, up to date, Cygwin
221 installation.

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28