Using RSA /challenge on Hybrid based IRCDs
The lovely folks on the Hybrid development team hacked together a way of using RSA keys for operator identification. Since I have an interest in crypto/secure communications, this appeals to me. I figured I'd post something because of the way the documents for the project are written - that is, poorly.
The official documentation can be found here.
A note on Chary 1.1 and later versions of Ratbox:
They've decided to change to Base64 encoding and a 2048-bit key, as well as swapping to a custom numeric. Right now you can get the new tools at http://respond.ircd-ratbox.org/ and I'll eventually port this, but I don't want to be the maintainer of any xchat plugins...
Abstract
1 Compile support for OpenSSL
2 Generate keypairs
3 Alter configuration
4 CHALLENGE mechanism
5 Notes
Step 1: OpenSSL
If you're running a nix box without some form of SSL you should be shot. Go build OpenSSL. Now.
Now that you have OpenSSL (or if you already had it like a good server admin), you can compile with SSL support. Most Hybrid derivatives should automatically build the challenge module if OpenSSL is detected on your machine during the configure script. Please note that the configure script (at least on some daemons such as Charybdis) returns incorrect values - that is, it will say the IRCD is built without SSL support when it really is.
To build with OpenSSL either let it detect, or
./configure --enable-openssl
And you should have a module built called m_challenge.so. Put this in your autoload dir (if your IRCD has it), or tell your IRCD to load it manually.
Step 2: Generation of keys
Note: With Ratbox-based IRCDs you can't use cryptlink-compatible keys, i.e. those from mkkeypair in the tools dir of the src.
You need to generate a keypair; obviously the IRCD gets the public key and you keep the private key. There are two methods for generating keys (see note above):
1 - mkkeypair (non Ratbox)
Use mkkeypair, which will automatically generate a 2048-bit keypair.
2 - use OpenSSL to generate keys
openssl genrsa -des3 -out rsa.key 1024
openssl rsa -in rsa.key -pubout -out rsa.pub
This will generate two keys, rsa.key (private) and rsa.pub (public). The -des3 means that you need a passphrase to use the key. Move rsa.pub into a directory that can be accessed by the IRCD user, rename it to something appropriate (say... opername.rsa), and move the private key to wherever you intend to use it from.
Please note: these are indeed valid keypairs, so you can use them for anything else RSA does.
Step 3: ircd.conf
Add the following to your operator block:
rsa_public_key_file = "/path/to/operator.rsa";
while simultaneously commenting out the password directive. This will force key-based authentication. Obviously now is a good time to rehash.
Step 4: operator usage/CHALLENGE
Instead of /oper, you now use /challenge. The initial challenge will spit out a session key at you. You plug this into whichever app you're using (see notes below), and spit back the appropriate response using /challenge +string, where string is whatever your app tells you to paste. THIS MUST BE ONE LINE. A demonstration, just in case:
/quote challenge kog
(server spits out a long stream of characters)
(I go over to winrespond, plug in the response and my key/password)
/quote challenge +asdfasdfasdfasdfadsfasdfsadf
welcome to the twilight zone! blah blah blah
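The round trip above, simulated end to end with the openssl CLI. This is an added example, not code from this page or from Hybrid, Charybdis or ratbox; the padding mode, the base64 encoding of the challenge and the SHA-1 response are assumptions (the real wire format differs between versions), and the passphrase and file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the page or from Hybrid/Charybdis/ratbox. Assumed
# wire format (the real one differs by version): the server RSA-OAEP-encrypts a
# random session key to the operator's public key and sends it as one base64
# line; the operator decrypts it with the passphrase-protected private key and
# answers with the base64 SHA-1 of the recovered key.
set -eu

WORK=$(mktemp -d)
PASS="thisismypassphrase"   # constructed passphrase; the plugin insists on one

# Step 2 of the page: passphrase-protected private key plus its public half,
# the public half named as the page suggests (opername.rsa).
gen_keys() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/rsa.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/rsa.key" -passin "pass:$PASS" -pubout \
        -out "$WORK/opername.rsa" 2>/dev/null
}

# Server side (rsa_public_key_file in the operator block): fresh session key,
# encrypted to the public key, printed as the single-line challenge string.
server_issue_challenge() {
    openssl rand -hex 32 > "$WORK/session.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/opername.rsa" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/session.secret" -out "$WORK/challenge.bin"
    openssl base64 -A -in "$WORK/challenge.bin"
}

# Operator side (what respond/winrespond does with the pasted challenge):
# decrypt with key and passphrase, hash, print the string for "/challenge +".
client_respond() {
    printf '%s' "$1" | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$WORK/rsa.key" -passin "pass:$PASS" \
            -pkeyopt rsa_padding_mode:oaep \
        | openssl dgst -sha1 -binary | openssl base64 -A
}

# Server side again: only an exact match against its own session key passes,
# so a client without the private key (or the passphrase) cannot oper up.
server_verify() {
    expected=$(openssl dgst -sha1 -binary < "$WORK/session.secret" | openssl base64 -A)
    [ "$1" = "$expected" ]
}
# The page's "/quote challenge kog ... /quote challenge +..." exchange, end to end.
gen_keys
challenge=$(server_issue_challenge)
response=$(client_respond "$challenge")
server_verify "$response" && echo "oper up: key-based authentication succeeded"
```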
If you're using Xchat, you can use the scripts I've written. It's just a proof of concept right now, but it works quite nicely:
<load the module>
/challenge passphrase thisismypassphrase
/challenge keyfile /path/to/keyfile
/challenge login opername
You MUST have a passphrase - while it's possible to generate a key without one, my plugin won't deal with those. Certs without passwords should be a no-no. I suppose it IS somewhat better than no cert since the text is still encrypted... You'll have to modify that on your own (and it's rather easy...). Bear in mind that this is a first draft and also my first Xchat plugin, so I still need to figure out a way to use dialogs and store values (such as the key location per network).
Files
Notes
Windows users: there's a lovely app called "winrespond" available here, along with ratbox- and non-ratbox-compatible respond tools for nix and some basic scripts.