[hybrid] password ignored?
Egbert Jan van den Bussche
egbert at vandenbussche.nl
Thu Nov 17 09:08:12 EST 2011
Op 17-11-2011 12:01, martin at pola.org schreef:
> Hi,
>
> Can you give us your class{} and auth{} blocks, in the same order as
> they appear in ircd.conf?
>
> - Martin
>
>
> On Thu, 17 Nov 2011 10:54:24 +0100, Egbert Jan van den Bussche wrote:
>> Hi, first post here. I'm playing with ircd-hybrid on a 10.04LTS server
>> for internal use by the sysops who are using mostly ChatZilla from home.
>>
>> The ircd version is 7.2.2 installed from source because we want to use
>> SSL/TLS sessions. That seems not enabled in the standard packet in the
>> Ubuntu repo. On top of that we would like to have passwords enforced.
>>
>> I kept the config mostly standard and just added the sysop users in the
>> first "auth" block. This block seems to place the authorized users in
>> "opers" class. When I place a line "password =" in this auth block, I
>> would expect that the user has to give the password. Not. He can login
>> as before and does not need to give a password.
>>
>> When I login as an unknown user (and thus go thru the third auth block),
>> the password IS enforced when I place a password line in there.
>>
>> Is this normal behaviour? The doc (well.. what I could find and what is
>> in the examples) does not help too much.
>>
>> Thanks for any advice!
>> Egbert Jan, NL
>
The config is the config that was installed. Order is not changed. /oper
functions fine for my account.
Here we go...
/* class {}: contain information about classes for users (OLD Y:) */
class {
/* Connection class "users": the catch-all auth{} block (user = "*@*")
* further down places its clients here.
*/
/* name: the name of the class. classes are text now */
name = "users";
/* ping time: how often a client must reply to a PING from the
* server before they are dropped.
*/
ping_time = 2 minutes;
/* number per ip: the number of users per host
* allowed to connect
*/
number_per_ip = 2;
/* max number: the maximum number of users allowed
* in this class
*/
max_number = 100;
/* sendq: the amount of data allowed in a clients queue before
* they are dropped.
*/
sendq = 100 kbytes;
};
class {
/* Connection class "restricted": tighter limits than "users" (one
* connection per IP, shorter ping time, smaller sendq). No auth{} block
* in this excerpt assigns clients to it.
*/
name = "restricted";
ping_time = 1 minute 30 seconds;
number_per_ip = 1;
max_number = 100;
sendq = 60kb;
};
class {
/* Connection class "opers": referenced by the first auth{} block and by
* the operator{} block in this excerpt. Allows 10 connections per IP,
* so every client matched into it gets the looser limits, whether or
* not it has used /oper.
*/
name = "opers";
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 100;
sendq = 100kbytes;
};
class {
/* Connection class "server": settings for server links rather than
* user connections.
*/
name = "server";
ping_time = 5 minutes;
/* connectfreq: only used in server classes.
* specifies the delay
* between autoconnecting to servers.
*/
connectfreq = 5 minutes;
/* max number: the amount of servers to autoconnect to */
max_number = 1;
/* sendq: servers need a higher sendq as they send more data */
sendq=2 megabytes;
};
/* auth {}: allow users to connect to the ircd (OLD I:) */
auth {
/*
* NOTE(review): as pasted, this block has no active password: both the
* "password" and the "encrypted" line below start with '#'. Clients that
* match a user mask here are placed in class "opers" and receive every
* exemption listed in flags without supplying a credential. The mask
* "*@*.ziggo.nl" matches any host under that domain, so the exemptions
* are not limited to one person. Narrow the masks to what each sysop
* actually connects from and re-test with the password line active.
*/
/*
* user: the user at host allowed to connect. multiple IPv4/IPv6 user
* lines are permitted per auth block.
*/
/* NOTE(review): " at " in the masks below is presumably the list
* archive's rewriting of "@"; confirm the live file uses user@host.
*/
user = "*egbert at vandenbussche.xs4all.nl"; # egbert
user = "*chatzill at 188.142.56.12"; # Bas
/* NOTE(review): the next line has no terminating ';' as pasted, unlike
* the two above. Confirm the live file has one; how the parser handles
* the rest of the block after it is not shown here.
*/
user = "*@*.ziggo.nl" # Hans
/*
* password: an optional password that is required to use this
* block. Seems not to work. Tried crypt too.
*/
/* NOTE(review): the commented-out value below is not in the
* $1$<salt>$<hash> layout of an MD5-crypt string; presumably it was
* edited before posting. Regenerate the hash when re-testing rather
* than reusing this text.
*/
#password = "$1fgfgfvgjhkjhk0S2h0$wAWQCGWEZrY1pmE03sM06/";
/*
* encrypted: controls whether the auth password above has been
* encrypted. Tried on and off
*/
#encrypted = yes;
/*
* spoof: fake the users host to this. This is free-form,
* just do everyone a favor and don't abuse it.
* ('=' prefix on /stats I)
*/
#spoof = "I.still.hate.packets";
/* class: the class the user is placed in */
class = "opers";
/*
* need_password: don't allow users who haven't supplied
* the correct
* password to connect using another auth{} block
* ('&' prefix on /stats I if disabled)
* need_ident: require the user to have identd to connect
* ('+' prefix on /stats I)
* spoof_notice: enable spoofing notification to admins
* exceed_limit: allow a user to exceed class limits
* ('>' prefix on /stats I)
* kline_exempt: exempt this user from k/glines ('^' prefix on
* /stats I)
* gline_exempt: exempt this user from glines ('_' prefix
* on /stats I)
* resv_exempt: exempt this user from resvs ('$' prefix on
* /stats I)
* no_tilde: remove ~ from a user with no ident ('-'
* prefix on /stats I)
* can_flood: allow this user to exceed flood limits ('|'
* prefix on /stats I)
* can_idle: exempt this user from idle restrictions ('<'
* prefix on /stats I)
*/
/* NOTE(review): need_password is set while no password is active in
* this block as pasted; what the server does in that combination is
* not shown here. Verify with "/stats I" after a rehash.
*/
flags = need_password, ~need_ident, spoof_notice, exceed_limit,
kline_exempt, gline_exempt, resv_exempt, no_tilde,
can_flood, can_idle;
};
#auth {
# /*
# *redirect: the server and port to redirect a user to. A user does
# * not have to obey the redirection, the ircd just suggests to them
# * an alternative server.
# */
# redirserv = "irc.at.the.edge.of.earth";
# redirport = 6667;
#
# /* hostmask user has to match to receive redirection */
# user = "*.on.mars";
#
# /* class: a class is required even though it is not used */
# class = "users";
#};
auth {
/*
* all other logins here. A password is mandatory
*/
/* NOTE(review): catch-all block. Every client not matched by an earlier
* auth{} block lands here and shares the single password below. The
* value is a readable string and this block has no "encrypted" setting,
* so it appears to be kept in clear in the config file; presumably a
* placeholder in this post. Confirm the file's permissions on the
* server.
*/
user = "*@*";
class = "users";
/* restricted: stop the client sending mode changes */
#restricted = yes;
/* password: an optional password that is required to use this
block */
password = "secret-password";
/* have ident: require the user has identd to connect (OLD I: +
flag) */
/* NOTE(review): the first auth{} block expresses this as "~need_ident"
* inside flags; confirm the standalone "need_ident = no;" form is
* accepted by the running version.
*/
need_ident = no;
};
/* operator {}: defines ircd operators. (OLD O:)
* ircd-hybrid no longer supports local operators, privileges are
* controlled via flags.
*/
operator {
/* name: the name of the oper */
name = "egbert";
/* NOTE(review): as pasted, the comment that starts on the next line has
* no closing marker before the "user =" line, so that line sits inside
* comment text until the close after the mkpasswd note. Possibly an
* artifact of the mail archive; check the live file, because without an
* active user mask the host restriction on this oper is not what the
* text suggests.
*/
/* user: the user at host required for this operator. CIDR is not
* supported. multiple user="" lines are supported.
user = "egbert at vandenbussche.xs4all.nl"; # Egbert
/* password: the password required to oper. By default this
* will
* need to be encrypted using '/usr/bin/mkpasswd'.
* WARNING: Please do not mix up the 'mkpasswd' program from
* /usr/sbin with this one. If you are root, typing 'mkpasswd'
* will run that one instead and you will receive a strange
* error.
*
* MD5 is supported. If you want to use it, use mkpasswd -Hmd5.
*/
/* NOTE(review): the value below is not in the $1$<salt>$<hash> layout
* of an MD5-crypt string, so it was presumably altered before posting.
* MD5-crypt is cheap to guess offline; a real oper hash that has
* appeared on a public list should be replaced. The rsa_public_key_file
* option below removes the stored password altogether.
*/
password = "$1$v2QCGWEZrY1pmE03sM06/";
/* rsa key: the public key for this oper when using Challenge.
* A password should not be defined when this is used, see
* doc/challenge.txt for more information.
*/
#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
/* class: the class the oper joins when they successfully /oper */
class = "opers";
/* privileges: controls the activities and commands an oper are
* allowed to do on the server. All options default to no.
* Available options:
*
* global_kill: allows remote users to be /KILL'd (OLD 'O' flag)
* remote: allows remote SQUIT and CONNECT (OLD 'R' flag)
* kline: allows KILL, KLINE and DLINE (OLD 'K' flag)
* unkline: allows UNKLINE and UNDLINE (OLD 'U' flag)
* gline: allows GLINE (OLD 'G' flag)
* nick_changes: allows oper to see nickchanges (OLD 'N' flag)
* via usermode +n
* rehash: allows oper to REHASH config (OLD 'H' flag)
* die: allows DIE and RESTART (OLD 'D' flag)
* admin: gives admin privileges. admins
* may (un)load modules and see the
* real IPs of servers.
*/
/* NOTE(review): all nine privileges are enabled, including die and
* admin. Anyone who obtains this oper's credential can stop the server
* and load modules; enable only the privileges this account needs.
*/
global_kill = yes;
remote = yes;
kline = yes;
unkline = yes;
gline = yes;
nick_changes = yes;
rehash = yes;
die = yes;
admin = yes;
};
Thanks
Egbert Jan