[hybrid] password ignored?

Egbert Jan van den Bussche egbert at vandenbussche.nl
Thu Nov 17 09:08:12 EST 2011


Op 17-11-2011 12:01, martin at pola.org schreef:
> Hi,
> 
> Can you give us your class{} and auth{} blocks, in the same order as
> they appear in ircd.conf?
> 
> - Martin
> 
> 
> On Thu, 17 Nov 2011 10:54:24 +0100, Egbert Jan van den Bussche wrote:
>> Hi, first post here. I'm playing with ircd-hybrid on a 10.04 LTS server
>> for internal use by the sysops who are using mostly ChatZilla from home.
>>
>> The ircd version is 7.2.2 installed from source because we want to use
>> SSL/TLS sessions. That seems not to be enabled in the standard package in
>> the Ubuntu repo. On top of that we would like to have passwords enforced.
>>
>> I kept the config mostly standard and just added the sysop users in the
>> first "auth" block. This block seems to place the authorized users in
>> "opers" class. When I place a line "password =" in this auth block, I
>> would expect that the user has to give the password. Not. He can login
>> as before and does not need to give a password.
>>
>> When I login as an unknown user (and thus go thru the third auth block),
>> the password IS enforced when I place a password line in there.
>>
>> Is this normal behaviour? The doc (well.. what I could find and what is
>> in the examples) does not help too much.
>>
>> Thanks for any advice!
>> Egbert Jan, NL
> 

The config is the config that was installed. Order is not changed. /oper
functions fine for my account.

Here we go...

/* class {}: contain information about classes for users (OLD Y:) */
class {
        /* name: the name of the class.  classes are text now
         * ("users" is the class assigned by the catch-all auth {} block,
         * user = "*@*", further down in this file)
         */
        name = "users";

        /* ping time: how often a client must reply to a PING from the
         * server before they are dropped.
         */
        ping_time = 2 minutes;

        /* number per ip: the number of users per host
         * allowed to connect
         */
        number_per_ip = 2;

        /* max number: the maximum number of users allowed
         * in this class
         */
        max_number = 100;

        /* sendq: the amount of data allowed in a client's queue before
         * they are dropped.
         */
        sendq = 100 kbytes;
};

/* Tighter class: shorter ping interval, one connection per host and a
 * smaller send queue than "users".  None of the auth {} or operator {}
 * blocks shown in this excerpt assigns clients to it.
 */
class {
        name = "restricted";
        /* how often a client must answer a PING before being dropped */
        ping_time = 1 minute 30 seconds;
        /* number of users per host allowed to connect */
        number_per_ip = 1;
        /* maximum number of users allowed in this class */
        max_number = 100;
        /* amount of data allowed in a client's queue before it is dropped */
        sendq = 60kb;
};

/* Class referenced by the first auth {} block and by the operator {}
 * block below.  Because the first auth {} block selects clients by
 * hostmask, these limits apply to everyone who matches one of its masks,
 * not only to users who have issued /oper.
 */
class {
        name = "opers";
        /* how often a client must answer a PING before being dropped */
        ping_time = 5 minutes;
        /* number of users per host allowed to connect (five times the
         * limit of the "users" class)
         */
        number_per_ip = 10;
        /* maximum number of users allowed in this class */
        max_number = 100;
        /* amount of data allowed in a client's queue before it is dropped */
        sendq = 100kbytes;
};

/* Class for server links; no block in this excerpt refers to it. */
class {
        name = "server";
        /* how often the peer must answer a PING before being dropped */
        ping_time = 5 minutes;

        /* connectfreq: only used in server classes.
         * specifies the delay
         * between autoconnecting to servers.
         */
        connectfreq = 5 minutes;

        /* max number: the amount of servers to autoconnect to */
        max_number = 1;

        /* sendq: servers need a higher sendq as they send more data */
        sendq=2 megabytes;
};

/* auth {}: allow users to connect to the ircd (OLD I:) */
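auth {
        /*
         * user: the user at host allowed to connect.  multiple IPv4/IPv6 user
         * lines are permitted per auth block.
         *
         * NOTE(review): " at " in the first two masks is presumably the
         * list archive's rewriting of "@"; the live config needs the
         * user@host form.
         */
        user = "*egbert at vandenbussche.xs4all.nl"; # egbert
        user = "*chatzill at 188.142.56.12"; # Bas
        /*
         * Terminating ';' added: the line as posted had none, unlike every
         * other statement in this file.  Check the live ircd.conf for the
         * same omission and the server log for parse errors on rehash.
         *
         * NOTE(review): this mask matches any ident on any host under
         * ziggo.nl, so every client connecting from that domain is
         * handled by this block and receives the class and exemption
         * flags below.  Narrow it to the specific host where possible.
         */
        user = "*@*.ziggo.nl"; # Hans

        /*
         * password: an optional password that is required to use this
         * block. Seems not to work. Tried crypt too.
         *
         * NOTE(review): as posted, this line and "encrypted" below are
         * commented out with '#', so the block defines no password and a
         * client matching one of the masks above is admitted to class
         * "opers" on hostmask alone.  The value shown also lacks the
         * $1$<salt>$<hash> shape of an MD5 crypt string (presumably
         * scrambled for posting).  When re-enabling, generate a fresh hash
         * and keep "encrypted" consistent with how the value is stored.
         */
        #password = "$1fgfgfvgjhkjhk0S2h0$wAWQCGWEZrY1pmE03sM06/";

        /*
         * encrypted: controls whether the auth password above has been
         * encrypted. Tried on and off
         */
        #encrypted = yes;

        /*
         * spoof: fake the users host to this.  This is free-form,
         * just do everyone a favor and don't abuse it.
         * ('=' prefix on /stats I)
         */
        #spoof = "I.still.hate.packets";

        /* class: the class the user is placed in */
        class = "opers";

        /*
         * need_password: don't allow users who haven't supplied
         *                the correct
         *                password to connect using another auth{} block
         *                ('&' prefix on /stats I if disabled)
         * need_ident:    require the user to have identd to connect
         *                ('+' prefix on /stats I)
         * spoof_notice:  enable spoofing notification to admins
         * exceed_limit:  allow a user to exceed class limits
         *                ('>' prefix on /stats I)
         * kline_exempt:  exempt this user from k/glines ('^' prefix on
         *                /stats I)
         * gline_exempt:  exempt this user from glines ('_' prefix
         *                on /stats I)
         * resv_exempt:   exempt this user from resvs ('$' prefix on
         *                /stats I)
         * no_tilde:      remove ~ from a user with no ident ('-'
         *                prefix on /stats I)
         * can_flood:     allow this user to exceed flood limits ('|'
         *                prefix on /stats I)
         * can_idle:      exempt this user from idle restrictions ('<'
         *                prefix on /stats I)
         *
         * NOTE(review): need_password is listed, but with the password
         * line commented out there is nothing for it to compare against
         * -- presumably it has no effect until a password is active;
         * confirm against the server documentation.  need_ident is
         * negated (~), so identd is not required either: the ban, limit
         * and flood exemptions below are granted on hostmask match only.
         */
        flags = need_password, ~need_ident, spoof_notice, exceed_limit,
                kline_exempt, gline_exempt, resv_exempt, no_tilde,
                can_flood, can_idle;
};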

#auth {
#       /*
#        *redirect: the server and port to redirect a user to.  A user does
#        * not have to obey the redirection, the ircd just suggests to them
#        * an alternative server.
#        */
#       redirserv = "irc.at.the.edge.of.earth";
#       redirport = 6667;
#
#       /* hostmask user has to match to receive redirection */
#       user = "*.on.mars";
#
#       /* class: a class is required even though it is not used */
#       class = "users";
#};

auth {
        /*
         * all other logins here. A password is mandatory
         *
         * Catch-all block: "*@*" matches every client that was not
         * handled by an earlier auth {} block.
         */
        user = "*@*";
        class = "users";

        /* restricted: stop the client sending mode changes */
        #restricted = yes;

        /* password: an optional password that is required to use this
         * block
         *
         * NOTE(review): there is no "encrypted" line in this block and the
         * value is not a crypt string, so this looks like a plaintext
         * password shared by every client matching "*@*" -- confirm the
         * default for "encrypted" and prefer a hashed value.
         */
        password = "secret-password";

        /* have ident: require the user has identd to connect (OLD I: +
         * flag) */
        need_ident = no;
};

/* operator {}: defines ircd operators. (OLD O:)
 * ircd-hybrid no longer supports local operators, privileges are
 * controlled via flags.
 */
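operator {
        /* name: the name of the oper */
        name = "egbert";

        /* user: the user at host required for this operator.  CIDR is not
         * supported.  multiple user="" lines are supported.
         *
         * The comment terminator below was missing in the posted text,
         * which left the user line inside this comment until the end of
         * the password comment; as posted the block therefore had no
         * active user line.  " at " is presumably the list archive's
         * rewriting of "@".
         */
        user = "egbert at vandenbussche.xs4all.nl"; # Egbert

        /* password: the password required to oper.  By default this
         * will
         * need to be encrypted using '/usr/bin/mkpasswd'.
         * WARNING: Please do not mix up the 'mkpasswd' program from
         * /usr/sbin with this one. If you are root, typing 'mkpasswd'
         * will run that one instead and you will receive a strange
         * error.
         *
         * MD5 is supported. If you want to use it, use mkpasswd -Hmd5.
         *
         * NOTE(review): the value below has no separate salt and hash
         * fields, so it was presumably altered for posting.  An oper hash
         * that has appeared on a public list should be replaced, or the
         * rsa_public_key_file (Challenge) option below used instead of a
         * password.
         */
        password = "$1$v2QCGWEZrY1pmE03sM06/";

        /* rsa key: the public key for this oper when using Challenge.
         * A password should not be defined when this is used, see
         * doc/challenge.txt for more information.
         */
        #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";

        /* class: the class the oper joins when they successfully /oper */
        class = "opers";

        /* privileges: controls the activities and commands an oper are
         * allowed to do on the server.  All options default to no.
         * Available options:
         *
         * global_kill:  allows remote users to be /KILL'd (OLD 'O' flag)
         * remote:       allows remote SQUIT and CONNECT   (OLD 'R' flag)
         * kline:        allows KILL, KLINE and DLINE      (OLD 'K' flag)
         * unkline:      allows UNKLINE and UNDLINE        (OLD 'U' flag)
         * gline:        allows GLINE                      (OLD 'G' flag)
         * nick_changes: allows oper to see nickchanges    (OLD 'N' flag)
         *               via usermode +n
         * rehash:       allows oper to REHASH config      (OLD 'H' flag)
         * die:          allows DIE and RESTART            (OLD 'D' flag)
         * admin:        gives admin privileges.  admins
         *               may (un)load modules and see the
         *               real IPs of servers.
         *
         * NOTE(review): every privilege is enabled here, including die
         * and admin; since all options default to no, listing only the
         * ones this oper needs keeps the account's reach smaller.
         */
        global_kill = yes;
        remote = yes;
        kline = yes;
        unkline = yes;
        gline = yes;
        nick_changes = yes;
        rehash = yes;
        die = yes;
        admin = yes;
};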

Thanks
Egbert Jan


