Feeding the Cloud: pages tagged irssi
https://feeding.cloud.geek.nz/tags/irssi/

TLS Authentication on Freenode and OFTC
https://feeding.cloud.geek.nz/posts/tls_authentication_freenode_and_oftc/
<a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>
Updated: 2021-06-11T20:43:57Z; published: 2017-09-09T04:50:00Z
<p>In order to easily authenticate with IRC networks such as
<a href="https://www.oftc.net/NickServ/CertFP/">OFTC</a> and
<a href="https://freenode.net/kb/answer/certfp">Freenode</a>, it is possible to use
<em>client TLS certificates</em> (also known as <em>SSL certificates</em>). In fact, it
turns out that it's very easy to set up both on <a href="https://irssi.org/">irssi</a>
and on <a href="https://wiki.znc.in/">znc</a>.</p>
<h1 id="Generate_your_TLS_certificate">Generate your TLS certificate</h1>
<p>On a machine with <a href="http://altusmetrum.org/ChaosKey/">good entropy</a>, run the
following command to create a keypair and self-signed certificate that will last for 10 years:</p>
<pre><code>openssl req -nodes -newkey rsa:2048 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=&lt;your nick&gt;"
</code></pre>
<p>Then extract your certificate fingerprint using this command:</p>
<pre><code>openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g'
</code></pre>
<h1 id="Share_your_fingerprints_with_NickServ">Share your fingerprints with NickServ</h1>
<p>On each IRC network, do this:</p>
<pre><code>/msg NickServ IDENTIFY Password1!
/msg NickServ CERT ADD &lt;your fingerprint&gt;
</code></pre>
<p>in order to add your fingerprint to the access control list.</p>
<h1 id="Configure_ZNC">Configure ZNC</h1>
<p>To configure znc, start by putting the key in the right place:</p>
<pre><code>cp user.pem ~/.znc/users/&lt;your nick&gt;/networks/oftc/moddata/cert/
</code></pre>
<p>and then enable the built-in <a href="https://wiki.znc.in/Cert">cert plugin</a> for
each network in <code>~/.znc/configs/znc.conf</code>:</p>
<pre><code>&lt;Network oftc&gt;
    ...
    LoadModule = cert
    ...
&lt;/Network&gt;
&lt;Network freenode&gt;
    ...
    LoadModule = cert
    ...
&lt;/Network&gt;
</code></pre>
<h1 id="Configure_irssi">Configure irssi</h1>
<p>For irssi, do the same thing but put the cert in <code>~/.irssi/user.pem</code> and
then change the OFTC entry in <code>~/.irssi/config</code> to look like this:</p>
<pre><code>{
  address = "irc.oftc.net";
  chatnet = "OFTC";
  port = "6697";
  use_tls = "yes";
  tls_cert = "~/.irssi/user.pem";
  tls_verify = "yes";
  autoconnect = "yes";
}
</code></pre>
<p>and the Freenode one to look like this:</p>
<pre><code>{
  address = "chat.freenode.net";
  chatnet = "Freenode";
  port = "7000";
  use_tls = "yes";
  tls_cert = "~/.irssi/user.pem";
  tls_verify = "yes";
  autoconnect = "yes";
}
</code></pre>
<p>That's it. That's all you need to replace password authentication with a
much stronger alternative.</p>
Hiding network disconnections using an IRC bouncer
https://feeding.cloud.geek.nz/posts/hiding-network-disconnections-using-irc-bouncer/
<a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>
Updated: 2021-06-11T20:43:57Z; published: 2014-11-26T10:30:00Z
<p>A <a href="https://en.wikipedia.org/wiki/IRC_bouncer">bouncer</a> can be a useful tool
if you rely on <a href="https://en.wikipedia.org/wiki/Internet_Relay_Chat">IRC</a> for
team communication and instant messaging. The most common use of such a
server is to be permanently connected to IRC and to buffer messages while
your client is disconnected.</p>
<p>However, that's not what got me interested in this tool. I'm not looking for
another place where messages accumulate and wait to be processed
later. I'm much happier if people email me when I'm not around.</p>
<p>Instead, I wanted to do to <a href="http://irssi.org/">irssi</a> what
<a href="https://mosh.mit.edu">mosh</a> did to
<a href="https://en.wikipedia.org/wiki/Secure_Shell">ssh</a> clients: transparently
handle and hide temporary disconnections. Here's how I set everything up.</p>
<h2 id="Server_setup">Server setup</h2>
<p>The first step is to install <a href="http://wiki.znc.in/ZNC">znc</a>:</p>
<pre><code>apt-get install znc
</code></pre>
<p>Make sure you get the 1.0 series (in <strong>jessie or trusty</strong>, not wheezy
or precise) since it has much better <a href="http://wiki.znc.in/FAQ#Networks">multi-network support</a>.</p>
<p>Then, generate a Let's Encrypt TLS certificate for it:</p>
<pre><code>apt install certbot
certbot certonly -d irc.example.com --standalone
</code></pre>
<p>Then install the certificate in the right place:</p>
<pre><code>mkdir ~/.znc
cat /etc/letsencrypt/live/irc.example.com/privkey.pem /etc/letsencrypt/live/irc.example.com/fullchain.pem > ~/.znc/znc.pem
</code></pre>
<p>Once that's done, you're ready to create a config file for znc using the
<code>znc --makeconf</code> command, again as the same non-root user:</p>
<ul>
<li>create separate znc users if you have separate nicks on different networks</li>
<li>use your <em>nickserv password</em> as the <em>server password</em> for each network</li>
<li>enable ssl</li>
<li>say no to the <code>chansaver</code> and <code>nickserv</code> plugins</li>
</ul>
<p>Finally, open the IRC port (TCP port 6697 by default) in your firewall:</p>
<pre><code>iptables -A INPUT -p tcp --dport 6697 -j ACCEPT
</code></pre>
<h2 id="Client_setup_.28irssi.29">Client setup (irssi)</h2>
<p>On the client side, the <a href="http://wiki.znc.in/Category:Clients">official
documentation</a> covers a number of IRC
clients, but the <a href="http://wiki.znc.in/Irssi">irssi page</a> was quite sparse.</p>
<p>Here's what I used for the two networks I connect to (<code>irc.oftc.net</code>
and <code>irc.mozilla.org</code>):</p>
<pre><code>servers = (
  {
    address = "irc.example.com";
    chatnet = "OFTC";
    password = "fmarier/oftc:Passw0rd1!";
    port = "6697";
    use_ssl = "yes";
    ssl_verify = "yes";
  },
  {
    address = "irc.example.com";
    chatnet = "Mozilla";
    password = "francois/mozilla:Passw0rd1!";
    port = "6697";
    use_ssl = "yes";
    ssl_verify = "yes";
  }
);
</code></pre>
<p>Make sure that you're no longer authenticating with the <code>nickserv</code> from
within irssi. That's znc's job now.</p>
<h2 id="Wrapper_scripts">Wrapper scripts</h2>
<p>So far, this is a pretty standard znc+irssi setup. What makes it work with
my workflow is the <a href="https://github.com/fmarier/user-scripts/blob/master/irc">wrapper
script</a>
I wrote to <a href="https://github.com/fmarier/user-scripts/blob/master/znc-on">enable
znc</a>
before starting irssi and then <a href="https://github.com/fmarier/user-scripts/blob/master/znc-off">prompt to turn it
off</a>
after exiting:</p>
<pre><code>#!/bin/bash
ssh irc.example.com "pgrep znc || znc"
irssi
read -p "Terminate the bouncer? [y/N] " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]
then
    ssh irc.example.com killall -sSIGINT znc
fi
</code></pre>
<p>Now, instead of typing <code>irssi</code> to start my IRC client, I use <code>irc</code>.</p>
<p>If I'm exiting irssi before commuting or because I need to reboot for a
kernel update, I keep the bouncer running. At the end of the day, I say yes
to killing the bouncer. That way, I don't have a backlog to go through when
I wake up the next day.</p>