#79 Passthrough user's login password

closed
nobody
Engine (16)
5
2010-09-29
2010-06-13
Christian Bauer
No

My IRC server requires authentication with the IRC PASS operation, which works fine if I provide my password in cleartext in znc.conf:

<User...>
Server = myserver.local 6667 secret
</User>

This is the same password I use to connect to ZNC, which is stored in znc.conf as well but hashed. Ideally, I'd like to get rid of the cleartext password here. I think ZNC should be able to simply use the connecting user's password when ZNC itself connects to the server.

If that means that we can only log in to the target IRC server when a user connects to ZNC (because only then will the cleartext password be available), that is probably fine. ZNC doesn't have to connect on startup; it can delay the initial outgoing connection until the first incoming client connection is made.

If ZNC is a proxy then it is probably safe to assume that both a connection to ZNC _as well_ as to the target server requires authentication. That authentication should occur at the same time so cleartext passwords do not have to be stored permanently.

Discussion

    • summary: Passthrough users's login password --> Passthrough users' login password
     
    • summary: Passthrough users' login password --> Passthrough user's login password
     
  • Might be possible as a module, I'll look into this.

    btw: nice summary tinkery :P

    psychon
    who is just too lazy to log in

     
  • Hi,

    dunno how much C++ you know, but here is my try at this.
    Attached is (or rather will hopefully be...) a global module. It has to be a global module or else it can't intercept the user's login password. For making this work, set the server password of all the users you are interested in to __PASS_THROUGH__, this will make the module pick them up.

    I doubt this module will make it into an official release. :/
    It's ugly and contains races. When two clients connect to the same znc user and one of them sends a wrong password (and thus his login fails), it's not exactly clear whether the module will work. Also, if you use auth modules like e.g. imapauth, this module is some Russian roulette, too.

    psychon

     
  • Psychon
    2010-06-13

     
    Attachments
  • (gdb) run -f -D --datadir=/dlh/native/znc.confd
    Starting program: /Users/cb/work/server/native/znc/bin/znc -f -D --datadir=/dlh/native/znc.confd
    Reading symbols for shared libraries .++++.. done
    [ ok ] Opening Config [/dlh/native/znc.confd/configs/znc.conf]...
    [ ok ] Binding to port [+6667] using ipv4...
    [ ** ] Loading user [cb]
    [ ] Loading Module [colloquy]... Reading symbols for shared libraries . done
    [ ok ]native/znc.confd/modules/colloquy.so]
    [ ok ] Adding Server [localhost 6668 __PASS_THROUGH__]...
    [ ** ] Loading user [myuser]
    [ ok ] Loading Module [colloquy]... [/dlh/native/znc.confd/modules/colloquy.so]
    [ ] Loading Global Module [passthrough_auth]... Reading symbols for shared libraries . done
    [ ok ]native/znc/lib/znc/passthrough_auth.so]
    [ ** ] Staying open for debugging [pid: 682]
    [ ok ] Writing pid file [/dlh/run/znc.pid]...
    [ ** ] ZNC 0.090 - http://znc.sourceforge.net
    Connecting user [cb]
    User [cb] is connecting to [localhost 6668] ...
    Some module aborted the connection attempt
    (cb) ZNC -> IRC [QUIT :Quit.]

    [Connection from client follows...]

    _LISTENER == ConnectionFrom(77.57.177.178, 49476) [Allowed]
    There are [0] clients from [77.57.177.178]
    _LISTENER == ConnectionFrom(77.57.177.178, 49473) [Allowed]
    There are [1] clients from [77.57.177.178]
    (77.57.177.178) CLI -> ZNC [PASS mysecret]
    (77.57.177.178) CLI -> ZNC [PASS mysecret]
    (77.57.177.178) CLI -> ZNC [NICK myuser]
    (77.57.177.178) CLI -> ZNC [USER myuser 0 * :Christian Bauer]

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000010
    0x00007fff803219bf in std::string::compare ()
    (gdb) bt
    #0 0x00007fff803219bf in std::string::compare ()
    #1 0x00000001001ab08a in CPassthroughMod::OnLoginAttempt ()
    #2 0x000000010008bcd3 in CGlobalModules::OnLoginAttempt ()
    #3 0x00000001000188af in CZNC::AuthUser ()
    #4 0x0000000100065f0f in CClient::AuthUser ()
    #5 0x000000010006ba68 in CClient::ReadLine ()
    #6 0x00000001000129fa in Csock::PushBuff ()
    #7 0x000000010003ab2e in TSocketManager<CZNCSock>::Loop ()
    #8 0x000000010002f9df in CZNC::Loop ()
    #9 0x0000000100002ef4 in main ()

    It looks like a trivial problem but my C skills are underwhelming.

     
  • Psychon
    2010-06-18

    Whoops, changed line 56 from the first one to the second one:
    if (pServer->GetPass() != PASS)
    if (!pServer || pServer->GetPass() != PASS)

    Dunno if this is the cause, but I don't have any better idea.
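
The null check proposed in the 2010-06-18 comment and the two-client race described earlier in the thread, modelled as an added example that is not part of the thread and is not the attached module's code. All types and function names are hypothetical stand-ins rather than ZNC's API: the login password is held per client connection and only committed to the user once that connection's login has succeeded.

```cpp
// Added illustration: all types and names are hypothetical, not ZNC's API.
#include <iostream>
#include <map>
#include <string>
const std::string kMarker = "__PASS_THROUGH__";  // marker value from the thread

struct Server { std::string host; std::string pass; };
struct User { std::string name; const Server* current; };  // current may be null

// Guarded check: test the pointer first, so a user with no server is skipped
// instead of dereferencing null.
bool wants_passthrough(const User& u) {
    return u.current != nullptr && u.current->pass == kMarker;
}

class PassthroughStore {
    std::map<int, std::string> pending_;           // per client connection id
    std::map<std::string, std::string> accepted_;  // per user, verified only
public:
    // A client sent PASS: hold it for that connection, not for the user.
    void on_login_attempt(int conn, const std::string& pw) { pending_[conn] = pw; }
    // Authentication finished for that connection: commit only on success.
    void on_login_result(int conn, const User& u, bool ok) {
        auto it = pending_.find(conn);
        if (it == pending_.end()) return;
        if (ok && wants_passthrough(u)) accepted_[u.name] = it->second;
        pending_.erase(it);  // a failed attempt leaves nothing behind
    }
    // Fills `out` with the password to send upstream; false if none verified.
    bool upstream_pass(const User& u, std::string& out) const {
        if (!wants_passthrough(u)) return false;
        auto it = accepted_.find(u.name);
        if (it == accepted_.end()) return false;
        out = it->second;
        return true;
    }
};

int main() {
    Server srv = {"localhost", kMarker};  // constructed sample data
    User user = {"myuser", &srv};
    PassthroughStore store;
    store.on_login_attempt(1, "mysecret");
    store.on_login_attempt(2, "wrong");
    store.on_login_result(2, user, false);  // bad login must not win the race
    store.on_login_result(1, user, true);
    std::string pw;
    std::cout << (store.upstream_pass(user, pw) ? "upstream PASS ready" : "no password") << "\n";
}
```

The cleartext password still lives in process memory for as long as the proxy runs; what this removes is the copy stored in the configuration file.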

     
  • Psychon
    2010-08-16

    • status: open --> pending
     
    • status: pending --> closed
     
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).