|
7 | 7 | | - Germany | <ircs://irc.de.hackint.org:6697> | |
8 | 8 | | - Netherlands | <ircs://irc.nl.hackint.org:6697> | |
9 | 9 |
|
10 | | -We would like to encourage you to authenticate via one of the following schemes: |
| 10 | +## Authentication |
| 11 | + |
| 12 | +We would like to encourage you to authenticate via [SASL], so you will |
| 13 | +already be authenticated before your client tries to join channels, |
| 14 | +which results in a smoother connection setup. |
11 | 15 |
|
12 | 16 | - password based (*easy*) |
13 | | - - SASL PLAIN |
14 | | -- certificate based (*moderately difficult*) |
15 | | - - SASL ECDSA-NIST256P |
16 | | - - SASL EXTERNAL |
| 17 | + - [SASL PLAIN] |
| 18 | +- certificate based (*moderately difficult*) |
| 19 | + - SASL ECDSA-NIST256P-CHALLENGE (atheme-specific) |
| 20 | + - [SASL EXTERNAL] |
17 | 21 | - CertFP |
18 | 22 |
|
19 | | -We're currently using SHA256 fingerprints for SASL External and CertFP. |
| 23 | +### Certificate Fingerprint (SASL External, CertFP) |
20 | 24 |
|
21 | | -Enrolling your fingerprint is just a matter of calling: |
| 25 | +To enroll the fingerprint of the certificate you are currently connected |
| 26 | +with call: |
22 | 27 |
|
23 | 28 | ``` |
24 | 29 | /msg NickServ cert add |
25 | 30 | ``` |
26 | 31 |
|
27 | | -This will automatically configure the fingerprint of the client |
28 | | -certificate you are currently connected with. You will now |
29 | | -automatically be identified by NickServ on every connect, when |
30 | | -you present your client certificate. |
| 32 | +Presenting the client certificate on connect will subsequently |
| 33 | +authenticate you against services. |
| 34 | + |
| 35 | +We're currently using SHA256 fingerprints for SASL External and CertFP. |
| 36 | + |
| 37 | +### Public Key (ECDSA-NIST256P-CHALLENGE) |
| 38 | + |
| 39 | +If you are planning to use ECDSA-NIST256P, generate `prime256v1` ecparams |
| 40 | +and store the public key within the services. During the connection phase |
| 41 | +a challenge-based authentication will happen. |
| 42 | + |
| 43 | +#### Generate the ecparams and retrieve the public key |
| 44 | + |
| 45 | +``` |
| 46 | +$ openssl ecparam -genkey -name prime256v1 -out ecdsa.pem |
| 47 | +$ openssl ec -noout -text -conv_form compressed -in ~/.weechat/ecdsa.pem | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64 |
| 48 | +``` |
| 49 | + |
| 50 | +#### Configure the public key in your account |
| 51 | + |
| 52 | +``` |
| 53 | +/msg NickServ set property pubkey <pubkey> |
| 54 | +``` |
| 55 | + |
| 56 | +#### Showing your configured public key |
| 57 | + |
| 58 | +``` |
| 59 | +/msg NickServ taxonomy |
| 60 | +``` |
| 61 | + |
| 62 | +## Transports |
31 | 63 |
|
32 | 64 | Other ways to connect exist, they use transports, check the menu for that. |
| 65 | + |
| 66 | +[SASL]: https://ircv3.net/docs/sasl-mechs |
| 67 | +[SASL PLAIN]: https://tools.ietf.org/search/rfc4616 |
| 68 | +[SASL EXTERNAL]: https://tools.ietf.org/html/rfc4422#appendix-A |
0 commit comments