| Age | Commit message (Collapse) | Author |
|---|
|
The new configuration option "DefaultChannelModes" lists channel modes that
become automatically set on new channels on creation.
Default: set no modes.
Closes #333.
|
|
Closes #334.
|
|
|
|
This patch provides code to validate the server certificate in
server links, defeating nasty man-in-the-middle attacks on server
links.
Features:
- Check whether the certificate is signed by a trusted certificate
authority (CA).
- Check the host name, including wildcard certificates and Subject
Alternative Names.
- Optionally check against a certificate revocation list (CRL).
- Implementation for both OpenSSL and GnuTLS linkage.
Left for another day:
- Parameterize the TLS parameter of an outbound connection. Currently,
it's hardcoded to disable all versions before TLSv1.1.
- Using certificate as CA-certificate. They work for GnuTLS only but
perhaps this should rather raise an error there, too.
- Optional OCSP checking.
- Checking client certificates. Code is there but this first needs some
consideration about the use cases. This could replace all other
authentication methods, for both client-server and server-server
connections.
This patch is based on a patch by Florian Westphal from 2009, which
implemented this for OpenSSL only:
From: Florian Westphal <fw@strlen.de>
Date: Mon, 18 May 2009 00:29:02 +0200
Subject: SSL/TLS: Add initial certificate support to OpenSSL backend
Commit message modified by Alex Barton.
Closes #120, "Server links using TLS/SSL need certificate validation".
Supersedes PR #8, "Options for verifying and requiring SSL client
certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
|
|
No longer use a default built-in value for the "IncludeDir" directive
when a configuration file was explicitly specified on the command line
using "--config"/"-f": This way no default include directory is scanned
when a possibly non-default configuration file is used which
(intentionally) did not specify an "IncludeDir" directive.
With this patch you now can use "-f /dev/null" for checking all built-in
defaults, regardless of any local configuration files in the default
drop-in directory (which would have been read in until this change).
|
|
The "Info" option in the "[Global]" section is optional (so comment it
out in the sample configuration file) and set to the server software
name and its version when not set (so add this information to the sample
configuration file and the ngircd.conf(5) manual page).
|
|
The server "Name" in the "[Global]" section of the configuration file is
optional now: When not set (or empty), ngIRCd now tries to deduce a
valid IRC server name from the local host name ("node name"), possibly
adding a ".host" extension when the host name does not contain a dot
(".") which is required in an IRC server name ("ID").
This new behaviour, with all configuration parameters now being
optional, allows running ngIRCd without any configuration file at all.
|
|
- Bring sample-ngircd.conf and ngircd.conf.5 description in line.
- Fix configuration parsing, it always showed the 'Unknown variable
"Autojoin"' error message, even when everything was perfectly fine.
- And fix a build error (at least on macOS with Apple Clang 14):
login.c:234:3: error: call to undeclared function 'IRC_JOIN'; ISO
C99 and later do not support implicit function declarations
[-Wimplicit-function-declaration]
IRC_JOIN(Client, &Req);
^
The #include for the "irc.channel.h" header was missing!
- Remove a unused variable that caused a compiler warning:
login.c:222:12: warning: unused variable 'n' [-Wunused-variable]
size_t i, n, channel_count = array_length(&Conf_Channels, sizeof(*conf_chan));
^
- Add a explicit cast to fix a compiler warning:
login.c:235:15: warning: assigning to 'char *' from 'const char[51]'
discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
Req.argv[0] = conf_chan->name;
^ ~~~~~~~~~~~~~~~
|
|
|
|
No longer mention "[Channel]->Key" and "[Channel]->MaxUsers".
|
|
Spotted by Étienne Mollier <etienne.mollier@mailoo.org> and Christoph
Biedl <debian.axhn@manchmal.in-ulm.de>, see Debian bug #932462
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932462). Thank you!
|
|
The max length is actually 126 (< 127), since the check errors out if
length >= 127. See
<https://github.com/ngircd/ngircd/blob/master/src/ngircd/conf.c#L1487>.
I didn't look through the history to see when the change happened. I
just happened to find during a migration that my 140 character MOTD
didn't work.
Update sample configuration file as well as the man page.
|
|
This option configures the maximum penalty time increase in seconds, per
penalty event. Set to -1 for no limit (the default), 0 to disable
penalties altogether. ngIRCd doesn't use penalty increases higher than 2
seconds during normal operation, so values higher than 1 rarely make
sense.
Disabling (or reducing) penalties can greatly speed up "make check" runs
for example, see below, but are mostly a debugging feature and normally
not meant to be used on production systems!
Some example timings running "make check" from my macOS workstation:
- MaxPenaltyTime not set: 4:41,79s
- "MaxPenaltyTime = 1": 3:14,71s
- "MaxPenaltyTime = 0": 25,46s
Closes #249.
|
|
This setting allows to run multiple ngIRCd instances with
PAM configurations on each instance.
If one sets it to "ngircd-foo", PAM will use `/etc/pam.d/ngircd-foo`
instead of the default `/etc/pam.d/ngircd`.
|
|
The old name is still supported for compatibility reasons.
|
|
AUTH is a valid nickname so sending notices to it is probably not
a good idea. Use * as the target instead as done with numerics
when the nick is not available.
This mimics the behaviour in Charybdis, IRCD-Hybrid, InspIRCd 2.2,
Plexus 4, etc.
|
|
Idea, initial patch, and testing by Christoph Biedl
<ngircd.anoy@manchmal.in-ulm.de>
|
|
Let IRC_MODE() detect that the "fake" MODE command originated on the local
sever, which enables all modes to be settable using "DefaultUserModes"
that can be set by regular MODE commands, including modes only settable by
IRC Operators.
|
|
The new configuration variable "Network" is used to set the (completely
optional) "network name", to which this instance of the daemon belongs.
When set, this name is used in the ISUPPORT(005) numeric which is sent to
all clients connecting to the server after logging in.
Closes bug #165.
|
|
Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or
SECURE128 (GnuTLS).
|
|
This patch implements the missing functionality for cipher list selection
using GnuTLS (our OpenSSL code has this already).
|
|
This patch introduces the possibility to arbitrarily select ciphers which
should be promoted resp. declined when establishing a SSL connection
with a client by implementing the new configuration option "CipherList".
By default, OpenSSL would accept low and medium strength and RC-4 ciphers,
which nowadays are known to be broken.
This patch only implements the feature for OpenSSL. A GnuTLS counterpart
has to be implemented in another patch ...
Original patch by Bastian <bastian-ngircd@t6l.de>.
Closes bug #162.
|
|
The new configuration option "DefaultUserModes" lists user modes that
become automatically set on new local clients right after login.
Please note that only modes can be set that the client could set on
itself, you can't set "a" (away) or "o" (IRC Op), for example! User
modes "i" (invisible) or "x" (cloaked) etc. are "interesting", though.
Default: set no modes (like without this patch).
Closes bug #160.
|
|
The new configuration variable "AllowedChannelTypes" lists all allowed
channel types (channel prefixes) for newly created channels on the local
server. By default, all supported channel types are allowed.
If set to the empty string, local clients can't create new channels at
all, which equals the old "PredefChannelsOnly = yes" setting.
This patch deprecates the "PredefChannelsOnly" variable, too, but it is
still supported and translated to the apropriate "AllowedChannelTypes"
setting. When "PredefChannelsOnly" is processed, a warning message is
logged.
Closes bug #152.
|
|
The option "IncludeDir" in the [Options] section can be used
to specify a directory which can contain further configuration
files and configuration file snippets matching the pattern
"*.conf" that should be read in after the main configuration
file ("ngircd.conf" by default) has been parsed.
Closes bug #157.
|
|
This patch implements a new configuration option "IdleTimeout" in the
[Limits] section of the configuration file which can be used to set a
timeout (in seconds) after which the whole daemon will shutdown when no
more connections are left active after handling at least one client.
The default is 0, "never".
This can be useful for testing or when ngIRCd is started using "socket
activation" with systemd(8), for example.
|
|
|
|
|
|
|
|
|
|
If disabled, IRC operators don't become channel operators in persistent
channels when joining. Enabled by default, which has been the behavior
of ngIRCd up to this patch.
Closes bug #135.
(Cosmetic fixes by Alex.)
|
|
The "ServiceMask" variable in "Server" blocks now can handle more than
one mask using the new MatchCaseInsensitiveList() function.
This makes marking "service clients" much more specific, which is a
good thing per se, but which is the prerequisite for reasonably
blocking these nick names, too (see commit a6dd2e3 for details).
|
|
Implemented support for hashed hostnames for CloakHost. The admin can
use '%x' in both the CloakHost and CloakHostModeX setting. The config
option CloakHostModeX was renamed to CloakHostSalt. This salt is used
for both cloaking options.
|
|
CloakHostModeX can now contain '%x'. It will be replace by the hash of
the original client hostname. The new config option CloakHostModeXSalt
defines the salt for the hash function. When CloakHostModeXSalt is not
set a random salt will be generated after each server restart.
Spelling fix in defines.h
|
|
|
|
When "PAMIsOptional" is set, clients not sending a password are still
allowed to connect: they won't become "identified" and keep the "~"
character prepended to their supplied user name.
|
|
The default of "PAM" is "yes" when ngIRCd has been configured to use it,
so show the correct default value in the sample configuration file.
Closes #119.
|
|
|
|
* MorePrivacy:
New configuration opion "MorePrivacy" to "censor" some user information
|
|
|
|
* ScrubCTCP:
Add documentation for "ScrubCTCP" configuration option
New option to scrub incoming CTCP commands
|
|
|
|
|
|
|
|
this patch contains:
* Fix for Conf_CloakUserToNick to make it conceal user details
* Adds MorePrivacy-feature
MorePrivacy censors some user information from being reported by the
server. Signon time and idle time is censored. Part and quit messages
are made to look the same. WHOWAS requests are silently dropped. All
of this is useful if one wish to conceal users that access the ngircd
servers from TOR or I2P.
|
|
|
|
* AuthPing:
Add documentation for "RequireAuthPing" configuration option
New configuration option "RequireAuthPing": PING-PONG on login
|
|
|
|
|
|
The percent sign is reserved for future extensions, for example to
expand some variables like %H to a hash value of the real host name ...
Idea by kaFux in #ngircd.
|