SASL.txt (4983B)
SASL authentication
-------------------

This document describes the client protocol for SASL authentication, as
implemented in charybdis and atheme.

SASL authentication relies on the CAP client capability framework [1].
Support for SASL authentication is indicated with the "sasl" capability.
The client MUST enable the sasl capability before using the AUTHENTICATE
command defined by this specification.

The AUTHENTICATE command

The AUTHENTICATE command MUST be used before registration is complete and
with the sasl capability enabled. To enforce the former, it is RECOMMENDED
to only send CAP END when the SASL exchange is completed or needs to be
aborted. Clients SHOULD be prepared for timeouts at all times during the SASL
authentication.

There are two forms of the AUTHENTICATE command: the initial client message and
later messages.

The initial client message specifies the SASL mechanism to be used. (When this
is received, the IRCD will attempt to establish an association with a SASL
agent.) If this fails, a 904 numeric will be sent and the session state remains
unchanged; the client MAY try another mechanism. Otherwise, the server sends
a set of regular AUTHENTICATE messages with the initial server response.

  initial-authenticate = "AUTHENTICATE" SP mechanism CRLF

A set of regular AUTHENTICATE messages transmits a response from client to
server or vice versa. The server MAY intersperse other IRC protocol messages
between the AUTHENTICATE messages of a set. The "+" form is used for an empty
response. The server MAY place a limit on the total length of a response.

  regular-authenticate-set = *("AUTHENTICATE" SP 400BASE64 CRLF)
                             "AUTHENTICATE" SP (1*399BASE64 / "+") CRLF

Because a 400-character line never ends a set, a response whose base64
encoding is an exact multiple of 400 characters is followed by an
"AUTHENTICATE +" line to terminate it.

The client can abort an authentication by sending an asterisk as the data.
The server will send a 904 numeric.
  authenticate-abort = "AUTHENTICATE" SP "*" CRLF

If authentication fails, a 904 or 905 numeric will be sent and the
client MAY retry from the AUTHENTICATE <mechanism> command.
If authentication is successful, a 900 and 903 numeric will be sent.

If the client attempts to issue the AUTHENTICATE command after already
authenticating successfully, the server MUST reject it with a 907 numeric.

If the client completes registration (with CAP END, NICK, USER and any other
necessary messages) while the SASL authentication is still in progress, the
server SHOULD abort it and send a 906 numeric, then register the client
without authentication.

This document does not specify use of the AUTHENTICATE command in
registered (person) state.

Example protocol exchange

C: indicates lines sent by the client, S: indicates lines sent by the server.

The client is using the PLAIN SASL mechanism with authentication identity
jilles, authorization identity jilles and password sesame.

C: CAP REQ :sasl
C: NICK jilles
C: USER jilles cheetah.stack.nl 1 :Jilles Tjoelker
S: NOTICE AUTH :*** Processing connection to jaguar.test
S: NOTICE AUTH :*** Looking up your hostname...
S: NOTICE AUTH :*** Checking Ident
S: NOTICE AUTH :*** No Ident response
S: NOTICE AUTH :*** Found your hostname
S: :jaguar.test CAP jilles ACK :sasl
C: AUTHENTICATE PLAIN
S: AUTHENTICATE +
C: AUTHENTICATE amlsbGVzAGppbGxlcwBzZXNhbWU=
S: :jaguar.test 900 jilles jilles!jilles@localhost.stack.nl jilles :You are now logged in as jilles.
S: :jaguar.test 903 jilles :SASL authentication successful
C: CAP END
S: :jaguar.test 001 jilles :Welcome to the jillestest Internet Relay Chat Network jilles
<usual welcome messages>

Note that the CAP command sent by a server includes the user's nick or *,
differently from what [1] specifies.
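The framing and the PLAIN exchange above, worked through in code. This is an added example and is not code from charybdis, atheme or this repository. It builds the PLAIN message (authzid NUL authcid NUL password, as in RFC 4616), splits a response into the 400-character AUTHENTICATE lines of a regular-authenticate-set including the "+" empty form, and implements the receiving side: reassembly, the "*" abort, rejection of over-long lines and invalid base64, and a total-length cap. The cap value MAX_RESPONSE = 8192 is an assumption, since the specification only says a server MAY impose one; the reassembler also covers the case where the base64 payload is an exact multiple of 400 characters, which the example exchange does not exercise.

```python
"""Client and server helpers for the charybdis/atheme SASL AUTHENTICATE framing.

Added example; not code from charybdis, atheme or the muhstik repository.
"""
import base64
import binascii
from typing import List, Optional, Tuple

CHUNK = 400          # maximum BASE64 characters per AUTHENTICATE line (from the ABNF)
MAX_RESPONSE = 8192  # assumed server-side cap on a whole response; the spec leaves it open


class AuthAborted(Exception):
    """Raised when the peer sends 'AUTHENTICATE *'; a server then answers 904."""


def plain_response(authzid: str, authcid: str, password: str) -> bytes:
    """Build a SASL PLAIN message: authzid NUL authcid NUL password (RFC 4616).

    In the example exchange authzid and authcid are both "jilles"; they differ
    when a user authenticates as one account but acts under another identity.
    """
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    return "\0".join((authzid, authcid, password)).encode("utf-8")


def parse_plain(data: bytes) -> Tuple[str, str, str]:
    """Server side: split a decoded PLAIN message back into its three fields.

    authzid may be empty (meaning "same as authcid"); authcid and password may not.
    """
    parts = data.split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("PLAIN message must be exactly authzid NUL authcid NUL password")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def encode_authenticate_set(data: bytes) -> List[str]:
    """Split one response into the lines of a regular-authenticate-set.

    A set ends with a line of 1..399 characters or '+'. A 400-character line never
    terminates a set, so a payload whose base64 form is an exact multiple of 400
    characters gets a trailing 'AUTHENTICATE +'; an empty response is just that line.
    400 is a multiple of 4, so every chunk boundary falls on a base64 quantum.
    """
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"AUTHENTICATE {b64[i:i + CHUNK]}" for i in range(0, len(b64), CHUNK)]
    if len(b64) % CHUNK == 0:  # covers both the empty and the exact-multiple cases
        lines.append("AUTHENTICATE +")
    return lines


class AuthenticateAssembler:
    """Reassemble a regular-authenticate-set one line at a time.

    feed() returns None while the set is still open, the decoded response once a
    terminating line (1..399 characters or '+') arrives, raises AuthAborted on '*',
    and raises ValueError for malformed, over-long or non-base64 input so the
    caller can answer with 904 instead of decoding garbage.
    """

    def __init__(self, max_response: Optional[int] = MAX_RESPONSE) -> None:
        self._buf = ""
        self._max = max_response

    def feed(self, line: str) -> Optional[bytes]:
        verb, sep, param = line.rstrip("\r\n").partition(" ")
        if verb != "AUTHENTICATE" or not sep or not param or " " in param:
            raise ValueError(f"malformed AUTHENTICATE line: {line!r}")
        if param == "*":
            self._buf = ""
            raise AuthAborted()
        chunk = "" if param == "+" else param
        if len(chunk) > CHUNK:
            self._buf = ""
            raise ValueError("line exceeds the 400-character limit")
        if self._max is not None and len(self._buf) + len(chunk) > self._max:
            self._buf = ""
            raise ValueError("response exceeds the server's total-length limit")
        self._buf += chunk
        if len(chunk) == CHUNK:
            return None  # a full 400-character line: the set continues
        try:
            return base64.b64decode(self._buf, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"invalid base64 in response: {exc}") from exc
        finally:
            self._buf = ""


if __name__ == "__main__":
    # Replay the SASL part of the example exchange: the server's initial response
    # for PLAIN is empty ("+"), then the client sends the encoded triple.
    server = AuthenticateAssembler()
    print("C: AUTHENTICATE PLAIN")
    print("S: AUTHENTICATE +")
    for sent in encode_authenticate_set(plain_response("jilles", "jilles", "sesame")):
        print("C:", sent)
        received = server.feed(sent)
    print("server decoded:", parse_plain(received))
```

A client that uses this must still treat "+" from the server as the (empty) initial server response before sending its own set, and must send CAP END only after 903 or 904/905 arrives; otherwise the 906 path registers the connection unauthenticated.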
Alternatively the client could request the list of capabilities and enable
an additional capability.

C: CAP LS
C: NICK jilles
C: USER jilles cheetah.stack.nl 1 :Jilles Tjoelker
S: NOTICE AUTH :*** Processing connection to jaguar.test
S: NOTICE AUTH :*** Looking up your hostname...
S: NOTICE AUTH :*** Checking Ident
S: NOTICE AUTH :*** No Ident response
S: NOTICE AUTH :*** Found your hostname
S: :jaguar.test CAP * LS :multi-prefix sasl
C: CAP REQ :multi-prefix sasl
S: :jaguar.test CAP jilles ACK :multi-prefix sasl
C: AUTHENTICATE PLAIN
S: AUTHENTICATE +
C: AUTHENTICATE amlsbGVzAGppbGxlcwBzZXNhbWU=
S: :jaguar.test 900 jilles jilles!jilles@localhost.stack.nl jilles :You are now logged in as jilles.
S: :jaguar.test 903 jilles :SASL authentication successful
C: CAP END
S: :jaguar.test 001 jilles :Welcome to the jillestest Internet Relay Chat Network jilles
<usual welcome messages>

[1] K. Mitchell, P. Lorier (Undernet IRC Network), L. Hardy (ircd-ratbox), P.
    Kucharski (IRCnet), IRC Client Capabilities Extension. March 2005.
    This internet-draft has expired; it can still be found on
    http://www.leeh.co.uk/draft-mitchell-irc-capabilities-02.html

See also http://sasl.charybdis.be/ and
http://wiki.atheme.net/index.php/PR:SASL_Authentication (these links are
currently dead but may be resurrected in the future).

$Id: sasl.txt 3169 2007-01-28 22:13:18Z jilles $