kiwiirc / webircgateway

⛩ Websocket gateway to IRC networks
Apache License 2.0

SASL auth required (Libera.chat) #107

Open ghost opened 12 months ago

ghost commented 12 months ago

Documentation for SASL authentication is needed to understand how to connect to libera.chat servers using TLS 1.3 (aka forward secrecy). In contrast, webirc connections to irc.freenode.net in tcp4 mode work as expected using the kiwiirc transport (tls=false).

However inbound connections to libera.chat servers result in the following error message:

Closing Link: open-neurosecurity.org (SASL authentication to a NickServ account with a verified email address is required to connect from your current network. Please see https://libera.chat/guides/sasl for configuration assistance.

$ sudo systemctl status webircgateway

webircgateway
     Loaded: loaded (/lib/systemd/system/webircgateway.service; enabled; preset: enabled)
     Active: active (running) since Sun 2023-11-05 04:23:31 EST; 20min ago
   Main PID: 1141544 (webircgateway)
      Tasks: 7 (limit: 4652)
     Memory: 2.2M
        CPU: 37ms
     CGroup: /system.slice/webircgateway.service
             └─1141544 /usr/local/sbin/webircgateway --config=/etc/webircgateway/config.conf

Nov 05 04:23:42 open-neurosecurity.org webircgateway[1141544]: 2023/11/05 04:23:42.479564 L_DEBUG client:2 signal:data :molybdenum.libera.chat NOTICE guest11 :*** Notice -- SASL authentication to a NickServ account with a verified email address is required to connect from your current network. Please see https://libera.chat/guides/sasl for configuration assistance.
Nov 05 04:23:42 open-neurosecurity.org webircgateway[1141544]: 2023/11/05 04:23:42.479716 L_DEBUG client:2 in .UpstreamRecv
Nov 05 04:23:42 open-neurosecurity.org webircgateway[1141544]: 2023/11/05 04:23:42.479722 L_DEBUG client:2 Traffic (Upstream->) ERROR :Closing Link: open-neurosecurity.org (SASL authentication to a NickServ account with a verified email address is required to connect from your current network.

ItsOnlyBinary commented 12 months ago

Kiwi does not support client-certificate-based auth; it does support SASL PLAIN, though. Entering a password at the welcome screen should make it SASL auth on connect.

ghost commented 11 months ago

I forgot to mention that the built-in identd server doesn't seem to work at all when using identd=true in the webirconfig config.

As a workaround, you can install openbsd-inetd (or nullidentd), which provides a working and secure identd daemon. Anyway, I would prefer webirc to not use SASL auth at all and to use the X-Forwarded-For header to identify users' hostnames. In addition, nginx can use a local DNS resolver to store valid DNS hostnames with dnsmasq.

ItsOnlyBinary commented 11 months ago

I will look into the identd thing.

webircgateway does use X-Forwarded-For to get the correct IP, which is then passed to the ircd via the WEBIRC command.

SASL auth is a method with which to log in to NickServ during connection; it is not used to pass the correct hostname for the user.
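
The two mechanisms distinguished in the comment above, shown side by side as an added example (not part of the thread, and not webircgateway or Kiwi IRC code): WEBIRC carries the client address taken from X-Forwarded-For, while SASL PLAIN carries the NickServ login. The function names, the trusted-proxy set, the gateway name and password, and all addresses are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// clientIP picks the address to report via WEBIRC. X-Forwarded-For is honoured
// only when the TCP peer is a trusted reverse proxy (hypothetical allow-list).
func clientIP(peer, xff string, trusted map[string]bool) string {
	parts := strings.Split(xff, ",")
	ip := strings.TrimSpace(parts[len(parts)-1]) // rightmost entry = added by our proxy
	if trusted[peer] && net.ParseIP(ip) != nil {
		return ip
	}
	return peer
}

// saslPlain builds the SASL PLAIN lines (RFC 4616 payload: authzid NUL authcid
// NUL password), base64-encoded and split into 400-byte AUTHENTICATE chunks.
func saslPlain(account, password string) []string {
	enc := base64.StdEncoding.EncodeToString([]byte(account + "\x00" + account + "\x00" + password))
	lines := []string{"AUTHENTICATE PLAIN"}
	for len(enc) >= 400 {
		lines = append(lines, "AUTHENTICATE "+enc[:400])
		enc = enc[400:]
	}
	if enc == "" {
		enc = "+" // a payload that is an exact multiple of 400 ends with "+"
	}
	return append(lines, "AUTHENTICATE "+enc)
}

// registration lists what a gateway sends upstream, in order. The IP doubles as
// hostname (no reverse DNS); live, the payload waits for the server's "AUTHENTICATE +".
func registration(gwPass, gwName, ip, nick, account, password string) []string {
	out := []string{fmt.Sprintf("WEBIRC %s %s %s %s", gwPass, gwName, ip, ip), "CAP REQ :sasl"}
	out = append(out, saslPlain(account, password)...)
	return append(out, "NICK "+nick, "USER "+nick+" 0 * :"+nick, "CAP END")
}

func main() {
	// Constructed sample values: documentation address ranges, dummy secrets.
	ip := clientIP("127.0.0.1", "198.51.100.9, 203.0.113.7", map[string]bool{"127.0.0.1": true})
	for _, l := range registration("gw-secret", "examplegw", ip, "guest11", "alice", "hunter2") {
		fmt.Println(l)
	}
}
```

SASL PLAIN sends the password merely base64-encoded, so both the WebSocket leg and the upstream IRC leg need TLS for the login to stay confidential.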

ghost commented 6 months ago

Thanks for your help @ItsOnlyBinary. Here is a log file for this ticket. Interestingly, I am now getting the error "Not allowed to connect to default" when I use my SASL username and password to connect on ws.libera.chat. Btw, I use QUIC/HTTP3 for the ws connection with kiwiirc. I also disable identd in the config. Finally, I assume the "kiwiirc.com" user-agent string in the ws console (Chromium) is purely decorative.

I hope this helps,

smart

ghost commented 6 months ago

Here is a screen capture of the browser view:

[Screenshot: Screenshot_2024-04-08_06-18-58]