IRCnet2 - SASL

What's SASL and how it works?
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL.

What are the advantages of authentication?

You can hide your IP address by assigning a cloaked hostname.
You can join channels which allow only authenticated users to join (+r).
You can choose to chat privately only with certified users (+R).
You will not be scanned by our drone scanner.
You can recover your nick, if someone else is using it.

If you are not registered yet, do it now.

Registration

If your account already exists.

If you need assistance.

Support

How to configure SASL account?

Configure your SASL account

Create a spoof hostname on the Hostnames page.
(Skip these steps if you do not have your own domain or you want to use the preconfigured spoof provided)
- Click the "Add hostname" button.
- Fill out the "Hostname" field with the (sub)domain you want to use for the cloak.
  (this should be a name without an existing A/AAAA record)
- Click the "Add" button. Your newly created spoofed Hostname should now be listed as "not verified".
- Click the "Edit" button for your newly created Hostname.
- Add the TXT record as given to your DNS configuration.
  (How you do this depends on where/how your domain is managed)
- You can click the "verify now" button to check if the configuration is active, but It may take a while for the update to take effect depending on the DNS server configuration (it can be 1 day or more for some configurations).
- Check the Hostnames page occasionally and it should eventually show the status as "verified".
  Do not remove the TXT record after verification as this will disable the spoofed hostname.
Create a your Credentials on Credentials page.
- Click the "Create credential" button.
- Select "PLAIN" in the "Mechanism" drop-down list.
- Select the hostname for this cloak from in the "Hostname" drop-down list.
- (Optional) Fill in the IP or CIDR subnet (up to /16 for IPv4 and /48 for IPv6) you connect to IRC from in the "IP address / subnet" field.
- Fill in the Password with your own choice of password in the "Password" field. The password is case-sensitive.
- Click the "Create" button. The IRC servers are updated once an hour so wait 1 hour for your change to take effect.
Configure your IRC client to connect to one of our IRC-Servers on port 6667.
You should now be able to connect with the cloak.
- Read the MOTD carefully after connecting.
- Remember the cloaks are personal. Do not share them with others, have them sign up for their own account instead.
- Your account may be blocked if you break the rules.

If you have any questions or need help, please join #ircnet.

How to configure SASL on IRC client?

Configure SASL for ZNC

/query *status loadmod sasl

/msg *sasl mechanism PLAIN

/msg *sasl set <username> <password>

/query *status jump

/squery saslservice status

Configure SASL for mIRC

Step-by-step instructions:

In the File menu, click Select Server.
In the Connect -> Servers section of the mIRC Options window, add a Contempt IRC server (ex. address: open.ircnet2.net - Port: 6667).
In the Login Method dropdown, select SASL (/CAP).
In the second Password box at the bottom of the window, enter your username, then a colon, then your Credential password (ex. loginID:password)
Click the OK button

Configure SASL for Irssi

/network add -sasl_username <login> -sasl_password <password> -sasl_mechanism PLAIN ircnet2

/server add -net ircnet2 open.ircnet2.net 6667

Configure SASL for WeeChat

It is possible to connect via SASL in two ways.

PLAIN Mechanism:

/server add ircnet2 open.ircnet2.net/6667 -notls

/set irc.server.ircnet2.sasl_mechanism plain

/set irc.server.ircnet2.sasl_username <nickname>

/set irc.server.ircnet2.sasl_password <password>

/save

/connect ircnet2

ECDSA-NIST256P-CHALLENGE Mechanism:

In your Linux shell:

Generate a key:
openssl ecparam -genkey -name prime256v1 -out ~/.weechat/ecdsa.pem
Get public key as base64:
openssl ec -noout -text -conv_form compressed -in ~/.weechat/ecdsa.pem | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64
(You wil get key e.g. AoxWi1Phgumvf+hFRE91Q60tlcy8oa+IswYoEBjXoEar - SAVE IT!)
Go to https://accounts.ircnet2.com
• Create a credential
• Login ID: leave it the same
• Choose mechanism: ECDSA-NIST256P-CHALLENGE
• Public key: paste the key received in the second step

In WeeChat:

/server add ircnet2 open.ircnet2.com/6667

/set irc.server.ircnet2.sasl_mechanism ecdsa-nist256p-challenge

/set irc.server.ircnet2.sasl_username <login-id>

/set irc.server.ircnet2.sasl_key "%h/ecdsa.pem"

/connect ircnet2

This method is much safer, we recommend it!

Configure SASL for AdiIRC

SASL support is Built into the new Serverlist and into the /server command as of 1.9.9.

To enable SASL in the Serverlist:

Set the Login Method to "SASL (username + password)".
Set the "Username" to your nickserv nick.
Set the "Password" to your nickserv password.

Configure SASL for HexChat

Step-by-step instructions:

Open the Network List (Ctrl + S)
Click Add and type Contempt, then hit enter and click on Edit.
Replace the string newserver/6667 with open.ircnet2.net/+6697
In the User name field, enter your primary nick.
Select SASL (username + password) for the Login method field.
In the Password field, enter your NickServ password.

If everything was configured correctly, you should see a SASL authentication successful message when you connect. You will already be identified to NickServ, so you don’t need to do this again.

Connected! Now...

You can hide your IP address by assigning a cloaked hostname.

You can join channels which allow only authenticated users to join (+r).

You can make your channel more secure by allowing access only to SASL authenticated users.

How to add restriction:
/mode #channel +r

How to remove restriction:
/mode #channel -r

You can choose to chat privately only with certified users (+R).

How to add restriction in query:
/mode <your-nick> +R

How to remove restriction in query:
/mode <your-nick> -R

You can recover your nick, if someone else is using it.

If someone else is using your nick on IRC, you can recover it by using the following command twice:

/SQUERY SASLService GETNICK <nick>

Nicks can only be approved by administrators.