Re: iauth questions
Quote From: Christophe Kalt
Message ID: 19981027095732.C2313@xxxxxxxxxxx
} On Oct 27, Aleksi Suhonen wrote:
} | Do iauth and ircd use separate resolvers or do they
} | use the same one? I.e. will there be multiple identical
} | DNS queries per connection? Solaris' nscd wouldn't help?
} no DNS traffic is generated by iauth, all information is
} provided by ircd.
} | I would also like to be able to define "not"s.
} It is especially difficult if the "not"s use hostnames (as
} opposed to IPs) because the hostname information (passed by
} ircd) isn't available immediately, and may never be
} available without iauth ever knowing so until it's too late.
} what do you think?
Hmm ... the more I think about this, the more I think
all DNS traffic should be moved to iauth, along with
the whole I/K/etc:line system ... I'm not at all sure though
if this would be good.
The rest of this message should be read bottom up, so I
suggest you just read it twice from top to bottom.
Currently you have modules for different "authentication
methods." My proposition would be to have modules for
different matching methods as well.
I could immediately think of the following match methods:
ip      - As is. Simple, but inefficient, text based match.
ip_r    - Same as ip, but regexp instead of match.
ipmask  - 198.74.0.0/19. Numerical and more efficient.
host    - As is. Simple text match.
host_r  - Same as host, but regexp instead of match.
cache   - This module would keep an internal cache of recent
          "calls" to itself. It would save the timestamp of
          each call and if it detects that a host has tried
          to repeatedly connect to the server in rapid enough
          succession, it would match. (CLONE_CHECK)
          It could also record what the outcome of other
          modules' actions were on the call, so it can
          match on incoming connections based on that
          information as well. (*)
          Normally this module doesn't match.
reverse - Check that the forward and reverse DNS mappings match.
          Solaris' resolver automatically does this for example.
          Used against simple DNS spoofs.
ping    - Check that host answers to icmp ping.
          Used against simple spoofs. Fails though against
          hosts behind certain firewalls, which hinders
          this module's usefulness. (*)
route   - Check if there is a valid route back to this host.
          Useful against spoofs if the ircd host has a full
          routing table and no default route. (*)
ident   - As is. Simple text based match.
ident_r - Same as ident, but regexp instead of match.
socks   - As is. Port check.
limit_h - Check if there are other connections from this host. (*)
limit_u - Check if there are other connections from this u@h. (*)
permit  - Accept. If reached, the client is considered
          to be fully authenticated and ready to go on air.
          This module should apply Y:line type information
          to the client connection. (ping frequency etc)
deny    - Reject. If reached, the client is considered
          to be fully authenticated and totally undesirable
          to be let loose on the network, at least via this
          server. Configuration parameters would include the
          reason. (Replaces the reason on B/K/R/etc lines
          and some other hard coded reasons as well. Now you
          can easily localize your message for not having
          an I:line. "Vous ne pouvez pas utiliser ceci serveur.")
set     - Never match. Used to modify client parameters.
          (potentially very dangerous)
sleep   - Never match. Delay authentication process deliberately.
(*) this functionality may be tricky to implement.
I was actually immediately able to think of a lot of other
match methods as well, but these were the core example methods and
I trust someone else to later suggest the other methods if
this scheme is to be ever approved.
Here is some pseudo code that would implement the match process
core that I am thinking of:
typedef enum {MATCH, NO_MATCH, ACCEPT, REJECT} MatchResult;
typedef struct AuthData anAuthData;      /* client data handed over by ircd */
typedef struct MatchTreeNode aMatchTreeNode;
typedef MatchResult (*MatchFunction)(anAuthData *cl, aMatchTreeNode *nd);
struct MatchTreeNode {
    MatchFunction DoMatch;                   /* the module's match method */
    struct MatchTreeNode *MatchSuccessor, *NoMatchSuccessor;
    void *MatchTreeNodeConfiguration;        /* module-specific parameters */
};
aMatchTreeNode MatchRoot;
/* returns 1 if client OK, 0 if client not OK */
int AuthenticateClient(anAuthData *cl) {
    aMatchTreeNode *next = &MatchRoot;
    while (1) {
        switch (next->DoMatch(cl, next)) {
        case MATCH:
            next = next->MatchSuccessor;
            break;
        case NO_MATCH:
            next = next->NoMatchSuccessor;
            break;
        case ACCEPT:
            return 1;
        case REJECT:
            return 0;
        }
    }
}
This code was originally reentrant and concurrent, but I removed
those features to improve readability.
Here is an example case and the tree it would produce:
There is a host (unix_client_server.isp.gz, 10.20.30.40) that
often easily produces one new valid client connection per second
at times. We trust it and its identd.
Then there are other unix hosts (*.isp.gz) whose identd we trust.
There are dial-up lines (dial*.isp.gz) whose identd we don't trust.
Our network (10.0.0.0/8) contains other domains too, but we don't
want to manually configure them all. Check socks and ident, but
don't trust ident.
We are an open server for our TLD (*.gz). Do checks, don't trust
anyone.
We don't like root@ anywhere, nor lamer@xxxxxxxxxxxx
ipmask 10.20.30.40/32
    ident "root"
        deny "You may not IRC as root"
    limit_u 2
        deny "Too many user connections from you, punk"
    set "hostname=unix_client_server.isp.gz" /* no need to resolve */
    permit
cache
    sleep 60 /* delay stupid clients that don't sleep between reconnects */
    deny "Cached client rejection"
host "*.isp.gz"
    reverse
        deny "Please don't spoof DNS"
    host "dial*"
        limit_h 2
            deny "Too many host connections from you, daft"
        permit
    ident "root"
        deny "You may not IRC as root"
    limit_u 2
        deny "Too many user connections from you, mister"
    permit
ipmask 10.0.0.0/8
    limit_h 2
        deny "Too many host connections from you, brother"
    host "*" /* just to resolve the name */
    ident "*" /* doesn't matter what we get */
    socks
        deny "Your host has a malconfigured socks proxy"
    permit
host "*.gz"
    limit_h 2
        deny "Too many host connections from you, ma'am"
    reverse
        deny "Your hostname is misconfigured in DNS"
    socks
        deny "Your host has a wide open socks proxy"
    route
        deny "Bits don't flow back to you, spoofer"
    ident "*" /* just do the query */
    host "obfu.edu.gz"
        ident "lamer" /* cached from previous ident-clause */
            deny "Repeated abuse from lamer@xxxxxxxxxxx"
        permit
    permit
deny "This server doesn't serve any users outside gzipland"
Now, this sort of a configuration is very tedious to create
by hand, but on the other hand it is possible to compile
the current configuration format for example internally
into this form. It won't have as much expressiveness of
course.
Whew, this is already a very long message, so I'm not going
to write the other things I had in mind into this one. I'll
let you chew on this for a while instead.
--
Aleksi Suhonen
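As an added example (not code from the original post or from ircd/iauth), the match-tree walk made concrete for the trusted host of the example configuration: an ipmask module that compares numerically against a CIDR prefix, an ident module using fnmatch(), and permit/deny leaves. The IpMaskConf type, the IP4 macro, the conf field and check_client() are assumptions of this example.

```c
/* Added example (not from the original post or ircd/iauth): the tree walk
 * with a numeric ipmask module and an fnmatch() ident module; names assumed. */
#include <fnmatch.h>
#include <stdint.h>
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
typedef enum { MATCH, NO_MATCH, ACCEPT, REJECT } MatchResult;
typedef struct { uint32_t ip; const char *ident; const char *reason; } anAuthData;
typedef struct MatchTreeNode aMatchTreeNode;
typedef MatchResult (*MatchFunction)(anAuthData *cl, aMatchTreeNode *nd);
struct MatchTreeNode {
    MatchFunction DoMatch;
    aMatchTreeNode *MatchSuccessor, *NoMatchSuccessor;
    const void *conf;             /* module-specific configuration */
};
typedef struct { uint32_t net; int bits; } IpMaskConf;
/* ipmask: numeric prefix comparison, no text matching on the address */
static MatchResult m_ipmask(anAuthData *cl, aMatchTreeNode *nd) {
    const IpMaskConf *c = nd->conf;
    uint32_t mask = c->bits == 0 ? 0 : 0xffffffffu << (32 - c->bits);
    return (cl->ip & mask) == (c->net & mask) ? MATCH : NO_MATCH;
}
/* ident: shell-style wildcard match on the ident reply ("root", "*", ...) */
static MatchResult m_ident(anAuthData *cl, aMatchTreeNode *nd) {
    return fnmatch(nd->conf, cl->ident, 0) == 0 ? MATCH : NO_MATCH;
}
static MatchResult m_permit(anAuthData *cl, aMatchTreeNode *nd) { (void)cl; (void)nd; return ACCEPT; }
static MatchResult m_deny(anAuthData *cl, aMatchTreeNode *nd) { cl->reason = nd->conf; return REJECT; }
/* The walk: follow Match/NoMatch links until a permit or deny leaf decides */
int AuthenticateClient(anAuthData *cl, aMatchTreeNode *root) {
    for (aMatchTreeNode *next = root;;) {
        switch (next->DoMatch(cl, next)) {
        case MATCH:    next = next->MatchSuccessor;   break;
        case NO_MATCH: next = next->NoMatchSuccessor; break;
        case ACCEPT:   return 1;
        case REJECT:   return 0;
        }
    }
}
/* Constructed tree: trusted host from the post, root@ refused there, anyone
 * else from that address permitted, every other address refused outright */
static const IpMaskConf trusted = { IP4(10, 20, 30, 40), 32 };
static aMatchTreeNode n_deny_root = { m_deny, 0, 0, "You may not IRC as root" };
static aMatchTreeNode n_permit = { m_permit, 0, 0, 0 };
static aMatchTreeNode n_deny_out = { m_deny, 0, 0, "This server doesn't serve any users outside gzipland" };
static aMatchTreeNode n_ident = { m_ident, &n_deny_root, &n_permit, "root" };
static aMatchTreeNode MatchRoot = { m_ipmask, &n_ident, &n_deny_out, &trusted };
int check_client(uint32_t ip, const char *ident) {   /* 1 = OK, 0 = rejected */
    anAuthData cl = { ip, ident, 0 };
    return AuthenticateClient(&cl, &MatchRoot);
}
```

The deny reason lands in cl->reason, so a caller can hand the tree's own text back to the client exactly as the post's deny module describes.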