View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003219 | unreal | ircd | public | 2007-01-28 09:31 | 2015-07-19 19:59 |
| Reporter | djGrrr | Assigned To | syzop | ||
| Priority | normal | Severity | tweak | Reproducibility | always |
| Status | closed | Resolution | no change required | ||
| Product Version | 3.2.6 | ||||
| Summary | 0003219: OPER command should check against real ident also | ||||
| Description | I think that when u /oper up, that it should also check your real ident stored in sptr->username. To be honest, i don't really even see the point in checking it against sptr->user->username I'll attach 2 patches in a few minutes: The first will just add 2 more checks for realident@realhost and realident@ip The second will replace the 2 checks to use the real ident rather than virtual ident That way syzop or someone else can decide which one is best to use :) | ||||
| Attached Files | oper_add_realident_check.patch (1,542 bytes) oper_replace_realident_check.patch (1,002 bytes) | ||||
| 3rd party modules | |||||
|
|
The problem is sptr->username isn't filled in from the USER command. If the user doesn't reply to identd (or it is never checked), sptr->username is never set (at least as near as I can tell). sptr->user->username will contain that info (and yes, is ok to check since we assume only directly connected users are trying this). So if anything, the "replace" option is definately not suitable. |
|
|
i don't understand... sptr->username is set to "unknown" when no ident, and what would be the purpose of checking sptr->user->username ? there is absolutely no point in checking against what USER supplies, since that can be changed so easily... Idents however cannot.. which means anyone checking against the user supplied one is 99% chance using *@host; which would not be affected in any way shape or form, and since it doesn't check sptr->username, its lame, then if u have a virtual ident set from services u can't re-oper because your ident is changed... tbh, i think the replace is the best option. this way you can have a real ident, but when u identify or use /vhost, it will change the virtual ident so normal users won't even be able to see what the real ident is, so even if they are on the same isp as you, they would still need to know your real ident which would be impossible to find out via /whois, currently in order to use a virtual ident, you need to add another userhost with the virtual ident, else, you won't be able to do /mode -o $me then oper up again, as it will say no o:lines for your host i think this would prove to be quite effective for securing o:lines |
|
|
[quote]sptr->username is set to "unknown" when no ident[/quote] And will stay that way if identd isn't even checked in the first place. I'm on one network that disables identd checking. [quote]and what would be the purpose of checking sptr->user->username ? there is absolutely no point in checking against what USER supplies, since that can be changed so easily[/quote] 1) As said, some networks disable identd checks, leaving *ONLY* sptr->user->username to check. 2) identd can be changed about as easily as the USER reply anymore (irc clients with builtin identd servers, for example) 3) I do agree that real identd should be checked for the whole services-changing-your-username deal. An alternative option is the server admins put both your real and virtual username in your oper block. We can't really just assume that everyone that disables identd or gives oper blocks to non-identd users just uses *@blah for hostmasks. This might be true for 99% as you say, but what about that 1%? They'd now be pissed off that their hostmasks don't work anymore. Putting the username in puts in an extra roadblock for an operblock cracker to have to figure out. (But of course, always remember good password/SSL cert >>>>>> good hostmasks.) |
|
|
This is why i made 2 patches, the first checks both, but not checking the real ident is not good, and adding 2 hosts to get around the virtual ident issue completely defeats the purpose |
|
|
general comment regarding real ident checking: be careful with these things, we would not want to do so in TKL like making 4 checks (user@ip, u@host, u@realhost, u@cloakedhost) to also do realident@ip, realident@host, etc... see also some discussing regarding adding checks for u@cloakedIPhost. such checks on big lists and often-checking have a big cpu impact (bans, tkls). vhost or oper is fine though....... i guess...... (hav not checked) |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2007-01-28 09:31 | djGrrr | New Issue | |
| 2007-01-28 09:35 | djGrrr | File Added: oper_add_realident_check.patch | |
| 2007-01-28 09:36 | djGrrr | File Added: oper_replace_realident_check.patch | |
| 2007-01-28 14:14 | aquanight | Note Added: 0013149 | |
| 2007-01-28 14:24 | djGrrr | Note Added: 0013151 | |
| 2007-01-28 14:26 | djGrrr | Note Edited: 0013151 | |
| 2007-01-28 14:28 | djGrrr | Note Edited: 0013151 | |
| 2007-01-28 14:40 | aquanight | Note Added: 0013152 | |
| 2007-01-28 14:46 | djGrrr | Note Added: 0013153 | |
| 2007-04-19 03:42 |
|
Status | new => acknowledged |
| 2007-04-19 18:53 |
|
Status | acknowledged => confirmed |
| 2007-04-26 05:53 | syzop | Note Added: 0013723 | |
| 2015-07-19 19:59 | syzop | Status | confirmed => closed |
| 2015-07-19 19:59 | syzop | Assigned To | => syzop |
| 2015-07-19 19:59 | syzop | Resolution | open => no change required |
