
fix #1634:

1. Fix auth bypass in the default configuration with the addition of
   server.password (the REGISTER command was allowed before connection
   registration, allowing unauthenticated users to REGISTER and then
   take advantage of skip-server-password)
2. Caution operators against the use of require-sasl without disabling
   user-initiated account registration. (Such a configuration is still valid
   in the case of a public server that requires everyone to register.)
tags/v2.6.1
Shivaram Lingamneni, 3 years ago
commit 97ba1c3d63
5 changed files with 38 additions and 13 deletions
  1. CHANGELOG.md (+16 -0)
  2. default.yaml (+4 -1)
  3. docs/MANUAL.md (+1 -1)
  4. irc/config.go (+13 -10)
  5. traditional.yaml (+4 -1)

CHANGELOG.md (+16 -0)

@@ -1,6 +1,22 @@
 # Changelog
 All notable changes to Oragono will be documented in this file.
 
+## [2.6.1] - 2021-04-26
+
+Oragono 2.6.1 is a bugfix release, fixing a security issue that is critical for some private server configurations. We regret the oversight.
+
+The issue affects two classes of server configuration:
+
+1. Private servers that use `server.password` (i.e., the `PASS` command) for protection. If `accounts.registration.allow-before-connect` is enabled, the `REGISTER` command can be used to bypass authentication. Affected operators should set this field to `false`, or upgrade to 2.6.1, which disallows the insecure configuration. (If the field does not appear in the configuration file, the configuration is secure since the value defaults to false when unset.)
+2. Private servers that use `accounts.require-sasl` for protection. If these servers do not additionally set `accounts.registration.enabled` to `false`, the `REGISTER` command can potentially be used to bypass authentication. Affected operators should set `accounts.registration.enabled` to false; this recommendation appeared in the operator manual but was not emphasized sufficiently. (Configurations that require SASL but allow open registration are potentially valid, e.g., in the case of public servers that require everyone to use a registered account; accordingly, Oragono 2.6.1 continues to permit such configurations.)
+
+This release includes no changes to the config file format or the database.
+
+Many thanks to [@ajaspers](https://github.com/ajaspers) for reporting the issue.
+
+### Security
+* Fixed and documented potential authentication bypasses via the `REGISTER` command (#1634, thanks [@ajaspers](https://github.com/ajaspers)!)
+
 ## [2.6.0] - 2021-04-18
 
 We're pleased to announce Oragono 2.6.0, a new stable release.
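Review bot: item 1 of the new 2.6.1 entry says that upgrading "disallows the insecure configuration", but the accompanying irc/config.go change forces `accounts.registration.allow-before-connect` to false silently rather than rejecting the config, so an operator who set it deliberately gets neither an error nor a log line; either reword this to "ignores `allow-before-connect` when `server.password` is set" or make the code return a config error, as the adjacent login-via-pass-command check already does, so that the text and the behaviour match.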

default.yaml (+4 -1)

@@ -433,7 +433,10 @@
     # require-sasl controls whether clients are required to have accounts
     # (and sign into them using SASL) to connect to the server
     require-sasl:
-        # if this is enabled, all clients must authenticate with SASL while connecting
+        # if this is enabled, all clients must authenticate with SASL while connecting.
+        # WARNING: for a private server, you MUST set accounts.registration.enabled
+        # to false as well, in order to prevent non-administrators from registering
+        # accounts.
         enabled: false
 
         # IPs/CIDRs which are exempted from the account requirement
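Review bot: the new WARNING lives only in a comment in the sample config, which an operator who upgraded in place and kept an existing config will never re-read; since the config loader already has both `config.Accounts.RequireSasl` and `config.Accounts.Registration` in hand when it parses the exempted nets, emitting a startup warning (not an error, because the changelog states that require-sasl plus open registration is a valid public-server setup) whenever `require-sasl.enabled` and `registration.enabled` are both true would reach exactly the operators this fix is aimed at.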

docs/MANUAL.md (+1 -1)

@@ -314,7 +314,7 @@
 
 This mode is comparable to Slack, Mattermost, or similar products intended as internal chat servers for an organization or team. In this mode, clients cannot connect to the server unless they log in with SASL as part of the initial handshake. This allows Oragono to be deployed facing the public Internet, with fine-grained control over who can log in.
 
-In this mode, clients must have a valid account to connect, so they cannot register their own accounts. Accordingly, an operator must do the initial account creation, using the `SAREGISTER` command of NickServ. (For more details, `/msg NickServ help saregister`.) To bootstrap this process, you can make an initial connection from localhost, which is exempt (by default) from the requirement, or temporarily add your own IP to the exemption list. You can also use a more permissive configuration for bootstrapping, then switch to this one once you have your account. Another possibility is permanently exempting an internal network, e.g., `10.0.0.0/8`, that only trusted people can access.
+In this mode, clients must not be allowed to register their own accounts, so user-initiated account registration must be disabled. Accordingly, an operator must do the initial account creation, using the `SAREGISTER` command of NickServ. (For more details, `/msg NickServ help saregister`.) To bootstrap this process, you can make an initial connection from localhost, which is exempt (by default) from the requirement, or temporarily add your own IP to the exemption list. You can also use a more permissive configuration for bootstrapping, then switch to this one once you have your account. Another possibility is permanently exempting an internal network, e.g., `10.0.0.0/8`, that only trusted people can access.
 
 To enable this mode, use the configs from the "nick equals account" section (i.e., start from `default.yaml`) and make these modifications:
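Review bot: the rewritten sentence says user-initiated registration "must be disabled" but never names the setting; the sample configs and the changelog both point at `accounts.registration.enabled: false`, so name it here as well rather than leaving the reader to find it in the modifications list further down. The bootstrapping advice that follows also deserves a caution: any address in the require-sasl exemption list (localhost by default, or a whole `10.0.0.0/8` as suggested) is exempt from the account requirement entirely, so the exemption should be kept as narrow as possible and a temporary entry removed once the operator account exists.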
 

irc/config.go (+13 -10)

@@ -1299,6 +1299,19 @@
 
 	config.Accounts.defaultUserModes = ParseDefaultUserModes(config.Accounts.DefaultUserModes)
 
+	if config.Server.Password != "" {
+		config.Server.passwordBytes, err = decodeLegacyPasswordHash(config.Server.Password)
+		if err != nil {
+			return nil, err
+		}
+		if config.Accounts.LoginViaPassCommand && !config.Accounts.SkipServerPassword {
+			return nil, errors.New("Using a server password and login-via-pass-command requires skip-server-password as well")
+		}
+		// #1634: accounts.registration.allow-before-connect is an auth bypass
+		// for configurations that start from default and then enable server.password
+		config.Accounts.Registration.AllowBeforeConnect = false
+	}
+
 	config.Accounts.RequireSasl.exemptedNets, err = utils.ParseNetList(config.Accounts.RequireSasl.Exempted)
 	if err != nil {
 		return nil, fmt.Errorf("Could not parse require-sasl exempted nets: %v", err.Error())
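Review bot: `config.Accounts.Registration.AllowBeforeConnect = false` silently overrides an operator's explicit setting, while the check three lines above it returns an error for the comparable login-via-pass-command/skip-server-password conflict; for consistency, and so the override is visible to whoever set the value, either return `errors.New("Using a server password requires accounts.registration.allow-before-connect to be false")` here too or at least log at warning level that allow-before-connect has been disabled because server.password is set. The `// #1634` comment also belongs on the assignment line group only; as written it could be read as applying to the login-via-pass-command check above it.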
@@ -1389,16 +1402,6 @@
 	// parse default channel modes
 	config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.DefaultModes)
 
-	if config.Server.Password != "" {
-		config.Server.passwordBytes, err = decodeLegacyPasswordHash(config.Server.Password)
-		if err != nil {
-			return nil, err
-		}
-		if config.Accounts.LoginViaPassCommand && !config.Accounts.SkipServerPassword {
-			return nil, errors.New("Using a server password and login-via-pass-command requires skip-server-password as well")
-		}
-	}
-
 	if config.Accounts.Registration.BcryptCost == 0 {
 		config.Accounts.Registration.BcryptCost = passwd.DefaultCost
 	}
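Review bot: this hunk only deletes the server.password block that the previous hunk re-adds above the require-sasl parsing, and nothing visible in either hunk depends on the block running before `utils.ParseNetList`; adding the single new `AllowBeforeConnect = false` line (plus its comment) at the old location would keep the security fix to a three-line change that is easier to audit and to backport.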

traditional.yaml (+4 -1)

@@ -405,7 +405,10 @@
     # require-sasl controls whether clients are required to have accounts
     # (and sign into them using SASL) to connect to the server
     require-sasl:
-        # if this is enabled, all clients must authenticate with SASL while connecting
+        # if this is enabled, all clients must authenticate with SASL while connecting.
+        # WARNING: for a private server, you MUST set accounts.registration.enabled
+        # to false as well, in order to prevent non-administrators from registering
+        # accounts.
         enabled: false
 
         # IPs/CIDRs which are exempted from the account requirement
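Review bot: this is the same comment as in default.yaml, which is fine, but both copies say only what to set and not what happens otherwise; a clause such as "otherwise anyone who can reach the server can REGISTER an account and then pass the SASL check with it" would make the warning self-explanatory without the operator having to read the changelog, and the two copies should be kept identical so they can be diffed against each other.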
