So you’ve opened up your IRC client and connected to a server. Now what? You do this:
If you’re having to authenticate like this every time, SASL is just what you need!
SASL stands for Simple Authentication and Security Layer, and is a framework for authentication and data security. If you’d like to read more about SASL, click here. We won’t go too in-depth with the technical details of how SASL functions here, but we will walk through the setup with WeeChat.
Supported SASL Authentication Methods
- Plaintext (Secure over TLS, but still a plaintext password in your config)
- dh-blowfish (encrypted password, insecure, not recommended)
- dh-aes (encrypted password, insecure, not recommended)
- ecdsa-nist256p-challenge (challenge with public/private key. Looks pretty suspicious, but better)
Also, aside from plaintext or external cert authentication (which freenode doesn’t support), none of these are standard SASL authentication methods.
So, you’re basically left with a choice between using a plaintext password, or the nist256p challenge. While none of these seem like great options, I feel like nist256p is still a step in the right direction.
Using SASL With ECDSA-NIST256P-CHALLENGE
Now that you understand all your options are essentially shitty, let’s set up SASL!
First, we need to generate a private key using OpenSSL. We need to use the following curve: prime256v1: X9.62/SECG curve over a 256 bit prime field
This will generate a private key and save the key to ~/.weechat/prime256.pem
Now that you have your private key, we will extract the public key from it, and hand that to freenode for authentication.
Extract the base64 encoded public key with the following command:
openssl ec -noout -text -conv_form compressed -in ~/.weechat/prime256.pem | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64
This is your public key. Assuming you are connected and authenticated on freenode currently, set your public key with
Obviously, don’t use the public key I generated for this tutorial, use yours. Now that your keys are set up, all you need to do is configure your client to use them!
Set the following:
/set irc.server.freenode.sasl_mechanism ecdsa-nist256p-challenge
/set irc.server.freenode.sasl_username "your_nickname"
/set irc.server.freenode.sasl_key "%h/prime256.pem"
Once you’ve done that, you’re ready to rock-n-roll, my friend.
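The key-handling steps above as one script, an added example that is not from the original post. The `openssl ecparam` generation command, the function names and the scratch directory are assumptions, and the public key is read from the DER encoding instead of the text dump.

```shell
#!/bin/sh
# Added example (not from the original post): create the WeeChat SASL key with
# owner-only permissions and print the compressed public key in base64.

# gen_sasl_key KEYFILE: generate a prime256v1 private key unless one exists.
gen_sasl_key() {
    [ -e "$1" ] && return 0                      # never overwrite an existing key
    ( umask 077 && openssl ecparam -genkey -name prime256v1 -out "$1" ) 2>/dev/null
}

# key_is_private KEYFILE: succeed only if group and others have no access.
key_is_private() {
    [ "$(ls -l "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# sasl_pubkey KEYFILE: the compressed point is the last 33 bytes of the DER
# SubjectPublicKeyInfo, so no hex-dump parsing is needed.
sasl_pubkey() {
    openssl ec -in "$1" -pubout -conv_form compressed -outform DER 2>/dev/null |
        tail -c 33 | base64
}

# pubkey_is_valid B64: 33 bytes, first byte 0x02 or 0x03 (compressed point tag).
pubkey_is_valid() {
    len=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
    tag=$(printf '%s' "$1" | base64 -d | od -An -tx1 -N1 | tr -d ' \n')
    [ "$len" -eq 33 ] && { [ "$tag" = 02 ] || [ "$tag" = 03 ]; }
}

# Demo in a scratch directory (assumption: point KEY at ~/.weechat/prime256.pem
# for real use).
demo_dir=$(mktemp -d)
KEY="$demo_dir/prime256.pem"
gen_sasl_key "$KEY" && key_is_private "$KEY" || echo "key missing or too permissive" >&2
PUB=$(sasl_pubkey "$KEY")
pubkey_is_valid "$PUB" && echo "public key: $PUB"
```

The private key never leaves the machine; only the 44-character base64 string is given to the network, so a leaked client config exposes a file path, not a password.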