SASL authentication
-------------------

This document describes the client protocol for SASL authentication, as
implemented in charybdis and atheme.

SASL authentication relies on the CAP client capability framework [1].
Support for SASL authentication is indicated with the "sasl" capability.
The client MUST enable the sasl capability before using the AUTHENTICATE
command defined by this specification.

The AUTHENTICATE command

The AUTHENTICATE command MUST be used before registration is complete and
with the sasl capability enabled. To enforce the former, it is RECOMMENDED
to only send CAP END when the SASL exchange is completed or needs to be
aborted. Clients SHOULD be prepared for timeouts at all times during SASL
authentication.

There are two forms of the AUTHENTICATE command: the initial client message
and later messages.

The initial client message specifies the SASL mechanism to be used. (When this
is received, the IRCD will attempt to establish an association with a SASL
agent.) If this fails, a 904 numeric will be sent and the session state remains
unchanged; the client MAY try another mechanism. Otherwise, the server sends
a set of regular AUTHENTICATE messages with the initial server response.

initial-authenticate = "AUTHENTICATE" SP mechanism CRLF

A set of regular AUTHENTICATE messages transmits a response from client to
server or vice versa. The server MAY intersperse other IRC protocol messages
between the AUTHENTICATE messages of a set. Every message of a set except the
last carries exactly 400 base64 characters and the last carries between 1 and
399, so a message of exactly 400 characters always means that more follow.
The "+" form is used for an empty response. The server MAY place a limit on
the total length of a response.

regular-authenticate-set = *("AUTHENTICATE" SP 400BASE64 CRLF)
                           "AUTHENTICATE" SP (1*399BASE64 / "+") CRLF

The client can abort an authentication by sending an asterisk as the data.
The server will send a 906 numeric.

authenticate-abort = "AUTHENTICATE" SP "*" CRLF

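The set syntax above, worked through in Python as an added example (this is not code from charybdis or atheme): an encoder that cuts a response into AUTHENTICATE lines exactly as the ABNF requires, including the trailing "+" a payload of a multiple of 400 characters needs, and a receiving-side decoder that reassembles a set while ignoring interspersed messages, recognises the abort form, and enforces a total-length limit. The function and exception names and the 8192-character limit are assumptions made for illustration; the document only says a server MAY impose a limit.

```python
import base64
import binascii
import string
from typing import List, Optional

# From the ABNF: a full AUTHENTICATE line carries exactly 400 base64
# characters; the last line of a set carries 1..399 characters or "+".
CHUNK = 400
_B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/=")


class SaslAborted(Exception):
    """Peer sent "AUTHENTICATE *": the exchange is abandoned."""


class SaslTooLong(Exception):
    """Response exceeded the receiver's length limit (905 in charybdis)."""


def encode_authenticate_set(data: bytes) -> List[str]:
    """Split one SASL response into the AUTHENTICATE lines that carry it.

    A payload whose base64 length is a multiple of 400 (the empty response
    included) would end on a full-length line, which the receiver reads as
    "more follows", so such a set is closed with an explicit "+" line.
    """
    b64 = base64.b64encode(data).decode("ascii")
    lines = ["AUTHENTICATE " + b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)]
    if len(b64) % CHUNK == 0:
        lines.append("AUTHENTICATE +")
    return lines


class AuthenticateSetDecoder:
    """Reassemble one response from the AUTHENTICATE lines of a set.

    feed() returns None while the set is still open (and for any other IRC
    message interspersed in it), the decoded bytes once the set is complete,
    and raises SaslAborted or SaslTooLong for the two error cases above.
    max_b64_len (assumed value) is the limit on the total encoded length.
    """

    def __init__(self, max_b64_len: int = 8192) -> None:
        self.max_b64_len = max_b64_len
        self._buf = ""

    def feed(self, line: str) -> Optional[bytes]:
        cmd, _, data = line.partition(" ")
        if cmd != "AUTHENTICATE":
            return None  # other IRC messages MAY be interspersed within a set
        if data == "*":
            self._buf = ""
            raise SaslAborted()
        if data == "+":
            data = ""
        elif not (1 <= len(data) <= CHUNK) or not set(data) <= _B64_ALPHABET:
            raise ValueError("malformed AUTHENTICATE data: %r" % data)
        self._buf += data
        if len(self._buf) > self.max_b64_len:
            self._buf = ""
            raise SaslTooLong()
        if len(data) == CHUNK:
            return None  # exactly 400 characters: more lines of this set follow
        complete, self._buf = self._buf, ""
        try:
            return base64.b64decode(complete, validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 in AUTHENTICATE set") from exc


def decode_set(lines: List[str], max_b64_len: int = 8192) -> bytes:
    """Feed a whole set (interspersed messages allowed) and return the response."""
    decoder = AuthenticateSetDecoder(max_b64_len)
    for line in lines:
        result = decoder.feed(line)
        if result is not None:
            return result
    raise ValueError("AUTHENTICATE set is incomplete")


if __name__ == "__main__":
    # Constructed sample: 300 bytes encode to exactly 400 base64 characters,
    # so the set needs the closing "+" line; a NOTICE is interspersed, as allowed.
    response = bytes(range(256)) + b"\0" * 44
    wire = encode_authenticate_set(response)
    wire.insert(1, "NOTICE AUTH :*** interspersed message")
    print(wire[0][:40] + "...", "|", wire[1], "|", wire[2])
    print("roundtrip ok:", decode_set(wire) == response)
```

The decoder deliberately treats a 400-character line as a continuation even when it is the last thing received; a peer that omits the closing "+" after a 400-character chunk leaves the set open, which is where a timeout, not a guess, is the right reaction.
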
If authentication fails, a 904 or 905 numeric will be sent and the
client MAY retry from the AUTHENTICATE <mechanism> command.
If authentication is successful, a 900 and a 903 numeric will be sent.

If the client attempts to issue the AUTHENTICATE command after already
authenticating successfully, the server MUST reject it with a 907 numeric.

If the client completes registration (with CAP END, NICK, USER and any other
necessary messages) while the SASL authentication is still in progress, the
server SHOULD abort it and send a 906 numeric, then register the client
without authentication.

This document does not specify use of the AUTHENTICATE command in
registered (person) state.

Example protocol exchange

C: indicates lines sent by the client, S: indicates lines sent by the server.

The client is using the PLAIN SASL mechanism with authentication identity
jilles, authorization identity jilles and password sesame. The data the client
sends is the base64 encoding of the RFC 4616 PLAIN message, i.e. the
authorization identity, a NUL byte, the authentication identity, another NUL
byte and the password ("jilles" NUL "jilles" NUL "sesame"). Since PLAIN carries
the password itself, merely base64 encoded, it should only be used over a
TLS-protected connection.

C: CAP REQ :sasl
C: NICK jilles
C: USER jilles cheetah.stack.nl 1 :Jilles Tjoelker
S: NOTICE AUTH :*** Processing connection to jaguar.test
S: NOTICE AUTH :*** Looking up your hostname...
S: NOTICE AUTH :*** Checking Ident
S: NOTICE AUTH :*** No Ident response
S: NOTICE AUTH :*** Found your hostname
S: :jaguar.test CAP jilles ACK :sasl
C: AUTHENTICATE PLAIN
S: AUTHENTICATE +
C: AUTHENTICATE amlsbGVzAGppbGxlcwBzZXNhbWU=
S: :jaguar.test 900 jilles jilles!jilles@localhost.stack.nl jilles :You are now logged in as jilles.
S: :jaguar.test 903 jilles :SASL authentication successful
C: CAP END
S: :jaguar.test 001 jilles :Welcome to the jillestest Internet Relay Chat Network jilles
<usual welcome messages>

Note that the CAP command sent by a server includes the user's nick or *,
unlike what [1] specifies.

Alternatively the client could request the list of capabilities and enable
an additional capability.

C: CAP LS
C: NICK jilles
C: USER jilles cheetah.stack.nl 1 :Jilles Tjoelker
S: NOTICE AUTH :*** Processing connection to jaguar.test
S: NOTICE AUTH :*** Looking up your hostname...
S: NOTICE AUTH :*** Checking Ident
S: NOTICE AUTH :*** No Ident response
S: NOTICE AUTH :*** Found your hostname
S: :jaguar.test CAP * LS :multi-prefix sasl
C: CAP REQ :multi-prefix sasl
S: :jaguar.test CAP jilles ACK :multi-prefix sasl
C: AUTHENTICATE PLAIN
S: AUTHENTICATE +
C: AUTHENTICATE amlsbGVzAGppbGxlcwBzZXNhbWU=
S: :jaguar.test 900 jilles jilles!jilles@localhost.stack.nl jilles :You are now logged in as jilles.
S: :jaguar.test 903 jilles :SASL authentication successful
C: CAP END
S: :jaguar.test 001 jilles :Welcome to the jillestest Internet Relay Chat Network jilles
<usual welcome messages>

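The client side of the two exchanges above, as an added example in Python (not code from charybdis, atheme or any real client): it builds the RFC 4616 PLAIN message, drives a small state machine over the server's lines and the numerics defined in this document, sends CAP END only once the exchange has succeeded or failed, and has an abort path for the timeout case the document tells clients to expect. The class and function names, the "USER <user> 0 * :<realname>" form and the captured server transcript are constructed for illustration; the outcomes (900, 903, 904, 906, 907, CAP NAK) are the ones the document defines.

```python
import base64
from typing import List, Optional, Tuple


def sasl_plain_payload(authzid: str, authcid: str, password: str) -> str:
    """Base64 of the RFC 4616 PLAIN message: authzid NUL authcid NUL password."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def parse_line(line: str) -> Tuple[str, List[str]]:
    """Split an IRC line into (command, params), dropping any :prefix."""
    if line.startswith(":"):
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return params[0], params[1:]


class SaslPlainClient:
    """State machine for the client side: feed() returns the lines to send.

    CAP END goes out only after 903 (success) or a failure numeric, so
    AUTHENTICATE is never used once registration is complete; abort() is
    what a client calls when the exchange times out.
    """

    FAIL = ("904", "905", "906", "907")

    def __init__(self, nick: str, user: str, realname: str,
                 authzid: str, authcid: str, password: str) -> None:
        self.nick, self.user, self.realname = nick, user, realname
        self._payload = sasl_plain_payload(authzid, authcid, password)
        self.state = "new"                  # new -> cap -> mech -> resp -> done
        self.account: Optional[str] = None  # taken from the 900 numeric
        self.error: Optional[str] = None    # failing numeric, if any

    def start(self) -> List[str]:
        self.state = "cap"
        return ["CAP REQ :sasl", "NICK " + self.nick,
                "USER %s 0 * :%s" % (self.user, self.realname)]

    def abort(self) -> List[str]:
        """Give up on a stalled exchange (timeout) and register without SASL."""
        if self.state not in ("mech", "resp"):
            return []
        self.state = "done"
        return ["AUTHENTICATE *", "CAP END"]

    def feed(self, line: str) -> List[str]:
        cmd, params = parse_line(line)
        if self.state == "cap" and cmd == "CAP" and len(params) >= 3:
            if params[1] == "ACK" and "sasl" in params[2].split():
                self.state = "mech"
                return ["AUTHENTICATE PLAIN"]
            if params[1] == "NAK":
                self.state = "done"  # no SASL on this server; register without it
                return ["CAP END"]
        if self.state == "mech" and cmd == "AUTHENTICATE" and params == ["+"]:
            self.state = "resp"  # empty initial server response: send the PLAIN data
            return self._response_lines()
        if self.state in ("mech", "resp"):
            if cmd == "900" and len(params) >= 3:
                self.account = params[2]
            elif cmd == "903":
                self.state = "done"
                return ["CAP END"]
            elif cmd in self.FAIL:
                self.error, self.state = cmd, "done"
                # 906 means the server has already completed registration and
                # dropped the exchange, so there is no CAP END left to send.
                return [] if cmd == "906" else ["CAP END"]
        return []  # NOTICE AUTH, 001 and other traffic need no SASL reaction

    def _response_lines(self) -> List[str]:
        # Set form from the ABNF: full 400-character lines, then a last line
        # of 1..399 characters, or "+" when the payload is a multiple of 400.
        b64 = self._payload
        lines = ["AUTHENTICATE " + b64[i:i + 400] for i in range(0, len(b64), 400)]
        if len(b64) % 400 == 0:
            lines.append("AUTHENTICATE +")
        return lines


def replay(client: SaslPlainClient, server_lines: List[str]) -> List[str]:
    """Drive the client through a server transcript; return everything it sent."""
    sent = client.start()
    for line in server_lines:
        sent.extend(client.feed(line))
    return sent


# Constructed sample: the server side of the first example exchange above.
SERVER_TRANSCRIPT = [
    "NOTICE AUTH :*** Processing connection to jaguar.test",
    ":jaguar.test CAP jilles ACK :sasl",
    "AUTHENTICATE +",
    ":jaguar.test 900 jilles jilles!jilles@localhost.stack.nl jilles "
    ":You are now logged in as jilles.",
    ":jaguar.test 903 jilles :SASL authentication successful",
    ":jaguar.test 001 jilles :Welcome to the jillestest Internet Relay Chat Network jilles",
]

if __name__ == "__main__":
    client = SaslPlainClient("jilles", "jilles", "Jilles Tjoelker", "jilles", "jilles", "sesame")
    for sent in replay(client, SERVER_TRANSCRIPT):
        print("C:", sent)
    print("account:", client.account, "error:", client.error)
```

On 904 or 905 this client registers without authentication rather than retrying, since resending the same PLAIN credentials cannot change the outcome; a client offering several mechanisms would instead send a new initial AUTHENTICATE <mechanism> at that point, as the document permits.
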
[1] K. Mitchell, P. Lorier (Undernet IRC Network), L. Hardy (ircd-ratbox), P.
Kucharski (IRCnet), IRC Client Capabilities Extension. March 2005.
This internet-draft has expired; it can still be found on
http://www.leeh.co.uk/draft-mitchell-irc-capabilities-02.html

See also http://sasl.charybdis.be/ and
http://wiki.atheme.net/index.php/PR:SASL_Authentication (these links are
currently dead but may be resurrected in the future).

$Id: sasl.txt 3169 2007-01-28 22:13:18Z jilles $