# SASL on FreeBSD



## Deleted member 9563 (Dec 29, 2017)

I use both Hexchat and DXirc continually but it seems like there's no way to get these to do SASL which is required nowadays to stay logged in. It's a real nuisance to have to manually verify every time the server drops out. Is there some reason why SASL can't be implemented on FreeBSD IRC clients?

Note, it may well be me that's missing something here, but Mister Google is not very helpful with FreeBSD IRC clients. Any help with this gratefully accepted.


----------



## SirDice (Dec 29, 2017)

OJ said:


> I use both Hexchat and DXirc continually but it seems like there's no way to get these to do SASL which is required nowadays to stay logged in.


I'm wondering why you think SASL has anything to do with this. I think this has probably more to do with things like an idle time-out or connection drops.


----------



## SirDice (Dec 29, 2017)

getopt said:


> Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.


I know what it is. None of the IRC clients I use or have used required this.


----------



## ShelLuser (Dec 29, 2017)

Verifying yourself with IRC services has always been a task for scripts, to my knowledge this hasn't changed. So basically your client recognizes certain text patterns and based on that it sends the required information. No different from authentication yourself with a nick protection service for example.


----------



## SirDice (Dec 29, 2017)

It's probably useful to know which IRC server is involved. As far as I know Undernet or EFNet for example doesn't require SASL or any other form of authentication. The only "authentication" you typically come across involve those nickserv type services. And, as ShelLuser noted, those are just text based IRC messages.


----------



## Deleted member 9563 (Dec 29, 2017)

This is specifically on Freenode. I've got a dozen channels open and every time the server resets I have to authenticate. My clients authenticate too fast and it doesn't work. The Freenode servers reset randomly every 10 minutes to 30 minutes during the holidays. I guess to deal with attacks. During the last year, things have been fine. That is to say that the resets have been infrequent, though I still need to authenticate by hand.

The popular wisdom is that clients need SASL in order to properly authenticate automatically and avoid the race condition. I note that Hexchat does not have the menu items in the FreeBSD version that is shown in on line help. DXirc does not have a menu item either, but I think that DXirc is FreeBSD specific since it appears unknown in the IRC community and does not have anything but a token web presence.

Certainly if there's some other solution it would be worth looking at. I suppose using a ZNC server with SASL is a workaround.


----------



## rigoletto@ (Dec 29, 2017)

I use irc/weechat + irc/znc with SASL authentication to Freenode and I never had this kind of problem. Before this setup I was using irc/irssi (and later irc/irssi + irc/znc) and irc/quassel + irc/quassel-core without any SASL problem.

You can also have automatic authentication using ssl certs.


----------



## scottro (Dec 29, 2017)

I use weechat and irssi, depending upon mood.  In weechat's config which you can do in the program itself, with /set tls I just direct it to the directory with root certificates, e.g
`/set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem"` 

Not sure if that's the FreeBSD one, I use it on different machines.

With irssi in my $HOME/.config there's a line pointing to the ssl_ca_file. I've set both of these up so long ago, I really don't remember what I looked for to figure it out.


----------



## Deleted member 9563 (Dec 30, 2017)

SirDice said:


> I'm wondering why you think SASL has anything to do with this. I think this has probably more to do with things like an idle time-out or connection drops.


Yes, the situation is no doubt caused by something else. Unfortunately I have yet to find out what it is. In any case, I am told by Freenode staff that it is my lack of SASL which is causing my client to not automatically authenticate after the connection is dropped. It logs in fine, and very fast, but does not identify.

It seems strange that two clients in the FreeBSD ports, one of which is a very popular one, does not have SASL. And odd that it was dropped in the FreeBSD version but is present in the Linux version. That is why I was wondering if there was something about FreeBSD that would make SASL difficult to implement. The relevant part of the menu in Hexchat is missing in the FreeBSD version.


----------



## ShelLuser (Dec 30, 2017)

OJ said:


> It seems strange that two clients in the FreeBSD ports, one of which is a very popular one, does not have SASL. And odd that it was dropped in the FreeBSD version but is present in the Linux version. That is why I was wondering if there was something about FreeBSD that would make SASL difficult to implement. The relevant part of the menu in Hexchat is missing in the FreeBSD version.


Agreed. You could always contact the port maintainer (see `make maintainer`) to ask him about it.

In the mean time I'm planning to look into this as well. I spend around 20 years hanging around on IRC (mostly Undernet) but that was years ago. I also can't help wonder about some things because when reading the comments above it looks more like a TLS based issue to me. Though I'm not sure, because I do remember one thing about FreeNode which is the verify string it used to send you which you then had to send back in order to verify yourself to be human. It's been a while since I messed with IRC, seems like a good time to tinker.

My favorite clients are epic4 (ircII), but then moved into irssi. And since then I also discovered kvirc.

If I can discover something useful I'll report back.


----------



## Deleted member 9563 (Dec 30, 2017)

I thought I might try to connect to an individual server (weber.freenode.net)  instead of the general one (irc.freenode.net). That worked about the same, until some time during the night when it started sending this repeatedly:

```
[2017-12-30 07:29:33] weber.freenode.net's NOTICE: *** Checking Ident
[2017-12-30 07:29:33] weber.freenode.net's NOTICE: *** Couldn't look up your hostname
[2017-12-30 07:29:33] weber.freenode.net's NOTICE: *** No Ident response
```


----------



## ShelLuser (Dec 30, 2017)

OJ said:


> ```
> [2017-12-30 07:29:33] weber.freenode.net's NOTICE: *** Checking Ident
> [2017-12-30 07:29:33] weber.freenode.net's NOTICE: *** Couldn't look up your hostname
> [2017-12-30 07:29:33] weber.freenode.net's NOTICE: *** No Ident response
> ```


Ha, I remember that one!

If you check your firewall I believe it tried to connect to port 113 to contact identd. See also /etc/inetd.conf:


```
# Return error for all "ident" requests
#
#auth   stream  tcp     nowait  root    internal
#auth   stream  tcp6    nowait  root    internal
#
# Provide internally a real "ident" service which provides ~/.fakeid support,
# provides ~/.noident support, reports UNKNOWN as the operating system type
# and times out after 30 seconds.
#
#auth   stream  tcp     nowait  root    internal        auth -r -f -n -o UNKNOWN
#auth   stream  tcp6    nowait  root    internal        auth -r -f -n -o UNKNOWN
#
# Example entry for an external ident server
#
#auth   stream  tcp     wait    root    /usr/local/sbin/identd  identd -w -t120
```
I used to run this on Linux, back in the days when the Net was nicely naive (well.. we didn't have as much compromises as we have now I think) and the IRC servers would actually contact your system in order to verify that you are who you said you were. It made sense at the time, but I also call this naive because it's very easy to spoof this. See also above mentioning of ~/.fakeid. I am a little bit surprised to see that this is still a thing.

And they still don't do hostname masking. Meh, that's the reason I stopped using them, they protect themselves from script kiddies but not their users. Dumb.

But if they still rely on this kind of outdated stuff then I can't help get convinced that SASL isn't necessarily related to your problems. But... that's only my theory so far.

And I found it....  (sorry; it's the evening here, having a good time and I tend to sometimes type while I investigate).

https://freenode.net/kb/answer/sasl

I was right: the only reason SASL is being used on some clients (just spotted support in irc/epic5, interesting) is to eliminate the requirement to (I quote): "_the need to /msg nickserv identify._". So you don't have to rely on SASL, you can just as easily feed your client with a script which will correctly respond to their NickServ.

What that response is and such is something I'll get to really soon.


----------



## ShelLuser (Dec 30, 2017)

Ok, we're almost half an hour further and I haven't been disconnected from the server just yet (logged on, didn't verify). So if you get disconnected then I wonder: disconnected from the channel or from the server? There's a difference here 

But the solution to your problem is also clear: _*/msg nickserv identify <password>*_.  All self-respecting IRC clients support scripting, and most clients usually also provide specific options for nickserv authentication. So if SASL isn't supported then you should rely on this.

However... I still don't believe just yet that this is causing your disconnects. Unless we're talking channel disconnects.

Hope this can help!


----------



## Deleted member 9563 (Dec 30, 2017)

ShelLuser Thanks so much for your interest in this.  

I'm getting disconnected from the server. This is seen in all channels:

```
[11:46:05] Ping timeout
[11:46:05] Server weber.freenode.net was disconnected
```
On the Freenode channel it continues like this:

```
[11:46:10] Connecting to weber.freenode.net
[11:46:11] Connected to weber.freenode.net - port 6667
[11:46:11] weber.freenode.net's NOTICE: *** Looking up your hostname...
[11:46:11] weber.freenode.net's NOTICE: *** Checking Ident
[11:46:11] weber.freenode.net's NOTICE: *** No Ident response
[11:46:11] weber.freenode.net's NOTICE: *** Couldn't look up your hostname
```

PS: I'll get right back to looking in more detail at this. First I have to go shovel snow as we've been snowed in here.
PPS: That Freenode link for setting up SASL on clients is for Linux clients, not FreeBSD ones. And that's one of the things that's stumping me. But yes, some script would likely be it.


----------



## Deleted member 9563 (Dec 30, 2017)

For anybody else jumping into this thread. I asked a question about SASL on FreeBSD and am indeed interested in learning why FreeBSD IRC clients appear not to support that out of the box.

However, the fact that I keep getting disconnects is obviously a completely different issue. I only mentioned it because that is why authenticating is a pressing point for me. I would open another thread for that, but it seems that since I even mentioned that in my original post, people think that is what the thread is about. Well, so be it. I guess that's what we're talking about now instead.  

And I thank everyone for their input too.


----------



## ShelLuser (Dec 30, 2017)

OJ said:


> ShelLuser Thanks so much for your interest in this.
> 
> I'm getting disconnected from the server. This is seen in all channels:
> 
> ...


Aha, now we're getting somewhere.

Ping timeout means just that: a disconnect because a physical connection couldn't be established, also known as lagging out. So you can now officially forget about SASL being the cause of all this. If this would be caused by NickServ then a ping timeout would imply a ban on your IP, which I consider highly unlikely. Also because of my own experiences where I could remain online withing authentication for at least an hour or so.

So unless your whole Internet connection also had issues during that time it could just as easily be a flakey router somewhere or maybe the server itself. I don't know how many servers FreeNode has but you could consider trying another server to see if that changes anything.

Good luck with the snow clearing!

(edit)



OJ said:


> For anybody else jumping into this thread. I asked a question about SASL on FreeBSD and am indeed interested in learning why FreeBSD IRC clients appear not to support that out of the box.


Well... some clients don't. I just learned that irc/irssi, irc/epic5 and irc/kvirc all support it. 

Despite that I still agree with your post earlier: it's weird if a client does support SASL on Linux and not on FreeBSD.


----------



## rigoletto@ (Dec 30, 2017)

OJ

btw, what nick do you use in IRC (Freenode)?


----------



## Deleted member 9563 (Dec 30, 2017)

lebarondemerde said:


> OJ
> 
> btw, what nick do you use in IRC (Freenode)?



I use vvande. Hope to see you there.

PS: you can leave me a note on ##cgs


----------



## Deleted member 9563 (Dec 30, 2017)

ShelLuser said:


> Ping timeout means just that: a disconnect because a physical connection couldn't be established, also known as lagging out. So you can now officially forget about SASL being the cause of all this.



yeah, I'm not hugely bothered by timeouts as it reconnects within 2 seconds. What I really want is to authenticate automatically right away.



ShelLuser said:


> So unless your whole Internet connection also had issues during that time it could just as easily be a flakey router somewhere or maybe the server itself.



You know, I'm starting to think there could be a router issue. It's an ASUS RT-N16. These things do develop hardware in rare cases. I'll look at that, and the firmware on it as well (Tomato Shibby).



ShelLuser said:


> Well... some clients don't. I just learned that irc/irssi, irc/epic5 and irc/kvirc all support it.



Thanks for all your work on this. 

I hate going to all the work of changing clients, but life isn't always on my terms. lol I'll think about it.


----------

