2016년 6월 18일 토요일

irssi 0.8.18+ SASL / SSL authentication config

As of v0.8.18, irssi irc client has native support for SASL (Simple Authentication and Security Layer). Because irssi < 0.8.18 didn't have SASL support, the old workaround was to copy the Perl script cap_sasl.pl to ~/.irssi/scripts/autorun/ . My old irssi config file contained something like the following:

Freenode = {
    type = "IRC";
    max_kicks = "1";
    max_msgs = "4";
    max_whois = "1";
    sasl_mechanism = "plain";
    sasl_username = "archjun";
    sasl_password = "myPlainTextPW";
  };

Hardcoding my Freenode password into the irssi config was dumb because this file managed in my dotfiles repository on github so everyone could see the password. I later realized my mistake and had to remove the file from my git repo, rewrite the git history and remove refs to the deleted file:

git filter-branch --index-filter 'git rm --cached --ignore-unmatch fileName

Beware that the command above will DELETE fileName despite the --cached flag. Before you run this command make sure to backup the original file somewhere.

I decided not to use regular passwords for irc authentication on Freenode and to use SSL passwordless auth instead. There is a great guide for this on the Archlinux wiki:

https://wiki.archlinux.org/index.php/irssi#SSL_Connection

After following the steps now my Freenode entry in ~/.irssi/config looks like this:

...
  {
    address = "chat.freenode.net";
    chatnet = "Freenode";
    port = "6697";
    use_ssl = "yes";
    ssl_cert = "~/.irssi/irssi.pem";
    ssl_pass = "";
    ssl_verify = "yes";
    ssl_capath = "/etc/ssl/certs";
  },
...

*Note 2016-12-13: You should no longer specify ssl_capath when defining servers in the irssi config file. Reference: https://github.com/NixOS/nixpkgs/issues/16651

The above was automatically generated by irssi when I invoked /save after registering my SSL key with Freenode NickServ.

Looking at this syntax, I think it might be possible to replace the plain-text sasl_password in my old irssi config file with something like:

sasl_password = "~/.irssi/mypw.txt"

And then add mypw.txt to .gitignore to avoid accidentally including my password in a public git repo.

Now when I /connect Freenode with SSL cert auth enabled, my nick is authenticated automatically. Very convenient!

댓글 없음:

댓글 쓰기