From a4f1805b29a4071b72b58ef8e8d1a293d7e55053 Mon Sep 17 00:00:00 2001 From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com> Date: Wed, 16 Oct 2024 15:06:54 +0200 Subject: [PATCH] Update doc firststeps - fingerprint and nickserv magick --- doc/sphinx_source/tutorials/firststeps.rst | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/doc/sphinx_source/tutorials/firststeps.rst b/doc/sphinx_source/tutorials/firststeps.rst index 368d8605e..598f08157 100644 --- a/doc/sphinx_source/tutorials/firststeps.rst +++ b/doc/sphinx_source/tutorials/firststeps.rst 
@@ -150,15 +150,19 @@ Simple Authentication and Security Layer (SASL) is becoming a prevalant method o * **PLAIN**: To use this method, set sasl-mechanism to 0. This method passes the username and password (set in the sasl-username and sasl-password config file settings) to the IRC server in plaintext. If you only connect to the IRC server using a connection protected by SSL/TLS this is a generally safe method of authentication; however you probably want to avoid this method if you connect to a server on a non-protected port as the exchange itself is not encrypted. -* **ECDSA-NIST256P-CHALLENGE**: To use this method, set sasl-mechanism to 1. This method uses a public/private keypair to authenticate, so no username/password is required. Not all servers support this method. If your server does support this, you you must generate a certificate pair using:: +* **ECDSA-NIST256P-CHALLENGE**: To use this method, set sasl-mechanism to 1. This method uses a public/private keypair to authenticate, so no username/password is required. Not all servers support this method. If your server does support this, you must generate a certificate pair using:: openssl ecparam -genkey -name prime256v1 -out eggdrop-ecdsa.pem You will need to determine your public key fingerprint by using:: - openssl ec -noout -text -conv_form compressed -in eggdrop-ecdsa.pem | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64 + openssl ec -noout -text -conv_form compressed -in eggdrop-ecdsa.pem 2>/dev/null | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64 - Then, authenticate with your NickServ service and register your public certificate with NickServ. 
You can view your public key On Libera for example, it is done by:: + If error "xxd: command not found" you could install vim, because xxd is a part of vim, or you could try python:: + + openssl ec -noout -text -conv_form compressed -in eggdrop-ecdsa.pem 2>/dev/null| grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | python -c "import base64,sys;print(base64.b64encode(bytearray.fromhex(sys.stdin.readline())).decode())" + + Then, authenticate with your NickServ service and register your public certificate with NickServ. On Libera for example, it is done by:: /msg NickServ set pubkey @@ -173,3 +177,7 @@ You will need to determine your public key fingerprint by using:: Then, ensure you have those keys loaded in the ssl-privatekey and ssl-certificate settings in the config file. Finally, to add this certificate to your NickServ account, type:: /msg NickServ cert add + +Alternatively you could connect via ssl and if NickServ supports it, make it automatically determine and add your fingerprint in just the right format: + + /msg NickServ cert add
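Review bot: in the first hunk (@@ -150,15 +150,19 @@), the 2>/dev/null added to both openssl ec pipelines discards every openssl error along with its informational output, so a wrong path or an unreadable eggdrop-ecdsa.pem leaves the pipeline printing an empty fingerprint with no diagnostic. Either add a sentence saying that empty output means openssl failed and the command should be rerun without 2>/dev/null, or drop the redirection. In the same hunk, the fallback line has no space in "2>/dev/null| grep", unlike the line above it. The fallback also calls "python", which is missing on systems that only install python3. The sentence "If error "xxd: command not found" you could install vim" would read better as "If you get the error "xxd: command not found", install vim (xxd is part of it) or use python instead".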
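Review bot: in the second hunk (@@ -173,3 +177,7 @@), the added paragraph ends with a single colon ("in just the right format:"), while the other command blocks visible in this patch are introduced with "::". With a single colon, reStructuredText renders the indented /msg line as a block quote instead of a literal block, so change it to "format::". The sentence should also say that the bot has to connect using the certificate from the ssl-privatekey and ssl-certificate settings mentioned just above, because "connect via ssl" alone does not tell the reader which certificate's fingerprint NickServ would pick up. For consistency with the PLAIN bullet, "ssl" could be written "SSL/TLS".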