/* hidden_caps: client capabilities we'll pretend we don't support until they're requested */
#hidden_caps = "userhost-in-names";
+
+ /* oper_secure_only: require TLS on any connection trying to oper up */
+ oper_secure_only = no;
};
modules {
int max_ratelimit_tokens;
int away_interval;
int tls_ciphers_oper_only;
+ int oper_secure_only;
char **hidden_caps;
{ "certfp_method", CF_STRING, conf_set_general_certfp_method, 0, NULL },
{ "drain_reason", CF_QSTRING, NULL, BUFSIZE, &ConfigFileEntry.drain_reason },
{ "tls_ciphers_oper_only", CF_YESNO, NULL, 0, &ConfigFileEntry.tls_ciphers_oper_only },
+ { "oper_secure_only", CF_YESNO, NULL, 0, &ConfigFileEntry.oper_secure_only },
{ "\0", 0, NULL, 0, NULL }
};
ConfigFileEntry.max_ratelimit_tokens = 30;
ConfigFileEntry.away_interval = 30;
ConfigFileEntry.tls_ciphers_oper_only = false;
+ ConfigFileEntry.oper_secure_only = false;
#ifdef HAVE_LIBZ
ConfigFileEntry.compression_level = 4;
size_t cnt;
int len = 0;
+ if (ConfigFileEntry.oper_secure_only && !IsSecureClient(source_p))
+ {
+ sendto_one_notice(source_p, ":You must be using a secure connection to /CHALLENGE on this server");
+ if (ConfigFileEntry.failed_oper_notice)
+ {
+ sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
+ "Failed CHALLENGE attempt - missing secure connection by %s (%s@%s)",
+ source_p->name, source_p->username, source_p->host);
+ }
+ return;
+ }
+
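Review bot: The new rejection path in the CHALLENGE hunk (and the identical one in the /OPER hunk further down, after `password = parv[2];`) sends the `failed_oper_notice` snomask but writes nothing to the oper log, so an audit based on the log file alone never sees TLS-policy rejections. If the existing password-mismatch paths of these commands record failures with `ilog(L_FOPER, ...)` (that code lies outside the hunk), the same call belongs inside these new blocks, e.g. in the /OPER hunk `ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)", name, source_p->name, source_p->username, source_p->host, source_p->sockhost);` with `parv[1]` in place of `name` for CHALLENGE. Placing it before the `return;` keeps the log and the snomask notice in agreement regardless of whether `failed_oper_notice` is enabled. Both enclosing functions begin and end outside their hunks.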
/* if theyre an oper, reprint oper motd and ignore */
if(IsOper(source_p))
{
sendto_one_notice(source_p, ":%s already has privilege set %s.", target_p->name, target_p->user->privset->name);
return 0;
}
+
+ if (ConfigFileEntry.oper_secure_only && !IsSecureClient(target_p))
+ {
+ sendto_one_notice(source_p, ":Cannot GRANT %s, opers must be using secure connections.", target_p->name);
+ return 0;
+ }
}
if (!dodeoper)
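Review bot: The GRANT rejection added before `if (!dodeoper)` reports only to the issuing oper, with no snomask notice or log entry, unlike the parallel checks in the CHALLENGE and /OPER hunks. Since the privilege decision here is made on behalf of `target_p` rather than the issuer, a rejected grant is worth recording in the same place the successful grant is recorded (the rest of the function, including any logging, is outside the hunk); if that is the oper log, an `ilog` line naming both `source_p->name` and `target_p->name` before `return 0;` would do. The notice text `":Cannot GRANT %s, opers must be using secure connections."` also differs in form from the other two notices, which have no trailing period and name the command; aligning the wording makes the three messages recognisably the same policy.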
"Links rehash delay",
INFO_DECIMAL(&ConfigServerHide.links_delay),
},
+ {
+ "oper_secure_only",
+ "Require TLS to become an oper",
+ INFO_INTBOOL_YN(&ConfigFileEntry.oper_secure_only),
+ },
{ NULL, NULL, 0, { NULL } },
};
name = parv[1];
password = parv[2];
+ if (ConfigFileEntry.oper_secure_only && !IsSecureClient(source_p))
+ {
+ sendto_one_notice(source_p, ":You must be using a secure connection to /OPER on this server");
+ if (ConfigFileEntry.failed_oper_notice)
+ {
+ sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
+ "Failed OPER attempt - missing secure connection by %s (%s@%s)",
+ source_p->name, source_p->username, source_p->host);
+ }
+ return;
+ }
+
if(IsOper(source_p))
{
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);