Anope IRC Services

Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1]   Go Down

Author Topic: Restrict the use of getpass to certains opers.  (Read 9554 times)

0 Members and 1 Guest are viewing this topic.

Erik

  • Anope User
  • Offline Offline
  • Posts: 9
Restrict the use of getpass to certains opers.
« on: May 03, 2011, 11:36:11 AM »

How can I restrict the use of getpass command (NS and CS) to certains roots?
For instance, adding an extra layer security level, lets say, protecting this command with a password, or, setting the nicks of SA or SRA in the main conf file.
Useful info, we do not wanna encrypt the passwords..

We got 4 Netadmins.
Me, and another Netadm, we want to restrict this to the others 2. The other 2 Netadms belongs to another server linked to us.
« Last Edit: May 03, 2011, 11:41:10 AM by Erik »
Logged

Jan Milants

  • Team
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 1372
Re: Restrict the use of getpass to certains opers.
« Reply #1 on: May 03, 2011, 11:41:21 AM »

you write a custom module..

if you don't trust someone, don't give them root... don't give them oper to begin with tbh..
Logged
If you like me donate coins to 1FBmZVT4J8WAUMHKqpWhgNVj3XXnRN1cCk :)

Erik

  • Anope User
  • Offline Offline
  • Posts: 9
Re: Restrict the use of getpass to certains opers.
« Reply #2 on: May 03, 2011, 11:44:05 AM »

Yes, but thats not the situation, their are already roots.
I just want to know if this is possible given the circumstances.
Just that.
Logged

Jan Milants

  • Team
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 1372
Re: Restrict the use of getpass to certains opers.
« Reply #3 on: May 03, 2011, 11:46:05 AM »

giving someone root can be undone...

anyhow, as i said, technically it s possible, but it s not something anope provides so you will have to write your own module to handle it..
Logged
If you like me donate coins to 1FBmZVT4J8WAUMHKqpWhgNVj3XXnRN1cCk :)

Erik

  • Anope User
  • Offline Offline
  • Posts: 9
Re: Restrict the use of getpass to certains opers.
« Reply #4 on: May 03, 2011, 11:49:06 AM »

We got 4 servers linked to each other.
Now we got 1 more, linked to 1 of our 4 servers.
This 2 roots only have o-lines on his own server.
The services server is controled by us, me and my other root can see the passwords. So my question is: do this other 2 roots of the another server will be able to use getpass?
Logged

Charles Kingsley

  • Contributor
  • *
  • Offline Offline
  • Posts: 1405
Re: Restrict the use of getpass to certains opers.
« Reply #5 on: May 03, 2011, 11:52:34 AM »

We got 4 servers linked to each other.
Now we got 1 more, linked to 1 of our 4 servers.
This 2 roots only have o-lines on his own server.
The services server is controled by us, me and my other root can see the passwords. So my question is: do this other 2 roots of the another server will be able to use getpass?

1) Use encryption and protect your users so nobody can see their passwords.
2) Don't give people root you don't trust, that's not an anope problem it's a user education problem.

Even if you did "limit" their root account don't you think they'd ask why?

Use encryption, protect your users data, don't do a <large company recently whose data was stolen revealing usernames/passwords in plain text>.
Logged

Erik

  • Anope User
  • Offline Offline
  • Posts: 9
Re: Restrict the use of getpass to certains opers.
« Reply #6 on: May 03, 2011, 12:03:29 PM »

Simple answer, due this (and only) particular situation: IS NOT POSSIBLE.

Thank you guys.
Logged

Erik

  • Anope User
  • Offline Offline
  • Posts: 9
Re: Restrict the use of getpass to certains opers.
« Reply #7 on: May 03, 2011, 12:12:58 PM »

I understand the facts that surround the best practices of/to:
- writting a well structured main conf
- give no high-level status to untrusted people
- compile some modules for this, that, those
- complete separation of services server and ircd server.
- etcetera.

The situation here, is set.
We don't wanna encrypt the passwords. (even knowing that this is the best idea/solution).

Again, thank you.
Logged

Jan Milants

  • Team
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 1372
Re: Restrict the use of getpass to certains opers.
« Reply #8 on: May 03, 2011, 12:57:54 PM »

Simple answer: no, all roots can use getpass..
doesn't matter where an oline is.. an oline gives identical power to all servers on hte network.. if they are a global oper on server a they can still kill osers on servers b c and d, even if they have no oline there.

You can modify standard behaviour by using modules, but we are definitely not going to provide functionality in anopes core to accommodate admins intend on ignoring best practices yet still wanting some security.. if it was up to me support for plain-text password storage in anope would be removed altogether..
Logged
If you like me donate coins to 1FBmZVT4J8WAUMHKqpWhgNVj3XXnRN1cCk :)

katsklaw

  • Supporter
  • Anope User
  • Offline Offline
  • Posts: 537
Re: Restrict the use of getpass to certains opers.
« Reply #9 on: May 04, 2011, 02:50:56 AM »

This module available as soon as it's approved: getpass_pass. http://modules.anope.org/index.php?page=view&id=221

Enjoy.
Logged

Erik

  • Anope User
  • Offline Offline
  • Posts: 9
Re: Restrict the use of getpass to certains opers.
« Reply #10 on: May 04, 2011, 05:41:49 PM »

This module available as soon as it's approved: getpass_pass. http://modules.anope.org/index.php?page=view&id=221

Enjoy.

Thank you very much katsklaw, this module IS the solution.
Recently compiled, works OK on Anope 1.7.21.

Use:
Code: [Select]
/msg nickserv getpass <nick> <password>
/msg chanserv getpass <channel> <password>
/ns getpass <nick> <password>
/ns getpass <channel> <password>

Againg, thank you!
Logged

katsklaw

  • Supporter
  • Anope User
  • Offline Offline
  • Posts: 537
Re: Restrict the use of getpass to certains opers.
« Reply #11 on: May 05, 2011, 01:53:13 AM »

no prob.
« Last Edit: May 05, 2011, 10:13:51 PM by katsklaw »
Logged
Pages: [1]   Go Up