Anope IRC Services

Anope Development => Feature Requests => Topic started by: steven_elvisda on March 27, 2006, 07:58:03 AM

Title: nickserv & chanserv Security
Post by: steven_elvisda on March 27, 2006, 07:58:03 AM
I want to request NickServ security.

1. When a user changes their nick or channel password, Anope services should send one passcode (verify code) to their email to make sure that the user changing the password is the real owner of his/her nick or channel.

2. Opers (services admin level) should have one command to see the passcode (verify code) automatically when a user comes to ask about their passcode.

I hope that these two features will be released in the next version of Anope services :)

Best regards,
Thanks.
Title:
Post by: Julory on March 28, 2006, 04:34:08 AM
Well, if a user has access to the SET PASSWORD command, he also has access to the SET EMAIL command. There is no need to verify the identity of the user by e-mail when this user is completely able to change the e-mail address which will be verified ;) If you are not the real owner of a nick and you want to change its password, then you will simply change the e-mail address before modifying the password, no?

This does not add real security to the modification of passwords :)
Title:
Post by: steven_elvisda on March 28, 2006, 05:41:35 AM
Quote
Originally posted by Julory
Well, if a user has access to the SET PASSWORD command, he also has access to the SET EMAIL command. There is no need to verify the identity of the user by e-mail when this user is completely able to change the e-mail address which will be verified ;) If you are not the real owner of a nick and you want to change its password, then you will simply change the e-mail address before modifying the password, no?

This does not add real security to the modification of passwords :)

Well, according to your idea I should add another idea about that.

3. When a user changes their email, we should send a passcode (verify code) to their email address to make sure that the user is the owner of that nick.
:)
Title:
Post by: FuRiOuS on March 28, 2006, 05:47:28 AM
Wait though, that's not always cool, because I just recently switched ISPs, which means a whole NEW email addy.  I can't access my old one anymore at all.  So I wouldn't be able to get the verify code.  What to do then?  This sounds like a great idea, but in practice I think it would be a pain in the arse to actually work out.
Title:
Post by: magicsleeper on May 12, 2006, 03:24:35 AM
Quote
Originally posted by steven_elvisda
I want to request NickServ security.

1. When a user changes their nick or channel password, Anope services should send one passcode (verify code) to their email to make sure that the user changing the password is the real owner of his/her nick or channel.

2. Opers (services admin level) should have one command to see the passcode (verify code) automatically when a user comes to ask about their passcode.

I hope that these two features will be released in the next version of Anope services :)

Best regards,
Thanks.


What about some Services Admin commands:
a. /os verify nick/channel emailaddress
=> for changing the email address of a user's nick
b. /os getvid nick/channel
=> for opers to see the verification pass
c. /ns sver nick and /cs sver channel
=> to send verification id
d. /ns cver nick and /cs cver channel
=> to cancel verification id

When a Services Admin gets an info about a nick or chan:

whenever a user changes his/her nick password it should say
* This nickname has an outstanding password change request verification.

whenever a user registers a nick or channel it should say
* This nickname has an outstanding new registration verification.

whenever a user changes his/her nick's email it should say
* This nickname has an outstanding e-mail change (to newemailaddress@domain) verification.

Plus, whenever a Services Admin uses OS commands, a global notice should be sent ...
Whenever a user uses these (ns and cs) commands, appropriate services notices should be sent to the user, stating that he/she should read his/her email.

[Edited on 12-5-2006 by magicsleeper]
Title:
Post by: Dave Robson on May 12, 2006, 08:02:39 AM
Services admins can already set the email for any nick at will.
Services admins can already "confirm" an email verification code without knowing it.

The point of email verification was never to ensure admins always had valid contact details for users.  It was to try and prevent bots mass registering.  As such, there is no reason for Anope to prevent the user from changing the email to something else _after_ they have been confirmed as a real user.

If you want to ensure your email setting for users is always valid, don't allow users to change their email address at all?

Whatever solution here is best for your network, a module is almost certainly the way to go, as we will never get agreement from "the masses" as to which way is best; a module would allow you to do what you want without affecting anyone else.

[Edited on 12-5-2006 by Rob]
Title:
Post by: dragoonkain on May 14, 2006, 08:37:28 PM
If somebody wants to write a module for this, I can go ahead and outline how "one network's" services handle things...

Firstly, users who forget their password need to have it "SENDPASSED" to their email address. Helpops and Opers for now have access to this (this is going to change in the future).  The SENDPASS does not actually send the password; instead it sends a verification code to RESET the password.

Secondly, password changes must be verified through an email verification. See above. (The command to reset would be /ns verify (code) (new password).)

Third, an email change would require the user to verify the change via email.  *** If the user does not verify within a set amount of time (21 days?) the email is automatically changed *** /ns verify cancel would prevent any verification.

Services Admins have the ability to reset a password, cancel verifications, and/or SENDPASS to alternate email accounts. Regular services opers do not have these abilities.

This set of rules has been working out pretty well for some time, and there is getting to be almost no need for opers anymore. :P

There are several differences between how we do things that would be hard to implement in Anope, for example channels not having passwords and instead being tied to the founder's nickname. But anyway...

Just a few suggestions
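
Added example, not part of the thread and not Anope code: a minimal Python model of the verification flow outlined in the post above (a reset code instead of the password, email changes that need verification, auto-apply after a timeout, and cancel). Assumptions: the class and method names are hypothetical, codes are mailed to the address currently on file, and the timeout uses the post's tentative 21 days.

```python
import hmac
import secrets

EMAIL_CHANGE_TIMEOUT = 21 * 24 * 3600  # the post's tentative "21 days?", in seconds


class NickAccount:
    """Toy model of one registered nick (hypothetical; a real service stores a password hash)."""

    def __init__(self, email, password):
        self.email, self.password = email, password
        self.pending = None  # (kind, code, payload, created_at) or None
        self.outbox = []     # (recipient, code) pairs standing in for sent mail

    def _start(self, kind, payload, now):
        code = secrets.token_urlsafe(16)  # unguessable, single-use code
        self.pending = (kind, code, payload, now)
        # Assumption: mail goes to the address on file, never to the requested one.
        self.outbox.append((self.email, code))

    def sendpass(self, now):
        """SENDPASS: mail a reset code, never the password itself."""
        self._start("reset", None, now)

    def request_email_change(self, new_email, now):
        self._start("email", new_email, now)

    def verify(self, code, new_password=None):
        """Models /ns verify (code) (new password); returns True on success."""
        if self.pending is None:
            return False
        kind, expected, payload, _ = self.pending
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False
        if kind == "reset":
            if not new_password:
                return False  # code stays valid until a password is supplied
            self.password = new_password
        else:
            self.email = payload
        self.pending = None  # a code cannot be replayed
        return True

    def cancel(self):
        """Models /ns verify cancel: drop any outstanding request."""
        self.pending = None

    def tick(self, now):
        """Apply an unverified, uncancelled email change once the timeout passes."""
        if self.pending and self.pending[0] == "email":
            if now - self.pending[3] >= EMAIL_CHANGE_TIMEOUT:
                self.email, self.pending = self.pending[2], None
```

Because the code goes to the address on file, someone who only holds the session cannot redirect the account before the owner sees the mail and cancels, while an owner who lost the old mailbox still gets the change after the timeout.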