Anope IRC Services


Author Topic: nickserv & chanserv Security  (Read 7733 times)


steven_elvisda

  • Guest
nickserv & chanserv Security
« on: March 27, 2006, 07:58:03 AM »

I want to request NickServ security.

1. When a user changes their nick or channel password, Anope services should send one passcode (verify code) to their email to make sure that the user changing the password is the real owner of his/her nick or channel.

2. An oper (Services Admin level) should have one command to see the passcode (verify code) automatically when a user comes to them about their passcode.

I hope that these two features will be released in the next version of Anope services :)

Best regards,
Thanks.

Julory

  • Guest
(No subject)
« Reply #1 on: March 28, 2006, 04:34:08 AM »

Well, if a user has access to the SET PASSWORD command, he also has access to the SET EMAIL command. There is no need to verify the identity of the user by e-mail when this user is completely able to change the e-mail address which will be verified ;) If you are not the real owner of a nick and you want to change its password, then you will simply change the e-mail address before modifying the password, no?

This does not add real security to the modification of passwords :)

steven_elvisda

  • Guest
(No subject)
« Reply #2 on: March 28, 2006, 05:41:35 AM »

Quote
Originally posted by Julory
Well, if a user has access to the SET PASSWORD command, he also has access to the SET EMAIL command. There is no need to verify the identity of the user by e-mail when this user is completely able to change the e-mail address which will be verified ;) If you are not the real owner of a nick and you want to change its password, then you will simply change the e-mail address before modifying the password, no?

This does not add real security to the modification of passwords :)

Well, according to your idea, I should add another idea about that.

3. When a user changes their email, we should send a passcode (verify code) to their email address to make sure that the user is the owner of that nick.
:)

FuRiOuS

  • Guest
(No subject)
« Reply #3 on: March 28, 2006, 05:47:28 AM »

Wait though, that's not always cool, because I just recently switched ISPs, which means a whole NEW email addy. I can't access my old one anymore at all. So I wouldn't be able to get the verify code. What to do then? This sounds like a great idea, but in practice I think it would be a pain in the arse to actually work out.

magicsleeper

  • Guest
(No subject)
« Reply #4 on: May 12, 2006, 03:24:35 AM »

Quote
Originally posted by steven_elvisda
I want to request NickServ security.

1. When a user changes their nick or channel password, Anope services should send one passcode (verify code) to their email to make sure that the user changing the password is the real owner of his/her nick or channel.

2. An oper (Services Admin level) should have one command to see the passcode (verify code) automatically when a user comes to them about their passcode.

I hope that these two features will be released in the next version of Anope services :)

Best regards,
Thanks.


What about some Services Admin commands:
a. /os verify nick/channel emailaddress
=> for changing the email address of a user's nick
b. /os getvid nick/channel
=> for opers to see the verification pass
c. /ns sver nick and /cs sver channel
=> to send verification id
d. /ns cver nick and /cs cver channel
=> to cancel verification id

when a Services Admin gets an info about a nick or chan:

whenever a user changes its nick password it should say
* This nickname has an outstanding password change request verification.

whenever a user registers a nick or channel it should say
* This nickname has an outstanding new registration verification.

whenever a user changes his/her nick's email it should say
* This nickname has an outstanding e-mail change (to newemailaddress@domain) verification.

Plus, whenever a Services Admin uses OS commands, a global notice should be sent ...
Whenever a user uses these (ns and cs) commands, appropriate services notices should be sent to the user, stating that he/she should read his/her email.

[Edited on 12-5-2006 by magicsleeper]

Dave Robson

  • Team
  • Posts: 357
(No subject)
« Reply #5 on: May 12, 2006, 08:02:39 AM »

Services admins can already set the email for any nick at will.
Services admins can already "confirm" an email verification code without knowing it.

The point of email verification was never to ensure admins always had valid contact details for users. It was to try and prevent bots mass registering. As such, there is no reason for Anope to prevent the user from changing the email to something else _after_ they have been confirmed as a real user.

If you want to ensure your email setting for users is always valid, don't allow users to change their email address at all?

Whatever solution here is best for your network, a module is almost certainly the way to go, as we will never get agreement from "the masses" as to which way is best; a module would allow you to do what you want without affecting anyone else.

[Edited on 12-5-2006 by Rob]

dragoonkain

  • Guest
(No subject)
« Reply #6 on: May 14, 2006, 08:37:28 PM »

If somebody wants to write a module for this, I can go ahead and outline how "one network's" services handle things...

Firstly, users who forget their password need to have it "SENDPASSED" to their email address. Helpops and Opers for now have access to this (this is going to change in the future). The SENDPASS does not actually send the password; instead it sends a verification code to RESET the password.

Secondly, password changes must be verified through an email verification. See above. (The command to reset would be /ns verify (code) (new password).)

Third, an email change would require the user to verify the change via email.  *** If the user does not verify within a set amount of time (21 days?) the email is automatically changed *** /ns verify cancel would prevent any verification.

Services Admins have the ability to reset a password, cancel verifications, and/or SENDPASS to alternate email accounts. Regular services opers do not have these abilities.

This set of rules has been working out pretty well for some time, and there is getting to be almost no need for opers anymore. :P

There are several differences between how we do things that would be hard to implement in Anope, for example channels not having passwords, and are instead tied to the founder's nickname. But anyway...

Just a few suggestions
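The rules outlined in the last reply (a reset code instead of the password, email-verified changes, and an email change that applies itself after the grace period unless cancelled), modelled as a small pending-change state machine. This is an added example, not Anope code and not the code of the network described. Assumptions not taken from the thread: the function names, a 24-hour lifetime for reset codes, storing only a hash of the code, and mailing every code to the address already on file.

```python
import hashlib, hmac, secrets

AUTO_APPLY = 21 * 86400   # "21 days?" grace period from the post
RESET_TTL = 86400         # assumed lifetime of a password-reset code

class Account:
    def __init__(self, email):
        self.email = email
        self.pw_hash = None   # password hash, set by a verified reset
        self.pending = None   # (kind, sha256(code), new_email, created)

def _h(text):
    return hashlib.sha256(text.encode()).digest()

def request(acct, kind, now, new_email=None):
    """Open a 'password' (SENDPASS) or 'email' change; return (recipient, code)."""
    code = secrets.token_urlsafe(9)                # 72 random bits
    acct.pending = (kind, _h(code), new_email, now)
    return acct.email, code                        # mailed to the address on file

def verify(acct, code, now, new_password=None):
    """/ns verify (code) (new password): apply the change if the code matches."""
    if acct.pending is None:
        return False
    kind, digest, new_email, created = acct.pending
    if kind == "password" and now - created > RESET_TTL:
        acct.pending = None                        # stale reset code
        return False
    if not hmac.compare_digest(digest, _h(code)):  # constant-time compare
        return False
    if kind == "password" and not new_password:
        return False
    if kind == "password":
        acct.pw_hash = _h(new_password)            # stand-in for a real password KDF
    else:
        acct.email = new_email
    acct.pending = None                            # codes are single use
    return True

def cancel(acct):
    """/ns verify cancel: drop the pending change."""
    acct.pending = None

def sweep(acct, now):
    """Timer: an uncancelled, unverified email change applies after the grace period."""
    p = acct.pending
    if p and p[0] == "email" and now - p[3] >= AUTO_APPLY:
        acct.email, acct.pending = p[2], None
        return True
    return False
```

Because the code always goes to the address on file and the email change itself is held pending, someone who only has the session cannot redirect a reset code immediately, while a user who has lost the old mailbox still gets the new address once the grace period runs out.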