#34 closed defect (fixed)

Update znc to v1.7 when possible

Reported by: mbooth
Owned by: mbooth
Priority: major
Milestone: The Hand Wavy Future
Component: service: irc
Keywords:
Cc:

Description (last modified by mbooth)

The new 1.7 version of ZNC adds the AuthOnlyViaModule config option that allows you to fully disable ZNC's built-in password checking mechanism and the SSLKeyFile config option that allows you to separately specify a private key file for your SSL cert.

It's crazy, but ZNC's current behaviour in earlier versions is to check your password against the LDAP OR against your password in znc.conf (if there is one) -- thus a misconfigured ZNC could still let you in with an old password even if you changed your password in the LDAP!

In addition, ZNC currently doesn't really work with letsencrypt certificate provisioning. I believe this is because the private key is in a separate file and there is no config option to separately specify a private key.

Change History (9)

comment:1 Changed 16 months ago by mbooth

Description: modified (diff)

comment:2 Changed 16 months ago by mbooth

Description: modified (diff)

comment:3 Changed 16 months ago by mbooth

Once upgraded, we can get ansible to fix up the znc.conf to point to the right cert and private key.

In the meantime, the manual step of:

cat irc.darkpeak.org.pem irc.darkpeak.org.key > server.pem

Is needed to keep the ZNC certificate current.

comment:4 Changed 16 months ago by mbooth

1.7.1 is in testing, but not stable-backports, so I emailed the Debian maintainers to ask if there will be a backport for stretch. Updates to follow, hopefully.

comment:5 in reply to:  4 Changed 16 months ago by mbooth

Replying to mbooth:

1.7.1 is in testing, but not stable-backports, so I emailed the Debian maintainers to ask if there will be a backport for stretch. Updates to follow, hopefully.

Good news: The maintainers say this work is on the horizon.

comment:6 Changed 14 months ago by mbooth

Looks like the work is done:

On Mon, 17 Sep 2018 at 11:12, Mattia Rizzolo <mattia@…> wrote:

Hi!

On Tue, Jul 24, 2018 at 03:50:15PM +0100, Mat Booth wrote:

Good to know, thanks for your time :-)

Took me a while, but I finally got to this.

I've just now uploaded znc_1.7.1-2~bpo9+1_amd64.changes targeting
stretch-backports.

If you wish, I have also uploaded that package to my repo at
https://people.debian.org/~mattia/repos/znc-push (signed with my usual
key).

comment:7 Changed 14 months ago by mbooth

Owner: changed from somebody to mbooth
Status: new → assigned

comment:8 Changed 13 months ago by mbooth

Resolution: fixed
Status: assigned → resolved

Fixed in [9b3d55f6] and [e3fa7634].

ZNC no longer relies on concatenated key/cert files and will no longer allow you to log in with its own built-in user authentication mechanism.
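
A config check for the two conditions this ticket describes (the znc.conf password being accepted alongside module auth, and no separate SSLKeyFile), as an added example that is not part of the ticket or of the referenced changesets. Assumptions: znc.conf uses "Key = Value" lines and <User>/<Pass> blocks, AuthOnlyViaModule is accepted at both global and user level with the value "true", and the function name and sample config are constructed for illustration.

```python
import re

# Constructed sample in znc.conf layout (assumed: "Key = Value" lines, <Block> sections).
SAMPLE_CONF = """\
// constructed example, not a real configuration
Version = 1.7.1
SSLCertFile = /etc/znc/server.pem
<User alice>
    <Pass password>
        Hash = 0000
    </Pass>
</User>
<User bob>
    AuthOnlyViaModule = true
    <Pass password>
        Hash = 0000
    </Pass>
</User>
"""

def audit_znc_conf(text):
    """Flag local-password fallback and a missing separate key file (hypothetical helper)."""
    stack, settings, local_pw = [], {None: {}}, set()
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("//"):
            continue
        if re.fullmatch(r"</\w+>", line):
            if stack:
                stack.pop()
        elif m := re.fullmatch(r"<(\w+)\s*(.*?)>", line):
            stack.append((m.group(1).lower(), m.group(2)))
            if [s[0] for s in stack] == ["user", "pass"]:
                local_pw.add(stack[0][1])  # user has a password stored in znc.conf
        elif "=" in line and len(stack) <= 1:
            scope = stack[0][1] if stack and stack[0][0] == "user" else None
            if stack and scope is None:
                continue  # top-level block other than <User>
            key, value = (p.strip() for p in line.split("=", 1))
            settings.setdefault(scope, {})[key.lower()] = value
            if scope is not None and key.lower() == "pass":
                local_pw.add(scope)  # older single-line password form
    def module_only(scope):
        return settings.get(scope, {}).get("authonlyviamodule", "").lower() == "true"
    findings = [f"user {u}: znc.conf password still accepted alongside module auth"
                for u in sorted(local_pw) if not (module_only(None) or module_only(u))]
    g = settings[None]
    if "sslcertfile" in g and "sslkeyfile" not in g:
        findings.append("SSLKeyFile not set: private key is not specified separately")
    return findings
```

Running it from the Ansible play that manages znc.conf and failing the play on any finding would catch a regression to the pre-1.7 behaviour.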

comment:9 Changed 11 months ago by ejs

Status: resolved → closed