Automatically authenticating to NickServ
This article is targeted at connecting to Freenode, but the concepts should translate to other servers.
Version 2.36 and later
SASL is configured under the sasl: key in a server configuration. Three mechanisms are supported as shown below.
SASL: Username and Password (PLAIN)
Authenticate using a username and password sent to the server. PLAIN only base64-encodes the credentials, so use it on a TLS connection (tls: yes).
* name: "fn"
  hostname: "chat.freenode.net"
  nick: "mynick"
  sasl:
    mechanism: plain -- this line is optional
    username: "myaccount"
    password: "mypassword"
Loading a password using a keychain manager is possible using the command: field. This example uses macOS's built-in keychain support.
  sasl:
    username: "myaccount"
    password: command: ["security", "find-generic-password", "-s", "Freenode", "-w"]
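What the PLAIN mechanism puts on the wire, as an added example (not glirc's code): the client-side lines of an IRCv3 SASL PLAIN login built from the placeholder account above, and the decode that shows the payload is base64 rather than encryption. The function names and the NICK/USER lines are assumptions for illustration; server replies are omitted.

```python
import base64

CHUNK = 400  # IRCv3 SASL splits the base64 response into 400-byte chunks


def plain_response(username, password, authzid=""):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL separates the fields and cannot appear inside one")
    return "\0".join((authzid, username, password)).encode("utf-8")


def authenticate_lines(response):
    """Base64-encode a SASL response and frame it as AUTHENTICATE commands."""
    encoded = base64.b64encode(response).decode("ascii")
    lines = ["AUTHENTICATE " + encoded[i:i + CHUNK] for i in range(0, len(encoded), CHUNK)]
    # An empty response, or a last chunk of exactly 400 bytes, is closed with "+".
    if len(encoded) % CHUNK == 0:
        lines.append("AUTHENTICATE +")
    return lines


def client_handshake(nick, username, password):
    """Client-to-server lines of a SASL PLAIN login (server replies omitted)."""
    return [
        "CAP REQ :sasl",
        f"NICK {nick}",
        f"USER {nick} 0 * :{nick}",
        "AUTHENTICATE PLAIN",
        *authenticate_lines(plain_response(username, password)),
        "CAP END",
    ]


def decode_plain(lines):
    """Reverse the framing: no key is needed, so only TLS protects the password."""
    args = [line.split(" ", 1)[1] for line in lines if line.startswith("AUTHENTICATE ")]
    payload = "".join(a for a in args if a not in ("PLAIN", "+"))
    _authzid, username, password = base64.b64decode(payload).decode("utf-8").split("\0")
    return username, password


if __name__ == "__main__":
    # Constructed sample: the placeholder account from the configuration above.
    session = client_handshake("mynick", "myaccount", "mypassword")
    print("\n".join(session))
    print(decode_plain(session))
```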
SASL: Username and ECDSA key (ECDSA-NIST256P-CHALLENGE)
Freenode also supports authentication with a public/private key pair via ECDSA-NIST256P-CHALLENGE. To configure this you'll need ecdsatool.
Assign your public key to NickServ
/msg NickServ SET PUBKEY <THEPUBLICKEY>
Update your configuration file. Remember that relative paths are relative to the configuration file.
* name: "fn"
  hostname: "chat.freenode.net"
  nick: "myaccount"
  sasl:
    mechanism: ecdsa-nist256p-challenge
    username: "myaccount"
    private-key: "path/to/key.pem"
SASL: TLS Client Certificate (EXTERNAL)
You can authenticate to NickServ via the TLS layer using TLS client certificates. The process is documented in the CertFP article on Freenode.
/msg NickServ CERT ADD
* name: "fn"
  hostname: "chat.freenode.net"
  nick: "mynick"
  sasl: mechanism: external
  tls: yes
  tls-client-cert: "path/to/cert.pem"
  tls-client-key: "path/to/key.pem" -- optional if key is stored in cert file
Version 2.35 and earlier
SASL: Username and Password (PLAIN)
To authenticate to NickServ during the connection process you can specify your username and password in your configuration file as part of the server setting.
Required configuration: sasl-username: <username>, sasl-password: <password>
* name: "fn"
  hostname: "chat.freenode.net"
  nick: "mynick"
  sasl-username: "myaccount"
  sasl-password: "mypassword"
SASL: Username and ECDSA key (ECDSA-NIST256P-CHALLENGE)
Freenode also supports authentication with a public/private key pair via ECDSA-NIST256P-CHALLENGE. To configure this you'll need ecdsatool.
Assign your public key to NickServ
/msg NickServ SET PUBKEY <THEPUBLICKEY>
Update your configuration file. Remember that relative paths are relative to the configuration file.
Required configuration: sasl-username: <username>, sasl-ecdsa-key: <filepath>
* name: "fn"
  hostname: "chat.freenode.net"
  nick: "myaccount"
  sasl-username: "myaccount"
  sasl-ecdsa-key: "path/to/key.pem"
SASL: TLS Client Certificate (EXTERNAL)
You can authenticate to NickServ via the TLS layer using TLS client certificates. The process is documented in the CertFP article on Freenode.
Required configuration: tls: yes, sasl-username: <username>, tls-client-cert: <filepath>
/msg NickServ CERT ADD <CERTIFICATEFINGERPRINT>
* name: "fn"
  hostname: "chat.freenode.net"
  nick: "mynick"
  sasl-username: "myaccount"
  tls: yes
  tls-client-cert: "path/to/cert.pem"
  tls-client-key: "path/to/key.pem" -- optional if key is stored in cert file