RageIRCd v2.0 (bluemoon): Authentication System
-----------------------------------------------

$Id: auth.txt,v 1.6.2.1 2005/02/21 02:32:45 amcwilliam Exp $
(C) 2000-2005 the RageIRCd Development Team, all rights reserved.

With previous versions of RageIRCd, server admins have only been able to 
enable or disable password encryption at compile-time. The strength of 
password encryption was also pretty weak, as the system used only DES (or 
MD5 if supported).

RageIRCd v2.0 introduces a new "per-password" encryption mechanism, allowing 
server admins to specify whether a single password should be encrypted 
or not. This configuration is done through the use of auth{} sections 
within top-level config blocks. Auth{} sections are dynamic, so their 
settings are applied at config-time: simply rehash to change them.

Auth{} sections also provide different types of password encryption. These 
are listed below in order of strength, strongest first. Note: encryption 
types marked with * require OpenSSL support at compile-time.

Type                Info
----------------------------------------------
ripemd/160          160-bit RIPEMD hash*
sha1/160            160-bit SHA1 hash*
md5/128             128-bit MD5 hash*
des/56              56-bit DES-based hash
md5/56              56-bit MD5-based hash
plaintext           Clear (no hashing)

Auth{} sections are currently present in allow{}, oper{}, and link{} top-level
config blocks. Servinfo{} blocks also contained two auth{} sections, for /DIE
and /RESTART passwords. However, they were removed in beta-2 due to the way in
which oper privileges for these functions are assigned.

The syntax of the auth{} section is outlined below. As you can see, the 
example used is that of an auth{} section within an oper{} block. The 
password type is plaintext. Thus, the password string is specified in 
clear text.

oper alasdair {
	auth {
		string "ThisIsMyPassword";
		type plaintext;
	};
	...
};

The next auth{} example is from a vhost{} block. As you can see, the 
password type is ripemd/160. Therefore the specified password string is 
encrypted, and cannot be read.

vhost microsoft.com {
	auth {
		string "DDk7LopO093748gF5GJva3Z8ekk=";
		type ripemd/160;
	};
	...
};

NB. Passwords encrypted using OpenSSL are converted to base-64 form, as 
    the plain encrypted text is unprintable, and considerably long. Such 
    passwords are therefore guaranteed to contain at least one "=" 
    character. Due to the nature of the RageIRCd v2.0 conf parser, this 
    character WILL be ignored, unless placed within quotation marks (per 
    the above examples).
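
A configuration check for the auth{} rules described above, as an added example that is not part of the RageIRCd distribution: it flags plaintext passwords, unquoted strings for the OpenSSL-backed types, and strings that do not decode to a digest of the declared size. It assumes the base-64 string is the raw digest (20 bytes for the 160-bit types, 16 for md5/128); the function name and the link{} and second oper{} sample sections are constructed.

```python
import base64
import binascii
import re

# Raw digest sizes in bytes (assumption: the base-64 string is the raw digest).
DIGEST_BYTES = {"ripemd/160": 20, "sha1/160": 20, "md5/128": 16}
AUTH_RE = re.compile(r"\bauth\s*\{(.*?)\}\s*;", re.S)
STRING_RE = re.compile(r'\bstring\s+(?:"([^"]*)"|([^;\s]+))\s*;')
TYPE_RE = re.compile(r"\btype\s+([^;\s]+)\s*;")

def lint_auth(conf):
    """Return (line, type, problem) tuples for risky auth{} sections."""
    findings = []
    for m in AUTH_RE.finditer(conf):
        line = conf.count("\n", 0, m.start()) + 1
        body = m.group(1)
        s = STRING_RE.search(body)
        t = TYPE_RE.search(STRING_RE.sub("", body))  # skip "type" inside a password
        if not s or not t:
            findings.append((line, None, "auth{} lacks string or type"))
            continue
        atype, quoted = t.group(1), s.group(1)  # quoted is None for a bare string
        if atype == "plaintext":
            findings.append((line, atype, "password stored in clear text"))
        elif atype in DIGEST_BYTES and quoted is None:
            findings.append((line, atype, "unquoted string: '=' will be ignored"))
        elif atype in DIGEST_BYTES:
            try:
                raw = base64.b64decode(quoted, validate=True)
            except binascii.Error:
                raw = b""
            if len(raw) != DIGEST_BYTES[atype]:
                findings.append((line, atype, "not a base-64 digest of this size"))
    return findings

# Constructed sample: lines 1-2 reuse the page's examples, lines 3-4 are made up.
SAMPLE = """\
oper alasdair { auth { string "ThisIsMyPassword"; type plaintext; }; };
vhost microsoft.com { auth { string "DDk7LopO093748gF5GJva3Z8ekk="; type ripemd/160; }; };
link hub.example.net { auth { string DDk7LopO093748gF5GJva3Z8ekk=; type sha1/160; }; };
oper bob { auth { string "DDk7LopO093748gF5GJva3Z8ekk="; type md5/128; }; };
"""

if __name__ == "__main__":
    for finding in lint_auth(SAMPLE):
        print(finding)
```

The des/56 and md5/56 types are not base-64 digests, so the check passes them through without a finding.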

Contained within the RageIRCd v2.0 distribution is a small utility called 
"mkpasswd". This is compiled with ircd, and installed alongside it. It is 
provided to allow server admins to quickly and easily generate encrypted 
password strings at the command prompt. Run ./rageircd mkpasswd -help for 
further information and syntax.

End of document.
