So after having to log in to #debian on freenode IRC several times while trying to fix a little udevd problem I had (thanks nsadmin and someone else I can’t find in the logs anymore… though I solved the problem by brute force, uninstalling and reinstalling udev thanks to this post) I finally decided to go through the one-time hassle of setting up authentication to avoid having to enter my password in plain text every time I log.
I’m using Debian Squeeze (6.0) with irssi 0.8.15.
After asking on #freenode how I could do this, I was told “SSL/SASL authentication”, and a Google search yielded Aaron Toponce’s useful howto for irssi, my client of choice. Of course, with Linux, mileage always varies since everyone’s setup (or in my case, attention span) is decidedly unique. So I started off trying the first command, which worked:
/server add -auto -ssl -network freenode_ssl irc.freenode.net 7070
which in turn required that I download the gandi.net certificate (in DER format). The conversion from DER to PEM worked smoothly, again as mentioned on the howto. Root or superuser permissions required for writing into the /usr/ tree:
cd /usr/share/ca-certificates mkdir gandi.net cd gandi.net wget http://crt.gandi.net/GandiStandardSSLCA.crt openssl x509 -inform der -outform pem < /usr/share/ca-certificates/gandi.net/GandiStandardSSLCA.crt > GandiStandardSSLCA.pem ln -s /usr/share/ca-certificates/gandi.net/GandiStandardSSLCA.pm /etc/ssl/certs/GandiStandardSSLCA.pem
As he’d mentioned, the first attempt at authentication failed. So I decided to skip ahead and grab the list of certs, which apparently can be found in Debian repositories as ca-certificates, i.e. a simple apt-get would suffice. His link to https://irc.freenode.net:7070 no longer allows a certificate download, though, so I tried:
apt-get install ca-certificates
…and I found of course that it was already installed. Whee. Accordingly, I removed the previous definition for freenode in my .irssi/config and ran this line:
/server add -auto -ssl -ssl_verify -ssl_capath /etc/ssl/certs -network freenode irc.freenode.net 6697
which settled the first step: SSL was set up.
Next, on to SASL: this was really the part that I wanted, the automated auth to Nickserv without putting your password in plaintext in some file. SSL wasn’t necessary, but why not secure your connection while you’re at it right?
Aaron’s pointer to a Perl script worked, but maybe Chromium mucked it up and gave me cap-sasl.download instead, which meant a rename was needed. Not much trouble, but maybe this might be better (I added steps to create the necessary directories first, since I didn’t have them):
mkdir ~/.irssi/scripts mkdir ~/.irssi/scripts/autorun && cd ~/.irssi/scripts wget http://freenode.net/sasl/cap_sasl.pl -O cap_sasl.pl ln -s cap_sasl.pl autorun/cap_sasl.pl
Linking it allows you to remove it from autorun should you decide SASL is no longer your thing, and to add it back later if you change your mind. So anyhow, it’s time to finish up. Run irssi – oh wait, some libraries are missing. At this point it might have been better to follow his advice (sort of) and apt-get install my way to victory:
apt-get install libcrypt-blowfish-perl libcrypt-dh-perl libcrypt-openssl-bignum-perl
But having heard of CPAN I decided to use that instead. You have to be root to install the libraries, so as root, run cpan and in the interactive prompt:
get Crypt::Blowfish Crypt::OpenSSL::Bignum Crypt::DH install Crypt::OpenSSL::Bignum Crypt::Blowfish Crypt::DH
which incidentally I only thought of combining onto one line while writing this today, three days after the fact 😛
Remember to log out of root when you don’t need to install stuff into /usr any more, and then run irssi and issue the following commands. The first was added for good measure, but really is redundant since cap_sasl.pl should be run automatically.
/run cap_sasl.pl /sasl set freenode_ssl <primary_nick> <password> DH-BLOWFISH /sasl save /save
And you’re set! Running irssi will automatically authenticate you to freenode. 🙂