The "sqlauth" Module (v4)
Description
This module allows connecting users to be authenticated against an arbitrary SQL table.
It only allows checking clients are allowed to connect (the PASS command), and does not provide any sort of user accounts (ie. no nickname registration, NickServ, or SASL).
Configuration
To load this module use the following <module> tag:
<module name="sqlauth">
<sqlauth>
The <sqlauth> tag defines settings about how the sqlauth module should behave. This tag can only be defined once.
| Name | Type | Default Value | Description |
|---|---|---|---|
| column | Text | None | The name of the column that the password is located in. |
| dbid | Text | None | Required! The name of the database connection to execute the query against. |
| hash | Text | md5,sha256 | Deprecated! A comma-delimited list of hash algorithms to check the password against. |
| kdf | Text | None | The name of a KDF to check the password against. |
| killreason | Text | None | Required! The message to kill users that fail to authenticate with. |
| query | Text | None | Required! The SQL query to authenticate users with. If this query returns one or more rows it is considered a success otherwise it is considered a failure. |
| verbose | Boolean | No | Whether to log failed authentications to snomask a (local) and snomask A (remote). |
The query field can contain any of the following template variables:
| Variable | Description |
|---|---|
| $address | The IP address or UNIX socket path of the connecting user. |
| $dhost | The public hostname of the connecting user. |
| $duser | The public username of the connecting user. |
| $host | The real hostname of the connecting user. |
| $md5pass | Deprecated! An MD5 hash of the password sent with /PASS by the connecting user (requires the md5 module). |
| $nick | The nickname of the connecting user. |
| $pass | Deprecated! The password sent with /PASS by the connecting user. |
| $real | The real name of the connecting user. |
| $server | The name of the server the connecting user connected to. |
| $sid | The unique identifier of the server the connecting user connected to. |
| $sha256pass | Deprecated! A SHA-256 hash of the password sent with /PASS by the connecting user (requires the sha2 module). |
| $user | The real username of the connecting user. |
| $uuid | The UUID of the connecting user. |
Example Usage
Checks the password by comparing against a database field specified in the config:
<sqlauth column="password"
kdf="bcrypt"
dbid="sqlauth"
killreason="Access denied"
query="SELECT * FROM users WHERE name='$nick' LIMIT 1"
verbose="no">
Deprecated! Checks the password using the existence of a row returned from the database:
<sqlauth hash="sha256"
dbid="sqlauth"
killreason="Access denied"
query="SELECT * FROM users WHERE name='$nick' AND password='$sha256pass' LIMIT 1"
verbose="no">
<sqlexemption>
The <sqlexemption> tag defines nick!user@host or nick!user@ip/cidr mask which are exempt from the authentication requirement. This tag can be defined as many times as required.
| Name | Type | Default Value | Description |
|---|---|---|---|
| mask | Text | None | Required! A nick!user@host or nick!user@ip/cidr mask which is exempt from the authentication requirement. |
Example Usage
<sqlexemption mask="*!*@127.0.0.0/8">
Special Notes
The following hashing modules are included with InspIRCd:
| Algorithm | Module(s) | Description |
|---|---|---|
| argon2d | argon2 | Hashes using the Argon2d algorithm. |
| argon2i | argon2 | Hashes using the Argon2i algorithm. |
| argon2id | argon2 | Hashes using the Argon2id algorithm. |
| bcrypt | bcrypt | Hashes using the bcrypt algorithm. |
| hmac-md5 | password_hash, md5 | Deprecated! Hashes using the MD5 and HMAC algorithms. |
| hmac-sha1 | password_hash, sha1 | Hashes using the SHA-1 and HMAC algorithms. |
| hmac-sha224 | password_hash, sha2 | Hashes using the SHA-224 and HMAC algorithms. |
| hmac-sha256 | password_hash, sha2 | Hashes using the SHA-256 and HMAC algorithms. |
| hmac-sha384 | password_hash, sha2 | Hashes using the SHA-384 and HMAC algorithms. |
| hmac-sha512 | password_hash, sha2 | Hashes using the SHA-512 and HMAC algorithms. |
| md5 | md5 | Deprecated! Hashes using the MD5 algorithm. |
| pbkdf2-hmac-md5 | pbkdf2, md5 | Deprecated! Hashes using the MD5 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha1 | pbkdf2, sha1 | Hashes using the SHA-1 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha224 | pbkdf2, sha2 | Hashes using the SHA-224 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha256 | pbkdf2, sha2 | Hashes using the SHA-256 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha384 | pbkdf2, sha2 | Hashes using the SHA-384 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha512 | pbkdf2, sha2 | Hashes using the SHA-512 and PBKDF2 algorithms. |
| sha1 | sha1 | Hashes using the SHA-1 algorithm. |
| sha224 | sha2 | Hashes using the SHA-224 algorithm. |
| sha256 | sha2 | Hashes using the SHA-256 algorithm. |
| sha384 | sha2 | Hashes using the SHA-384 algorithm. |
| sha512 | sha2 | Hashes using the SHA-512 algorithm. |
The following SQL modules are included with InspIRCd:
| Engine | Module | Description |
|---|---|---|
| mysql | mysql | Queries a MySQL database. |
| pgsql | pgsql | Queries a PostgreSQL database. |
| sqlite3 | sqlite3 | Queries an SQLite database. |