The "sqlauth" Module (v4)

Description

This module allows connecting users to be authenticated against an arbitrary SQL table.

It only checks whether clients are allowed to connect (using the PASS command), and does not provide any sort of user accounts (i.e. no nickname registration, NickServ, or SASL).

Configuration

To load this module use the following <module> tag:

<module name="sqlauth">

<sqlauth>

The <sqlauth> tag defines settings about how the sqlauth module should behave. This tag can only be defined once.

| Name | Type | Default Value | Description |
|---|---|---|---|
| column | Text | None | The name of the column that the password is located in. |
| dbid | Text | None | Required! The name of the database connection to execute the query against. |
| hash | Text | md5,sha256 | Deprecated! A comma-delimited list of hash algorithms to check the password against. |
| kdf | Text | None | The name of a KDF to check the password against. |
| killreason | Text | None | Required! The message to kill users that fail to authenticate with. |
| query | Text | None | Required! The SQL query to authenticate users with. If this query returns one or more rows it is considered a success; otherwise it is considered a failure. |
| verbose | Boolean | No | Whether to log failed authentications to snomask a (local) and snomask A (remote). |

The query field can contain any of the following template variables:

| Variable | Description |
|---|---|
| $address | The IP address or UNIX socket path of the connecting user. |
| $dhost | The public hostname of the connecting user. |
| $duser | The public username of the connecting user. |
| $host | The real hostname of the connecting user. |
| $md5pass | Deprecated! An MD5 hash of the password sent with /PASS by the connecting user (requires the md5 module). |
| $nick | The nickname of the connecting user. |
| $pass | Deprecated! The password sent with /PASS by the connecting user. |
| $real | The real name of the connecting user. |
| $server | The name of the server the connecting user connected to. |
| $sid | The unique identifier of the server the connecting user connected to. |
| $sha256pass | Deprecated! A SHA-256 hash of the password sent with /PASS by the connecting user (requires the sha2 module). |
| $user | The real username of the connecting user. |
| $uuid | The UUID of the connecting user. |

Example Usage

Checks the password by comparing against a database field specified in the config:

<sqlauth column="password"
         kdf="bcrypt"
         dbid="sqlauth"
         killreason="Access denied"
         query="SELECT * FROM users WHERE name='$nick' LIMIT 1"
         verbose="no">

Deprecated! Checks the password using the existence of a row returned from the database:

<sqlauth hash="sha256"
         dbid="sqlauth"
         killreason="Access denied"
         query="SELECT * FROM users WHERE name='$nick' AND password='$sha256pass' LIMIT 1"
         verbose="no">
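
The difference between the two modes above, modelled as an added example (this is not InspIRCd code). The users table layout, the legacy_sha256 column, the accounts, and the use of salted PBKDF2-HMAC-SHA256 with a "salt$digest" encoding as a stand-in for the configured kdf are all assumptions of this sketch; the queries bind parameters where the module would substitute $nick and $sha256pass.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 100_000  # constructed work factor for this example

def kdf_hash(password, salt=None):
    """Salted PBKDF2 stand-in for the kdf; 'salt_hex$digest_hex' is an illustrative encoding."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def kdf_verify(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def make_db():
    # Constructed table: two users who happen to share one password.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, legacy_sha256 TEXT)")
    for name, pw in [("alice", "hunter2"), ("bob", "hunter2")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, kdf_hash(pw), hashlib.sha256(pw.encode()).hexdigest()))
    return db

def auth_row_exists(db, nick, password):
    """Deprecated mode: the database compares an unsalted hash; any returned row is success."""
    sha256pass = hashlib.sha256(password.encode()).hexdigest()
    rows = db.execute("SELECT * FROM users WHERE name=? AND legacy_sha256=? LIMIT 1",
                      (nick, sha256pass)).fetchall()
    return len(rows) >= 1

def auth_column_kdf(db, nick, password):
    """column + kdf mode: select by nick only, then verify against the named column."""
    row = db.execute("SELECT password FROM users WHERE name=? LIMIT 1",
                     (nick,)).fetchone()
    return row is not None and kdf_verify(password, row[0])

def shared_password_visible(db):
    """Do the two users' stored values match, per storage scheme?"""
    rows = db.execute("SELECT password, legacy_sha256 FROM users ORDER BY name").fetchall()
    return {"kdf": rows[0][0] == rows[1][0], "legacy": rows[0][1] == rows[1][1]}
```

Both functions accept and reject the same logins, but only the unsalted column stores identical values for users with identical passwords, which is what a salted KDF column avoids.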

<sqlexemption>

The <sqlexemption> tag defines a nick!user@host or nick!user@ip/cidr mask which is exempt from the authentication requirement. This tag can be defined as many times as required.

| Name | Type | Default Value | Description |
|---|---|---|---|
| mask | Text | None | Required! A nick!user@host or nick!user@ip/cidr mask which is exempt from the authentication requirement. |

Example Usage

<sqlexemption mask="*!*@127.0.0.0/8">

Special Notes

The following hashing modules are included with InspIRCd:

| Algorithm | Module(s) | Description |
|---|---|---|
| argon2d | argon2 | Hashes using the Argon2d algorithm. |
| argon2i | argon2 | Hashes using the Argon2i algorithm. |
| argon2id | argon2 | Hashes using the Argon2id algorithm. |
| bcrypt | bcrypt | Hashes using the bcrypt algorithm. |
| hmac-md5 | password_hash, md5 | Deprecated! Hashes using the MD5 and HMAC algorithms. |
| hmac-sha1 | password_hash, sha1 | Hashes using the SHA-1 and HMAC algorithms. |
| hmac-sha224 | password_hash, sha2 | Hashes using the SHA-224 and HMAC algorithms. |
| hmac-sha256 | password_hash, sha2 | Hashes using the SHA-256 and HMAC algorithms. |
| hmac-sha384 | password_hash, sha2 | Hashes using the SHA-384 and HMAC algorithms. |
| hmac-sha512 | password_hash, sha2 | Hashes using the SHA-512 and HMAC algorithms. |
| md5 | md5 | Deprecated! Hashes using the MD5 algorithm. |
| pbkdf2-hmac-md5 | pbkdf2, md5 | Deprecated! Hashes using the MD5 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha1 | pbkdf2, sha1 | Hashes using the SHA-1 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha224 | pbkdf2, sha2 | Hashes using the SHA-224 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha256 | pbkdf2, sha2 | Hashes using the SHA-256 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha384 | pbkdf2, sha2 | Hashes using the SHA-384 and PBKDF2 algorithms. |
| pbkdf2-hmac-sha512 | pbkdf2, sha2 | Hashes using the SHA-512 and PBKDF2 algorithms. |
| sha1 | sha1 | Hashes using the SHA-1 algorithm. |
| sha224 | sha2 | Hashes using the SHA-224 algorithm. |
| sha256 | sha2 | Hashes using the SHA-256 algorithm. |
| sha384 | sha2 | Hashes using the SHA-384 algorithm. |
| sha512 | sha2 | Hashes using the SHA-512 algorithm. |

The following SQL modules are included with InspIRCd:

| Engine | Module | Description |
|---|---|---|
| mysql | mysql | Queries a MySQL database. |
| pgsql | pgsql | Queries a PostgreSQL database. |
| sqlite3 | sqlite3 | Queries an SQLite database. |