diff options
| author | Sébastien Helleu <flashcode@flashtux.org> | 2020-04-14 21:34:46 +0200 |
|---|---|---|
| committer | Sébastien Helleu <flashcode@flashtux.org> | 2020-04-14 21:38:12 +0200 |
| commit | 9fa3609c85e4b6608d366bed4e47ab9553cd5bc9 (patch) | |
| tree | 9e5a3db61942617a2be5a0300d95703a94a47d76 /doc/en/autogen | |
| parent | ccd45e4921ff5614f65dad6d742a58225fde92a6 (diff) | |
| download | weechat-9fa3609c85e4b6608d366bed4e47ab9553cd5bc9.zip | |
relay: add command "handshake" in weechat relay protocol and nonce to prevent replay attacks (closes #1474)
This introduces a new command called "handshake" in the weechat relay protocol.
It should be sent by the client before the "init" command, to negotiate the way
to authenticate with a password.
3 new options are added:
* relay.network.auth_password
* relay.network.hash_iterations
* relay.network.nonce_size
Diffstat (limited to 'doc/en/autogen')
| -rw-r--r-- | doc/en/autogen/user/relay_options.adoc | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/en/autogen/user/relay_options.adoc b/doc/en/autogen/user/relay_options.adoc index ad86251b0..e80012a79 100644 --- a/doc/en/autogen/user/relay_options.adoc +++ b/doc/en/autogen/user/relay_options.adoc @@ -116,6 +116,12 @@ ** values: any string ** default value: `+""+` +* [[option_relay.network.auth_password]] *relay.network.auth_password* +** description: pass:none[comma separated list of hash algorithms used for password authentication in weechat protocol, among these values: "plain" (password in plain text, not hashed), "sha256", "sha512", "pbkdf2+sha256", "pbkdf2+sha512"), "*" means all algorithms, a name beginning with "!" is a negative value to prevent an algorithm from being used, wildcard "*" is allowed in names (examples: "*", "pbkdf2*", "*,!plain")] +** type: string +** values: any string +** default value: `+"*"+` + * [[option_relay.network.auth_timeout]] *relay.network.auth_timeout* ** description: pass:none[timeout (in seconds) for client authentication: connection is closed if the client is still not authenticated after this delay and the client status is set to "authentication failed" (0 = wait forever)] ** type: integer @@ -140,6 +146,12 @@ ** values: 0 .. 9 ** default value: `+6+` +* [[option_relay.network.hash_iterations]] *relay.network.hash_iterations* +** description: pass:none[number of iterations asked to the client in weechat protocol when a hashed password with algorithm PBKDF2 is used for authentication; more iterations is better in term of security but is slower to compute; this number should not be too high if your CPU is slow] +** type: integer +** values: 1 .. 1000000 +** default value: `+100000+` + * [[option_relay.network.ipv6]] *relay.network.ipv6* ** description: pass:none[listen on IPv6 socket by default (in addition to IPv4 which is default); protocols IPv4 and IPv6 can be forced (individually or together) in the protocol name (see /help relay)] ** type: boolean @@ -152,6 +164,12 @@ ** values: 0 .. 2147483647 ** default value: `+5+` +* [[option_relay.network.nonce_size]] *relay.network.nonce_size* +** description: pass:none[size of nonce (in bytes), generated when a client connects; the client must use this nonce, concatenated to the client nonce and the password when hashing the password in the "init" command of the weechat protocol] +** type: integer +** values: 8 .. 128 +** default value: `+16+` + * [[option_relay.network.password]] *relay.network.password* ** description: pass:none[password required by clients to access this relay (empty value means no password required, see option relay.network.allow_empty_password) (note: content is evaluated, see /help eval)] ** type: string |