Connect to Freenode with Irssi through SSL and SASL

Tags irc irssi
Posted by Logan

My dynamic IP address, which is provided by my ISP, seems to be blocked by Freenode (because it is easy for us to get another IP.) According to the error message, I should connect and login with SASL. It took me a while to figure out a solution, thus I believe that it worths writing my attempts in a blog post.

This post will cover two topics:

  • How to enable SASL support in Irssi 0.8.17?
  • How to exchange public keys manually?

Add SASL Support to Irssi

As of writing, Irssi 0.8.17 is the version which we can installed with apt on Ubuntu 15.10. But, unfortunately, it does not include SASL support. Although the latest Irssi 0.8.18 adds the SASL support, it will take some time to propagate through different Linux distributions. Thus, we have to manually install SASL plug-in to our Irssi 0.8.17 installation.

Yet another concern is that SASL plug-in requires Crypt::PK::ECC module from CPAN. However, there is no prebuilt Debian packages for this Perl module. We have to build it by ourselves.

In summary, there are three steps to do:

  1. Configure CPAN, the Perl module repository and installation manager.
  2. Build and install Crypt::PK::ECC Perl module.
  3. Install SASL plug-in.

Let's start!

Configure CPAN

If you are a Linux end-user, it is unlikely for you to install a Perl module via cpan. As a result, ~/.cpan doesn't exist and you have to configure cpan first.

To configure cpan, simply run cpan -v, and answer several questions:

$ cpan -v
Sorry, we have to rerun the configuration dialog for CPAN.pm due to
some missing parameters. Configuration will be written to
 <</home/logan/.cpan/CPAN/MyConfig.pm>>

CPAN.pm requires configuration, but most of it can be done automatically.
If you answer 'no' below, you will enter an interactive dialog for each
configuration option instead.

Would you like to configure as much as possible automatically? [yes]

First, you will be asked whether to create the configuration file with default options or not. We can choose yes and press enter.

<install_help>

Warning: You do not have write permission for Perl library directories.

To install modules, you need to configure a local Perl library directory or
escalate your privileges.  CPAN can help you by bootstrapping the local::lib
module or by configuring itself to use 'sudo' (if available).  You may also
resolve this problem manually if you need to customize your setup.

What approach do you want?  (Choose 'local::lib', 'sudo' or 'manual')
 [local::lib] manual

Second, you will be asked about the installation destination. Choose manual so that we can resolve the problem by ourselves.

Build a Debian Package of a Perl Module

Although we can install Perl packages with cpan, packing it as a Debian package makes it easier to uninstall them in the future. Fortunately, it is easy to pack one with dh-make-perl.

First, we have to install dh-make-perl:

$ sudo apt-get install dh-make-perl

Second, we can create a Debian package with:

$ dh-make-perl --build --cpan Crypt::PK::ECC
== dh-make-perl 0.87 ==
# ... output skipped ...

Third, we can install the Debian package with:

$ sudo dpkg -i libcryptx-perl_*.deb

OPTIONAL: You can remove ~/.cpan directory and dh-make-perl package now (if you wish.) We don't need them anymore.

Install SASL Plug-in

Finally, we can install SASL plug-in for Irssi:

# Create a scripts directory
$ mkdir -p ~/.irssi/scripts/autorun

# Download the SASL plug-in for Irssi
$ wget -O ~/.irssi/scripts/cal_sasl.pl \
    https://raw.githubusercontent.com/atheme/atheme/master/contrib/cap_sasl.pl

# Create a soft link so that it will be loaded automatically
$ ln -s ../cal_sasl.pl ~/.irssi/scripts/autorun

Setup SASL for Freenode

If you can connect to Freenode, you can enable SASL simply by doing:

/sasl keygen
/sasl save

However, unfortunately, if you can't connect to Freenode without SASL, then you have to set up the settings by yourself.

First, generate a pair of public and private keys with:

/sasl keygen [NETWORK-NAME]

Note: Please replace [NETWORK-NAME] with the network name you would like to use. In my example, it is freenode.

A message will be printed:

15:29 -!- Irssi: /sasl set freenode <nick> sasl-ecdsa-freenode.key
          ECDSA-NIST256P-CHALLENGE
15:29 -!- Irssi: SASL: submit your pubkey to freenode:
15:29 -!- Irssi: /msg NickServ SET PUBKEY
          Anp3i5dEPsFsV9zI00b5YN/c8/JNEwwlo7TLdsMdaL7O

From this message, we know that:

  1. The private key is available at $HOME/.irssi/sasl-ecdsa-freenode.key.
  2. The public key is Anp3i5dEPsFsV9zI00b5YN/c8/JNEwwlo7TLdsMdaL7O. You will need the public key in the upcoming step.

Second, ask Irssi to loaded the private key with:

/sasl set [NETWORK-NAME] [NICK] [PRIVATE-KEY-PATH] ECDSA-NIST256P-CHALLENGE
/sasl save

Note: Please replace [NETWORK-NAME] with the network name, [NICK] with your nick name on the network, and [PRIVATE-KEY-PATH] with your private key file path printed above.

Third, log in Freenode via Freenode Web IRC. Authenticate for the nick name with:

/msg NickServ identify [PASSWORD]

And then, set the public key with:

/msg NickServ SET PUBKEY [KEY]

Logout from the Freenode Web IRC with:

/quit

Finally, you should be able to connect to Freenode with Irssi:

$ irssi

Remarks

Although this might be off-topic, I am connecting to Freenode with SSL encryption as well. If you do care about your privacy and/or data integrity, it will be a good idea to enable SSL encryption. This is my Irssi server configuration:

{
  address = "irc.freenode.net";
  chatnet = "freenode";
  port = "6697";
  password = "[PASSWORD]";
  use_ssl = "yes";
  ssl_verify = "yes";
},