Page MenuHomePhabricator

Promote use of SASL for Cloud VPS/Toolforge hosted / Freenode IRC bots
Open, Needs TriagePublic


All IRC connections to public IRC networks originating from the Cloud-VPS/Toolforge network should be required to use SASL authentication. This would provide IRC network moderators with the ability to target individual bots which are misbehaving rather than having to fall back to IP range based blocking as is the worst case today.

Requiring authentication as a part of the process of connecting to IRC can be seen as a similar protection as the currently enforced authentication for MediaWiki API write use from the Cloud VPS/Toolforge network.

The visibility into specific bots this would give to IRC network staff would also make it easier for IRC bot operators to comply with the directive from the Cloud Services Terms of Use to "Do not interfere with other users’ projects, by being respectful of system and network resources".

Proposed implementation

  • Write up a Phabricator task describing the problem and proposed solution
  • Set a reasonably long, but firm, deadline for enforcing SASL auth-only access restrictions for our network addresses
  • Begin education campaign to convert bots to SASL authentication
    • cloud-announce post
    • wikitech documentation
    • phabricator tasks for known bots
  • Work as a community to help get as many bots as possible updated before the deadline
  • Ask IRC network(s) to implement the range restriction


T151704: Libera Chat may throttle bot connections from tools has been an ongoing concern for years. Various attempts have been made to provide IRC network staff with more visibility into the Cloud VPS/Toolforge environment, but these efforts have not led to perfect implementation.

Passing ident requests from IRC network servers through the Wikimedia Cloud NAT gateway and back to Cloud VPS instances has proved to be technically challenging. These challenges are even more pronounced for IRC bots running on the Toolforge Kubernetes cluster which introduces yet another layer of software-defined networking as well as single process containers which would need some sort of proxy or "sidecar" container to actually process the ident request.

Following a recent k-line event involving the shared NAT gateway, discussion turned to alternatives to ident answers to allow IRC network staff to more tightly target blocks against misbehaving and deliberately malicious IRC bots. IRC network staff were able to confirm that ident results would not have been sufficient to prevent the k-line action, but that having all connections behind our NAT gateway authenticated to NickServ would have allowed fine grained blocking.

How to use SASL

Event Timeline

[disclaimer] I have authored this task and I am also a admin user of both Cloud VPS and Toolforge. This is not however currently an initiative being led by the cloud-services-team or Developer-Advocacy. It is instead a proposal for collaborative action by others like me who operate Freenode IRC bots from the Cloud VPS/Toolforge IP space in support of the Wikimedia movement. I would like to help with this effort beyond just writing a Phabricator task, but I also do not want this work to be seen as a solo effort by me or an "official" action by WMCS.

Having had discussions with freenode staff on this, I think this is the right thing to do to protect properly behaving bots. The best analogy is that Wikimedia wikis require that all bots be logged in to edit - this is the same but for freenode instead.

Based on pinging @Krinkle @Rxy @Danilo @Platonides @Petrb @-jem- @stwalkerster @Jyothis (please ignore if your IRC bot doesn't run out of WMCS/Toolforge)

  • Do your bots currently connect with SASL? If not, would it be possible to switch over? Do you see any issues that would prevent you from doing so?
  • How much time would you need to do so? Is 3 months reasonable? 6?
  • What kind of assistance/help/etc. would you like?
  • Any other concerns with this proposal?

I am also willing to work with any developers to the best of my ability to get SASL working on their IRC bot.

I'm not currently running an IRC bot from Toolforge, but I have been using SASL for a long time. That code was already there 5 years ago.

In case this happens to be useful for other bot owners, the relevant code is:

a) send CAP REQ :sasl (plus any other extensions you may want) before NICK and USER lines.

b) in the parsing loop:

case "CAP":
        if (substr_compare($params[3], "ACK :", 0, 5) === 0) {
                $acked_caps = explode(" ", substr($params[3], 5));
                if (in_array("sasl", $acked_caps)) {
                        send("AUTHENTICATE PLAIN");
case "+": // "AUTHENTICATE +"
        if ($params[0] == "AUTHENTICATE") {
                send("AUTHENTICATE " . base64_encode("$botnick\x00$botnick\x00$password"));
case "903": // RPL_SASLSUCCESS
case "904": // ERR_SASLFAIL
        send("CAP END");

come to think about it, there might be a good idea to have some flag which detects if the authentication already finished, thus not letting the server to make you re-authenticate. Albeit if you are connected to a now-compromised server, this might be the least of your worries.

Aklapper renamed this task from Promote use of SASL for Cloud VPS/Toolforge hosted Freenode IRC bots to Promote use of SASL for Cloud VPS/Toolforge hosted / Freenode IRC bots.May 21 2021, 10:23 AM