Page MenuHomePhabricator
Create Task
Maniphest T278584

Promote use of SASL for Cloud VPS/Toolforge hosted Libera.chat / Freenode IRC bots
Open, Needs TriagePublic
Actions

Description

All IRC connections to public IRC networks originating from the Cloud-VPS/Toolforge network should be required to use SASL authentication. This would provide IRC network moderators with the ability to target individual bots which are misbehaving rather than having to fall back to IP range based blocking as is the worst case today.

Requiring authentication as a part of the process of connecting to IRC can be seen as a similar protection as the currently enforced authentication for MediaWiki API write use from the Cloud VPS/Toolforge network.

The visibility into specific bots this would give to IRC network staff would also make it easier for IRC bot operators to comply with the directive from the Cloud Services Terms of Use to "Do not interfere with other users’ projects, by being respectful of system and network resources".

Proposed implementation

  • Write up a Phabricator task describing the problem and proposed solution
  • Set a reasonably long, but firm, deadline for enforcing SASL auth-only access restrictions for our network addresses
  • Begin education campaign to convert bots to SASL authentication
    • cloud-announce post
    • wikitech documentation
    • phabricator tasks for known bots
  • Work as a community to help get as many bots as possible updated before the deadline
  • Ask IRC network(s) to implement the range restriction

Rationale

T151704: Libera Chat may throttle bot connections from tools has been an ongoing concern for years. Various attempts have been made to provide IRC network staff with more visibility into the Cloud VPS/Toolforge environment, but these efforts have not led to perfect implementation.

Passing ident requests from IRC network servers through the Wikimedia Cloud NAT gateway and back to Cloud VPS instances has proved to be technically challenging. These challenges are even more pronounced for IRC bots running on the Toolforge Kubernetes cluster which introduces yet another layer of software-defined networking as well as single process containers which would need some sort of proxy or "sidecar" container to actually process the ident request.

Following a recent k-line event involving the shared nat.openstack.eqiad1.wikimediacloud.org NAT gateway, discussion turned to alternatives to ident answers to allow IRC network staff to more tightly target blocks against misbehaving and deliberately malicious IRC bots. IRC network staff were able to confirm that ident results would not have been sufficient to prevent the k-line action, but that having all connections behind our NAT gateway authenticated to NickServ would have allowed fine grained blocking.

How to use SASL

Related Objects
Search...

Event Timeline

bd808 created this task.Mar 26 2021, 8:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 26 2021, 8:25 PM
bd808 added a parent task: T151704: Libera Chat may throttle bot connections from tools.Mar 26 2021, 8:26 PM
bd808 added subtasks: Restricted Task, T275664: wikibugs should authenticate using SASL, T200922: Have wm-bot use SASL or solve global bans problem.
bd808 added a comment.Mar 26 2021, 8:33 PM

[disclaimer] I have authored this task and I am also a admin user of both Cloud VPS and Toolforge. This is not however currently an initiative being led by the cloud-services-team or Developer-Advocacy. It is instead a proposal for collaborative action by others like me who operate Freenode IRC bots from the Cloud VPS/Toolforge IP space in support of the Wikimedia movement. I would like to help with this effort beyond just writing a Phabricator task, but I also do not want this work to be seen as a solo effort by me or an "official" action by WMCS.

taavi subscribed.Mar 26 2021, 8:35 PM
Legoktm subscribed.Mar 26 2021, 8:44 PM

Having had discussions with freenode staff on this, I think this is the right thing to do to protect properly behaving bots. The best analogy is that Wikimedia wikis require that all bots be logged in to edit - this is the same but for freenode instead.

Legoktm added subscribers: Jyothis, stwalkerster, Platonides and 5 others.Mar 26 2021, 8:55 PM

Based on https://meta.wikimedia.org/wiki/IRC/Bots pinging @Krinkle @Rxy @Danilo @Platonides @Petrb @-jem- @stwalkerster @Jyothis (please ignore if your IRC bot doesn't run out of WMCS/Toolforge)

  • Do your bots currently connect with SASL? If not, would it be possible to switch over? Do you see any issues that would prevent you from doing so?
  • How much time would you need to do so? Is 3 months reasonable? 6?
  • What kind of assistance/help/etc. would you like?
  • Any other concerns with this proposal?
Sario528 subscribed.Mar 26 2021, 10:19 PM
bd808 updated the task description. (Show Details)Mar 26 2021, 10:34 PM
Peachey88 subscribed.Mar 26 2021, 10:42 PM
Zppix subscribed.Mar 26 2021, 11:24 PM

I am also willing to work with any developers to the best of my ability to get SASL working on their IRC bot.

taavi added a subtask: T278628: Use SASL in SULWatcher.Mar 27 2021, 6:33 PM
Platonides added a comment.Mar 28 2021, 1:02 AM

I'm not currently running an IRC bot from Toolforge, but I have been using SASL for a long time. That code was already there 5 years ago.

In case this happens to be useful for other bot owners, the relevant code is:

a) send CAP REQ :sasl (plus any other extensions you may want) before NICK and USER lines.

b) in the parsing loop:

case "CAP":
        if (substr_compare($params[3], "ACK :", 0, 5) === 0) {
                # http://ircv3.net/specs/extensions/sasl-3.1.html
                $acked_caps = explode(" ", substr($params[3], 5));
                if (in_array("sasl", $acked_caps)) {
                        send("AUTHENTICATE PLAIN");
                }
        }
        break;
case "+": // "AUTHENTICATE +"
        if ($params[0] == "AUTHENTICATE") {
                send("AUTHENTICATE " . base64_encode("$botnick\x00$botnick\x00$password"));
        }
        break;
case "903": // RPL_SASLSUCCESS
case "904": // ERR_SASLFAIL
        send("CAP END");
        break;

come to think about it, there might be a good idea to have some flag which detects if the authentication already finished, thus not letting the server to make you re-authenticate. Albeit if you are connected to a now-compromised server, this might be the least of your worries.

taavi closed subtask T278628: Use SASL in SULWatcher as Resolved.May 9 2021, 11:37 AM
Aklapper renamed this task from Promote use of SASL for Cloud VPS/Toolforge hosted Freenode IRC bots to Promote use of SASL for Cloud VPS/Toolforge hosted Libera.chat / Freenode IRC bots.May 21 2021, 10:23 AM
bd808 mentioned this in T151704: Libera Chat may throttle bot connections from tools.May 24 2021, 11:17 PM
bd808 updated the task description. (Show Details)May 24 2021, 11:21 PM
Legoktm closed subtask T275664: wikibugs should authenticate using SASL as Resolved.May 30 2021, 5:44 AM
Krinkle awarded a token.Jul 11 2021, 1:45 AM
bd808 mentioned this in T286695: Request creation of wikisp VPS project.Jul 22 2021, 10:04 PM
bd808 added a subtask: T287265: profile::icinga::ircbot trying to run icinga-wm without proper password from monitoring Cloud VPS project.Jul 23 2021, 4:48 PM
fgiunchedi closed subtask T287265: profile::icinga::ircbot trying to run icinga-wm without proper password from monitoring Cloud VPS project as Resolved.Jul 26 2021, 10:07 AM
bd808 mentioned this in T357729: wikibugs having a hard time staying connected to libera.chat IRC network.Feb 16 2024, 9:37 PM
GeneralNotability subscribed.Mar 23 2024, 10:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL