PBKDF2 transition: Difference between revisions
(Created page with "== Transitioning to PBKDF2 from Blowfish == With the release of Eggdrop 1.9.0, an updated crytopgraphy module (PBKDF2) was released for use with Eggdrop. PBKDF2 is a one-way hashing algorithm used to protect the contents of the password file, as well as for use via the Tcl interface. Prior to this, blowfish was used for cryptographic requirements, such as hashing passwords for storage in the userfile. == Running Eggdrop for the first time? == TL;DR: comment out the 'l...") |
(PBKDF2 upgrade options) |
||
Line 23: | Line 23: | ||
==== Enabling hybrid configuration ==== | ==== Enabling hybrid configuration ==== | ||
# BACK UP YOUR USERFILE! This is the file that usually ends with '.user' | |||
# Ensure<br><pre>loadmodule blowfish</pre>is added to the config file and not commented out (it should already be there). | |||
# Ensure<br><pre>loadmodule pbkdf2</pre> is uncommented in the config file (or added, if this is a config file from 1.8) | |||
# Start Eggdrop | |||
# If this is your first time starting this Eggdrop, follow the instructions it gives you at startup to identify yourself. Otherwise, for an existing Eggdrop where you are already added to the userfile, log in as usual to the partyline via telnet or DCC, or authenticate via a message command like /msg bot op <password> | |||
# Sit back and enjoy a cold beverage, you did it! Now encourage the rest of your users to log in so that their passwords are updated to the new format as well. | |||
=== Solo configuration === | |||
With a solo configuration, Eggdrop will only run the pbkdf2 module. Eggdrop will not be able to authenticate against passwords in an already-existing userfile and thus will require every user to set a | With a solo configuration, Eggdrop will only run the pbkdf2 module. Eggdrop will not be able to authenticate against passwords in an already-existing userfile and thus will require every user to set a | ||
Line 49: | Line 37: | ||
SECURITY CONSIDERATION: This configuration is not ideal for transitioning an existing userfile to PBKDF2. Without the blowfish module loaded, every user in the userfile essentially has no password set. This means any other user that matches a hostmask applied to a handle (!@*.aol.com, I'm looking at you) could set the password and gain access to that user's Eggdrop account. | SECURITY CONSIDERATION: This configuration is not ideal for transitioning an existing userfile to PBKDF2. Without the blowfish module loaded, every user in the userfile essentially has no password set. This means any other user that matches a hostmask applied to a handle (!@*.aol.com, I'm looking at you) could set the password and gain access to that user's Eggdrop account. | ||
==== Enabling solo configuration ==== | |||
# BACK UP YOUR USERFILE! This is the file that usually ends with ".user'" | |||
# Remove or comment<br<pre>loadmodule blowfish</pre> from your config file. | |||
# Ensure<br><pre>loadmodule pbkdf2</pre> is uncommented (or added, if this is a config file from 1.8) from your config file. | |||
# Start Eggdrop | |||
# If this is your first time starting this Eggdrop, follow the instructions it gives you at startup to identify yourself. Otherwise, for an existing Eggdrop where you are already added to the userfile, set a new password via /msg bot PASS <password> | |||
# Sit back and enjoy a fancy lobster dinner, you did it! If there are other users already added to the bot, DEFINITELY encourage them to set a new password IMMEDIATELY! |
Latest revision as of 17:10, 19 July 2022
Transitioning to PBKDF2 from Blowfish
With the release of Eggdrop 1.9.0, an updated crytopgraphy module (PBKDF2) was released for use with Eggdrop. PBKDF2 is a one-way hashing algorithm used to protect the contents of the password file, as well as for use via the Tcl interface. Prior to this, blowfish was used for cryptographic requirements, such as hashing passwords for storage in the userfile.
Running Eggdrop for the first time?
TL;DR: comment out the 'loadmodule blowfish' line. You don't need or want it for a new Eggdrop install.
The default configuration of Eggdrop 1.9.0 has both the blowfish and pbkdf2 modules enabled (see Hybrid Configuration below). This will allow users upgrading a seamless transition to the PBKDF2 module. For users starting an Eggdrop for the first time, it is recommended to comment out the 'loadmodule blowfish' line, in order to implement the Solo Configuration method.
What about botnets?
If you are linking bots, you'll need to ensure the same module is loaded on both bots (ie, if the hub bot is using the pbkdf2 module, the leaf bots must have pbkdf2 loaded as well in order to enable authentication checks).
Upgrade Scenarios
There are two ways to implement PBKDF2- Hybrid configuration, which is recommended for transitioning an already-existing userfile to PBKDF2 by working with the blowfish module, and Solo configuration, which is recommended for use when starting a new Eggdrop for the first time.
Hybrid Configuration
With a hybrid configuration, Eggdrop will run both the blowfish and the pbkdf2 modules concurrently. This will allow Eggdrop to authenticate users against their existing blowfish passwords stored in the userfile. However, the first time a user logs in, the pbkdf2 module will hash the (correct) password they enter and save it to the userfile. The pbkdf2-hashed password will then be used for all future logins.
Enabling hybrid configuration
- BACK UP YOUR USERFILE! This is the file that usually ends with '.user'
- Ensure
loadmodule blowfish
is added to the config file and not commented out (it should already be there). - Ensure
loadmodule pbkdf2
is uncommented in the config file (or added, if this is a config file from 1.8) - Start Eggdrop
- If this is your first time starting this Eggdrop, follow the instructions it gives you at startup to identify yourself. Otherwise, for an existing Eggdrop where you are already added to the userfile, log in as usual to the partyline via telnet or DCC, or authenticate via a message command like /msg bot op <password>
- Sit back and enjoy a cold beverage, you did it! Now encourage the rest of your users to log in so that their passwords are updated to the new format as well.
Solo configuration
With a solo configuration, Eggdrop will only run the pbkdf2 module. Eggdrop will not be able to authenticate against passwords in an already-existing userfile and thus will require every user to set a password again, as if they were just added to Eggdrop. This can be done via the PASS msg command (/msg bot PASS <password>) or by having a user with appropriate permissions (and an already-set password) log into the partyline and use the '.chpass' command.
SECURITY CONSIDERATION: This configuration is not ideal for transitioning an existing userfile to PBKDF2. Without the blowfish module loaded, every user in the userfile essentially has no password set. This means any other user that matches a hostmask applied to a handle (!@*.aol.com, I'm looking at you) could set the password and gain access to that user's Eggdrop account.
Enabling solo configuration
- BACK UP YOUR USERFILE! This is the file that usually ends with ".user'"
- Remove or comment<br
loadmodule blowfish
from your config file. - Ensure
loadmodule pbkdf2
is uncommented (or added, if this is a config file from 1.8) from your config file. - Start Eggdrop
- If this is your first time starting this Eggdrop, follow the instructions it gives you at startup to identify yourself. Otherwise, for an existing Eggdrop where you are already added to the userfile, set a new password via /msg bot PASS <password>
- Sit back and enjoy a fancy lobster dinner, you did it! If there are other users already added to the bot, DEFINITELY encourage them to set a new password IMMEDIATELY!