diff options
-rw-r--r-- | docs/conf/modules.conf.example | 7 | ||||
-rw-r--r-- | src/modules/m_sasl.cpp | 4 |
2 files changed, 11 insertions, 0 deletions
diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example index b39ee5d2b..8e193904d 100644 --- a/docs/conf/modules.conf.example +++ b/docs/conf/modules.conf.example @@ -1591,6 +1591,13 @@ # Layer via AUTHENTICATE. Note: You also need to have m_cap.so loaded # for SASL to work. #<module name="m_sasl.so"> +# Define the following to your services server name to improve security +# by ensuring the SASL messages are only sent to the services server +# and not to all connected servers. This prevents a rogue server from +# capturing SASL messages. Having this defined can also improve client +# connections when your services are down, as the client will be told +# that SASL failed rather than just timing out on registration. +#<sasl target="services.mynetwork.com"> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # Secure list module: Prevent /LIST in the first minute of connection, diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp index 5afab9502..8ac43fba7 100644 --- a/src/modules/m_sasl.cpp +++ b/src/modules/m_sasl.cpp @@ -35,6 +35,10 @@ static void SendSASL(const parameterlist& params) { if (!ServerInstance->PI->SendEncapsulatedData(params)) { + User* u = ServerInstance->FindUUID(params[2]); + if (u) + u->WriteNumeric(904, "%s :SASL authentication failed", u->nick.c_str()); + SASLFallback(NULL, params); } } |