summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/conf/modules.conf.example7
-rw-r--r--src/modules/m_sasl.cpp4
2 files changed, 11 insertions, 0 deletions
diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example
index b39ee5d2b..8e193904d 100644
--- a/docs/conf/modules.conf.example
+++ b/docs/conf/modules.conf.example
@@ -1591,6 +1591,13 @@
# Layer via AUTHENTICATE. Note: You also need to have m_cap.so loaded
# for SASL to work.
#<module name="m_sasl.so">
+# Define the following to your services server name to improve security
+# by ensuring the SASL messages are only sent to the services server
+# and not to all connected servers. This prevents a rogue server from
+# capturing SASL messages. Having this defined can also improve client
+# connections when your services are down, as the client will be told
+# that SASL failed rather than just timing out on registration.
+#<sasl target="services.mynetwork.com">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Secure list module: Prevent /LIST in the first minute of connection,
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 5afab9502..8ac43fba7 100644
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -35,6 +35,10 @@ static void SendSASL(const parameterlist& params)
{
if (!ServerInstance->PI->SendEncapsulatedData(params))
{
+ User* u = ServerInstance->FindUUID(params[2]);
+ if (u)
+ u->WriteNumeric(904, "%s :SASL authentication failed", u->nick.c_str());
+
SASLFallback(NULL, params);
}
}