Need to expose UI element for IRC server password

NEW
Unassigned

Status

defect
5 years ago
2 months ago

People

(Reporter: tv, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Reporter

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807

Steps to reproduce:

Create IRC chat account with password filled in, in order to login to company-private IRC server.


Actual results:

Server stalled waiting for the IRC command "PASS <foo>". (And since the chat interface doesn't support /QUOTE, it can't be entered manually either.)

The code in ircServices.jsm appears to use the account password for NickServ identification (IDENTIFY command and/or messaging NickServ with IDENTIFY).


Expected results:

Server should receive "PASS <password>" command.

If necessary, an advanced IRC option for storing a *server* password (as opposed to a NickServ password) could be added. As it stands today, there is no way to login to an IRC server that requires protocol-level authentication.

This is similar in concept to, and would address the issue of, bug 904829, which involves IRC bouncers (these act like IRC servers requiring protocol-level auth as well).
Reporter

Updated

5 years ago
See Also: → 904829
Reporter

Updated

5 years ago
See Also: → 919180
Reporter

Comment 1

5 years ago
The workaround is to set:

messenger.account.accountN.options.serverPassword

as a string value. This was difficult to discover and is discussed in bug 919180 and the thread:

http://mozilla.6506.n7.nabble.com/Problems-using-IRC-in-latest-quot-Daily-quot-td305566.html

This bug is open because the workaround isn't adequate; this should be exposed in the UI. There is some discussion about this in the thread link above.
The solution is in the other bugs you referenced:
(In reply to aleth [:aleth] from bug #919180, comment #1)
> As a workaround, try setting the about:config pref
> messenger.account.accountN.serverPassword (where N is the number of the
> account) to your password. This should make TB send PASS.

I believe that bug also gives the reasons as to why this isn't exposed in the advanced preferences menu (pretty much "because it's stored in plaintext").

This is sent at [1]. As far as I can tell this is WORKSFORME.

The chat code does actually support /quote command btw [2], but there isn't really a place to type it in until after the account is connected.

[1] https://mxr.mozilla.org/comm-central/source/chat/protocols/irc/irc.js#1614
[2] https://mxr.mozilla.org/comm-central/source/chat/protocols/irc/ircCommands.jsm#392
If you want to make this bug about exposing that preference, we can do that but the bug title is currently wrong. Thunderbird *CAN* connect to servers that require a server password.
Reporter

Updated

5 years ago
Summary: Cannot connect to IRC server requiring a server password → Need to expose UI element for IRC server password
I can't find my full description of what needs to be done for me to consider this fixed (I thought I had a really nice description somewhere...), so here goes:
1. Implement the "masked" property (or add a password type or something like that): this needs to be a password field in the UI AND store the value in the password manager.
2. Add the serverPassword property to IRC (this should be trivial).

I probably won't have time to look at this soon.
Status: UNCONFIRMED → NEW
Component: Instant Messaging → IRC
Ever confirmed: true
OS: Linux → All
Product: Thunderbird → Chat Core
Hardware: x86_64 → All
Version: 25 → trunk
Nominally assigning.
Assignee: nobody → clokep
Status: NEW → ASSIGNED
Duplicate of this bug: 1184898
Posted patch WIP v1Splinter Review
Dusting off my WIP from this.

Updated

4 years ago
Duplicate of this bug: 1197584
Assignee: clokep → qheaden
Spoke with @clokep in IRC, and I agreed to look at this issue.
Assignee: qheaden → nobody
Status: ASSIGNED → NEW
Duplicate of this bug: 1471945

Comment 11

11 months ago
Patrick, thanks for your comments over at #1471945 I'll respond here to try  to keep the discussion in one location.

> Using the "serverPassword" preference is done on purpose. Most people want to use the password they type in to identify themself to services (not as a server password). We want this to be done via SASL mechanisms, instead of using the PASS command because it is more secure. Because of this, we separated out when PASS is sent to a separate preference that should not be needed most of the time!

> What server are you trying to connect to that requires this? What is the "username" provided above? Is that your nick or the field to give for USER or something else?

Yes, it's the value for USER. I'm trying to connect to a ZNC bouncer. As it says in the FAQ:

https://wiki.znc.in/FAQ#Why_do_I_get_an_.22Incorrect_Password.22_every_time_I_connect_even_though_my_pass_is_correct.3F

"If you have decent IRC client, you can just use "username" (or "ident") field for username [...] and "server password" field for password."

Although the code is there referencing the "username" preference, it doesn't ever seem to get set and for me is always "thunderbi. I don't know whether it's the server or protocol that causes the truncation, but either way I cannot seem to set it through the GUI.

Having never looked at Thunderbird's code prior to trying this, it's not something I can fix without being pointed into the right direction for adding a masked field (though your patch above helps).

Alternatively, here's what I could do fairly easily:

1) Add the "username" box for ident.
2) Add a checkbox (or select box) for "Use password as Server Password" which, when ticked, sends the password to the server rather than using it for authing with nickserv.

    if (this.getBool("useServerPassword")) {
      this.sendMessage("PASS", this.imAccount.password,
                       "PASS <password not logged>");
    }




This would be easier to implement as most of the code is already there. It doesn't require a masked field or storing anything else in the password manager.


There are two potential issues with this approach:

1) You wouldn't be able to log in to the server and nickserv. Is this a problem? Are there any servers which have both nickserv authentication and server password authentication? I don't know.

2) Where is this.imAccount.password used for IRC at the moment? There's no reference to it in irc.js, but if it is used we'd  need to add the relevant if (!this.getBool("useServerPassword")) check to stop it being used however it's being used currently.


Is this checkbox and username preference approach something you'd be willing to consider? If so I can implement it fairly easily.
(In reply to Tom Butler from comment #11)
> Patrick, thanks for your comments over at #1471945 I'll respond here to try 
> to keep the discussion in one location.
> 
> > Using the "serverPassword" preference is done on purpose. Most people want to use the password they type in to identify themself to services (not as a server password). We want this to be done via SASL mechanisms, instead of using the PASS command because it is more secure. Because of this, we separated out when PASS is sent to a separate preference that should not be needed most of the time!
> 
> > What server are you trying to connect to that requires this? What is the "username" provided above? Is that your nick or the field to give for USER or something else?
> 
> Yes, it's the value for USER. I'm trying to connect to a ZNC bouncer. As it
> says in the FAQ:
> 
> https://wiki.znc.in/FAQ#Why_do_I_get_an_.22Incorrect_Password.
> 22_every_time_I_connect_even_though_my_pass_is_correct.3F
> 
> "If you have decent IRC client, you can just use "username" (or "ident")
> field for username [...] and "server password" field for password."
> 
> Although the code is there referencing the "username" preference, it doesn't
> ever seem to get set and for me is always "thunderbi. I don't know whether
> it's the server or protocol that causes the truncation, but either way I
> cannot seem to set it through the GUI.

The server truncates this, not Thunderbird. I had thought ZNC supported using SASL, but it doesn't seem to: https://github.com/znc/znc/issues/296

The username preference is a hidden preference (i.e. it purposefully isn't shown in the UI), see https://dxr.mozilla.org/comm-central/source/chat/protocols/irc/irc.js#877-887 Services.appinfo.name resolves to "Thunderbird". You can set it using the about:config editor.

> Alternatively, here's what I could do fairly easily:
> 
> 1) Add the "username" box for ident.
> 2) Add a checkbox (or select box) for "Use password as Server Password"
> which, when ticked, sends the password to the server rather than using it
> for authing with nickserv.

This is a potential solution. I think the main concern with it is that people will tick it off while not using a TLS connection, which means the password is being sent in plaintext over the Internet. We should protect users from making bad decisions.

> There are two potential issues with this approach:
> 
> 1) You wouldn't be able to log in to the server and nickserv. Is this a
> problem? Are there any servers which have both nickserv authentication and
> server password authentication? I don't know.

I also don't know if anyone does this, users could still set the serverPassword as now to do that though.

> 2) Where is this.imAccount.password used for IRC at the moment? There's no
> reference to it in irc.js, but if it is used we'd  need to add the relevant
> if (!this.getBool("useServerPassword")) check to stop it being used however
> it's being used currently.

It is used in the SASL exchange, see https://dxr.mozilla.org/comm-central/source/chat/protocols/irc/ircSASL.jsm

> Is this checkbox and username preference approach something you'd be willing
> to consider? If so I can implement it fairly easily.

I think it is something I'd be willing to consider. Frankly, I also wonder if we should just add a separate field for serverPassword that shows it in plaintext for now in the advanced options. It isn't ideal showing it in plaintext, but we do that for a few other places too.
(In reply to Tom Butler from comment #11)
> Yes, it's the value for USER. I'm trying to connect to a ZNC bouncer. As it
> says in the FAQ:
> 
> https://wiki.znc.in/FAQ#Why_do_I_get_an_.22Incorrect_Password.
> 22_every_time_I_connect_even_though_my_pass_is_correct.3F
> 
> "If you have decent IRC client, you can just use "username" (or "ident")
> field for username [...] and "server password" field for password."

Thunderbird can connect to ZNC just fine without any modifications. You have to use a password of the form "user/network:password" and TB will automatically use that to connect. From what I can tell ZNC does not care about what you enter as nick.

Comment 14

11 months ago
> Frankly, I also wonder if we should just add a separate field for serverPassword that shows it in plaintext for now in the advanced options. It isn't ideal showing it in plaintext, but we do that for a few other places too.

This might be a sensible stop-gap until masked fields are supported. You still have the issue of potentially sending the password over the internet in plaintext though. But we have that already, it's just harder to achieve.

You can't connect to ZNC through the GUI options alone. You have to manually set the serverPassword preference. 

And, as a more complete IRC client it would be better if you could specify the username as its own field as you can with most other IRC clients.

At minimum the documentation for this needs improving. I couldn't find any way to achieve this and ended up digging through the code to see what was happening.
(In reply to Tom Butler from comment #14)
> You can't connect to ZNC through the GUI options alone. You have to manually
> set the serverPassword preference.

Again, ZNC should just work: https://dxr.mozilla.org/comm-central/source/chat/protocols/irc/ircNonStandard.jsm#57

If that doesn't work with your version of ZNC the rule for when to execute that probably needs to change.

Comment 16

11 months ago
The server I'm using does send "*** You need to send your password." but it doesn't allow me to connect. I will have to play around and see why it's not working.

Comment 17

7 months ago
Any movement on this? This seems like something that we should finally get knocked out.
Flags: needinfo?(clokep)
Tom, I'd be curious to know what version of ZNC you're using. This should Just Work with ZNC.

Ryan, no there's no movement on this.
Flags: needinfo?(clokep)
Comment hidden (advocacy)

Comment 20

6 months ago
> Frankly, I also wonder if we should just add a separate field for serverPassword that shows it in plaintext for now in the advanced options. It isn't ideal showing it in plaintext, but we do that for a few other places too.

I don't see the problem here and agree with your sentiment about just showing it in plaintext in the advanced options. This feature is important for folks that need it and if someone has access to your box and is looking in advanced settings for your bouncer in TB, you have other pressing, serious, security risks.
You need to log in before you can comment on or make changes to this bug.