Nickserv Access List Help Document
by Quentinus / 9 February 1996
Updated by Surel / 1 July 2000
E-mail any comments to docs@dal.net
This file is Copyright (C) by the DALnet IRC Network.
Introduction
This guide explains the way to control exactly how and in what circumstances you and others can use your nickname(s) on DALnet. The "control" I mentioned is provided to you by a NickServ feature known as the "access list" or by identifying to NickServ with your password each time you log on.
If you haven't already chosen and registered your nickname with NickServ, you should first do that - read Question 1.2 "How do I register my nick?" of the Services FAQ before continuing with this.
Finally, two brief notes - whenever I give a command to type such as
/nickserv identify <password>
The command should be typed as it is shown, *except* that you should replace anything in angle brackets <> with the appropriate piece of information. You shouldn't include the <>. For instance, in the above example, if your password was "apple", you would actually type
/nickserv identify apple
When commands say /nickserv or /chanserv, that is an ircd alias to message the service securely. If your client does not understand the command, you can either use the /quote nickserv format or /msg nickserv. However, messaging the services directly is less secure because of the possibility of typos, or of sending commands to a user using that nick if you use them on another network, so only use that format if you have to.
Contents
1. Why you need to know this information
2. What nickname access lists are
3. How to change your nickname access list
4. The pros and cons of having address masks in your access lists
5. Hostnames and usernames explained
6. Address masks explained
Exact addresses
Wildcards
7. How to choose a correct mask for yourself
8. Numeric hostnames
9. Things to remember and security advice
10. Summary
1. Why you need to know this information
DALnet encourages you to read this guide because:
If NickServ always asks you for your password and you get fed up with this, you CAN fix it, and this explains how.
If this isn't the case, it's entirely possible that some others who really wanted to could use your nickname. Even if you're not paranoid about other people "pretending to be you", consider that they could get *you* in trouble by misbehaving in some way with your nickname.
If your access mask is "too wide" and allows other users access, this could give them access to "your" rights on channels which you are AOP, SOP, or founder on.
A summary can be found in section 10, which briefly explains how to get a "correct" access list in most cases.
2. What nickname access lists are
A nickname access list is a list of addresses from which you are recognised as the authorised user of a nickname, without needing to manually send a password. These can be exact addresses or "masks" that match a range of addresses.
There are several ways in which a user may be "allowed" to use a registered nickname.
In order to explain these, here's a summary of what happens when you log on, or change to a nickname.
1. NickServ checks if the nick is registered. If not, then it takes no further action (i.e. you can use the nick).
2. NickServ checks if you have a username and hostname that matches one of those stored in the access list for that nick. (The username and hostname is the "something@somewhere.com" part of the information you get by typing /whois.) If there is such a match, then you are considered a valid user of the nickname, and NickServ takes no further action.
3. NickServ sends a warning explaining that if this is your nick, you should use the "/msg nickserv identify <password>" command. At this point, you do not have access to memos, channels, AOP rights, etc.
4. If nickname enforce is set on, NickServ changes your nick to a guest nick 60 seconds later, unless password identification is sent (see 5, below). If nickname enforce is off, you are allowed to keep using the nick, with the same restrictions on access just explained. (For information about setting ENFORCE on for your nicks, see the Services FAQ question 1.3 "How do I stop others from using my registered nickname?")
5. If you type the "/nickserv identify <password>" command, you get full rights to the nick as soon as it is accepted.
That was a little bit complicated, so here's another brief look at it from a slightly different perspective; a person may be using a registered nickname if:
1. Their address [username and hostname] matches one in the access list.
2. They sent the manual "/nickserv identify <password>" command.
3. Enforce is set off for the nick
4. Enforce is set on [in this case they can use it only for 60 seconds]
(Only in 1 and 2 is the person seen as the "valid owner" of the nickname, with access to memos, to view nickname settings, and to any channel privileges there might be for that nickname. Changing nickname settings always requires password identification, case 2.)
You can see by this that the "access list" is used for convenience, so that as long as you continue to use the same Internet service provider you won't normally need to type in the password each time you use your nickname.
3. How to change your nickname access list
Here are the commands for manipulating your access list. Before you use any of them, you should change to the appropriate nickname. You will also need to identify for the nick (/nickserv identify <password>) before you can do the ADD or DEL commands.
After you type any of these commands, NickServ will respond to show you the results or confirm that your command worked.
If there is no response, NickServ is probably lagged, so please be patient. If there is a message like "nickserv - no such nick/channel" or "Services is currently down. Please wait a few moments, and then try again." then NickServ is probably not working at the moment; try again later.
/nickserv access list
Typing this command will show you the current access list
/nickserv access add <mask>
Typing this command - replacing the word "<mask>" with an actual mask - will add an "address mask" (see later) to the list so that people matching that mask will be able to use the nickname without identifying.
/nickserv access del <mask>
If an "address mask" is inappropriate, insecure, or no longer required, you can remove it from the list using this command.
4. The pros and cons of having address masks in your access list
There are security advantages to clearing the access list, which means that you must always give NickServ the password in order to use the nick. Therefore, if the security of your nick is more important to you than convenience, this is the action you should take.
Note that even if somebody else *does* manage to use your nickname due to the access list, they still can't access any of the critical commands such as dropping the registration or changing the password. All of those require you to identify with the password first.
However, if someone gets access in this way they *will* be able to read your memos and send memos using your name, as well as gaining access to any rights you may have on channels (AOPs, SOPs, etc). They can also register channels in your name.
If you decide your nickname needs to be secure, the rest of this section explains how to clear your access list. Otherwise, you should skip to the next section. All the other sections from now on assume you *are* going to use the access list.
To clear your access mask list, do the following:
1. Type /nickserv identify <password>
(where "<password>" is the password for your nick)
2. Type /msg nickserv access wipe
Once you have cleared your access list, you are going to need to identify with NickServ each time you log on to DALnet. To do this, you type:
/nickserv identify <password>
Do not create auto-identify scripts. It is easy to accidentally log onto another network, and forget that you had the auto-identify script on. On the other network, there may well be a user calling themselves NickServ specifically to steal passwords. Depending on your script, your password may go to them. Another problem is you may share your script with friends and forget to edit out the password. This is a real danger and has happened to dozens of DALnet users.
If you've cleared your access list, there's not much point reading the rest of this document, as it assumes you decided to use the access list.
5. Hostnames and usernames explained
In choosing a mask for yourself, the first thing to do is, while online, to run a /whois on yourself, and look at the results. You should see something like:
YourNick is ~user@009-443.provider.com * Your Silly Message
[etc]
or perhaps like:
*** YourNick is ~user@009-443.provider.com (Your Silly Message)
The important part is the ~user@009-443.provider.com part, which you should be able to see whatever format your IRC program uses. We'll take a closer look at the various parts of this.
| If your result looks like ~user@124.45.230.123 - i.e. four numbers and no words in the "hostname" part, please see section 8 in this guide.
1. The username
The username part of the above address is "~user". In fact, this itself divides into two parts - the "~" which indicates you don't have an ident server, and the "user" which is the actual username.
Unless you're using a Unix or VMS computer system such as some university systems, or you use one of a few particular service providers, it's likely that you can change your username to anything you like. [Note: mIRC calls the username 'email address'.]
In the example I gave, the person hasn't changed their username from the default of the program they use, which happens to be "user". This is very common, but is not a particularly sensible idea. You should pick some other username so that not everybody has the same one.
(When picking a username, you should probably choose your username or account name at your ISP, unless you want to keep your email address secret from other users. If you choose something different for that reason, make sure it is a single word using only letters and numbers; using other symbols could cause problems.)
If at this point you change your username, you'll need to disconnect from IRC and reconnect. (It's usually best to quit your IRC program and then reload.) Then do the /whois again.
You need to know your "username" to choose a correct mask.
2. The hostname
The above user's hostname is "009-443.provider.com". This indicates that they are using the Internet service provider "provider.com" (which I made up), and that they are currently using the machine or phoneline at that provider which is number 009-443.
This hostname is what's known as a "dynamic hostname". Dynamic hostnames include a number or similar code at the start, which is different each time you dial the provider to start an Internet session.
Some hostnames (for instance at a company or institution) may be "static" - that is, each time you start an Internet session, you'll have exactly the same hostname. You can find out which you are by trial and error, but a general rule of thumb is that if your internet access comes by dialing up on an ordinary domestic phone line, you probably have a dynamic hostname. Dynamic hostnames always have a number or odd code at the start; static hostnames normally are just words, but might include numbers also.
Here are some examples of static hostnames:
spelt-lib.demon.co.uk
altair.dur.ac.uk
quilt.usn.blaze.net.au
puree.ugcs.caltech.edu
And here are some dynamic hostnames:
ppp96.sagelink.net
one-pm30.norwich.net
ip022.phx.primenet.com
pc38.bgmoess-klu.ac.at
Just to confuse, static hostnames can have numbers in them (e.g. cm001-13.dur.ac.uk) - if in doubt, though, and it has a number, assume it's dynamic.
You need to know which type of hostname you have before you can choose a correct address mask.
6. Address masks explained
First, a quick note about what address masks do *not* include. They do not include the nickname portion *! that you might have seen in channel ban masks. They also must not include the ~ at the start of the username, which might be displayed in the /whois output. If you include either of these two things, it's likely that the mask will never work.
Address masks can be of two forms.
1. Exact.
For instance, an address mask could be:
peter@orion.dur.ac.uk
This mask would only allow people using the exact computer or phoneline "orion.dur.ac.uk", and whose username ("email" in mIRC) was set to "peter", to use the nickname without identifying.
2. Wildcards.
Wildcards are the * symbols you might see in address masks. A * symbol "matches" any number of characters (letters or numbers), even none at all.
For instance, "for*" would match "forest", "fortune", "for" - anything beginning with the three letters "for".
"*st" would match "forest", "best", "Bucharest" - anything ending with the two letters "st". "f*st" would match "forest", "frost", "fst", "fast" - anything beginning with "f" that also ends in "st". "f*s*t" would match "forest", "foresight", "frost" - anything that begins with "f", ends with "t", and has an "s" somewhere in the middle.
If you don't fully understand that, don't worry; such complex wildcards aren't usually needed to specify access masks.
A typical access mask with a wildcard might be:
CuteElf@*.netcom.com
This allows anybody whose username is set to CuteElf, and whose hostname ends in ".netcom.com", to access the nickname. (Since every Netcom user's address ends in ".netcom.com", this is not a very secure access mask.)
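As an added example (not part of this help document, and not NickServ's own code), here is how the mask rules above behave when written down as a small Python matcher: only "*" is special, the "*!" nick part and the leading "~" must not be in the mask, and the lookup is the check that NickServ performs in step 2 of section 2. The only assumption beyond what the guide states is that the comparison is case-insensitive, which is how IRC addresses are normally compared; the access list and /whois addresses in the demo are constructed.

```python
import re

# Added example: it is not part of the DALnet help text and does not claim
# to be NickServ's own code.  It models the mask rules the guide describes:
# only '*' is special, the mask must not carry the '*!' nick part or the
# leading '~', and the lookup is the check in step 2 of section 2.
# Assumption: comparisons are case-insensitive, as IRC addresses usually are.

def mask_to_regex(mask):
    """Compile an access mask into a regular expression.

    '*' matches any run of characters, including none; everything else,
    including '.', is matched literally."""
    literal_parts = (re.escape(part) for part in mask.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)

def mask_matches(mask, text):
    """True if the whole of text is covered by the mask."""
    return mask_to_regex(mask).match(text) is not None

def address_for_matching(whois_address):
    """Turn what /whois shows into the user@host form that is compared.

    A 'nick!' prefix is dropped, and so is the '~' that only says you have
    no ident server; neither belongs in a mask, so a mask containing them
    can never match the cleaned address."""
    if "!" in whois_address:
        whois_address = whois_address.split("!", 1)[1]
    user, _, host = whois_address.partition("@")
    return user.lstrip("~") + "@" + host

def first_matching_mask(access_list, whois_address):
    """Step 2 of the logon check in section 2: the first mask in the nick's
    access list that covers the address, or None when the user will have to
    identify with the password instead."""
    address = address_for_matching(whois_address)
    for mask in access_list:
        if mask_matches(mask, address):
            return mask
    return None

if __name__ == "__main__":
    # Constructed sample access list and /whois addresses.
    access_list = ["~peter@orion.dur.ac.uk",     # wrong: keeps the '~'
                   "*!peter@orion.dur.ac.uk",    # wrong: keeps the nick part
                   "CuteElf@*.netcom.com"]       # wide: any Netcom host
    for who in ["~peter@orion.dur.ac.uk", "~cuteelf@ix-sea-wa1-01.netcom.com"]:
        print(who, "->", first_matching_mask(access_list, who))
```

Running it shows the first address matching nothing (both masks for peter are malformed in the ways the section warns about, so he would be asked for his password), while the second is let in by the wide Netcom mask.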
7. How to choose a correct mask for yourself
So, you know your username and hostname, and whether the address is static or dynamic. What now?
If your hostname is numeric - a set of 4 numbers, instead of "words" - you should now look at section 8, which explains how to deal with this situation - these hostnames work differently from the normal type.
* If you have a static address
The correct access mask for you in this case is:
username@hostname
For instance, in the unlikely event that the example I gave was a static address, the correct access mask would be:
user@009-443.provider.com
* If you have a dynamic address
Things are slightly more complicated here. You basically need to replace the part of the hostname that changes each time with a *:
username@*.part-of-hostname-that-doesn't-change
For instance, a good mask for the above example would be:
user@*.provider.com
If the 009 was always the same every time that user dialed up, and only the 443 changed, then an even better mask would be:
user@009-*.provider.com
8. Numeric hostnames
Sometimes the hostname part of your address may appear not as a name:
username@A56.myprovider.com
but as a set of 4 numbers:
username@154.43.68.56
The set of numbers - also known as an "IP address" - is actually the "real" hostname. The name you see normally is simply an easier-to-read way of giving the number.
The reason why your hostname sometimes comes up as a number is usually lag between your service provider and the IRC server you're connecting to. In this case, the IRC server may not get a response to the "name lookup" within a reasonable time, so it falls back on using the number.
Assuming you normally get a name, if your hostname ends up being a number one time, the easiest solution is probably just to change server, or even reconnect to the *same* server. If you are using a server that's geographically near to you, it is unlikely that the "number" thing will happen often. You shouldn't add an IP address to your access list just because one time your hostname appeared as numbers.
If your hostname always or often comes up as numbers, you might want to add it to your access list. Numeric hostnames are simple to deal with in the context of an access mask.
As with standard "name" type hostnames, you need to determine whether your hostname is dynamic or static; if you already know that from the format of the "name" type hostname, then it will be the same for the numeric hostname. If you have a numeric hostname and don't know which type it is, the only sure way to check is to log in to your Internet provider several times and see if the last number (of the set of four) changes. You can assume that a dialup account will almost certainly have a dynamic hostname.
If you have a dynamic hostname, you need to:
/nickserv access add username@154.43.68.*
where the username and the first three numbers are the ones from your /whois, and the * replaces the last number.
If your address is static, simply include all four numbers instead of replacing the last one with a *. In my example, that would be:
/msg nickserv access add username@154.43.68.56
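The advice in sections 7 and 8 comes down to one rule: keep every part of the address that never changes and put a "*" only where it does. As an added example (not from this help document), the Python below applies that rule to a list of addresses one account has been seen with in /whois and returns the narrowest mask covering all of them. It goes a little beyond the guide in one place: for numeric hosts it keeps every leading number that stayed the same rather than always replacing just the last one. The sample addresses are constructed.

```python
import os.path

# Added example, not part of the DALnet help text: from the addresses one
# account has been seen with in /whois, derive the narrowest mask that still
# covers all of them (sections 7 and 8).  For numeric hosts it keeps every
# leading octet that never changed, which generalises the guide's "replace
# the last number" rule.  All sample addresses are constructed.

def split_address(whois_address):
    """Split 'nick!~user@host' or '~user@host' into (user, host), dropping
    the nick and the '~', neither of which belongs in a mask."""
    if "!" in whois_address:
        whois_address = whois_address.split("!", 1)[1]
    user, _, host = whois_address.partition("@")
    return user.lstrip("~"), host.lower()

def is_numeric_host(host):
    """True for a raw IP address such as 154.43.68.56 (section 8)."""
    octets = host.split(".")
    return len(octets) == 4 and all(o.isdigit() for o in octets)

def suggest_mask(whois_addresses):
    """Return the narrowest user@host mask covering every observed address.

    static (all observations identical)  -> user@host, no wildcard
    dynamic numeric host                 -> unchanged leading octets, then '*'
    dynamic name-type host               -> unchanged trailing labels, keeping
                                            any common prefix of the first
                                            label that changes (009-*)
    Raises ValueError when the observations cannot share one sensible mask:
    different usernames, a mix of numeric and name-type hosts, or nothing
    in common at all (which would produce the *@* style mask to avoid).
    """
    pairs = [split_address(a) for a in whois_addresses]
    users = {user for user, _ in pairs}
    if len(users) != 1:
        raise ValueError("different usernames: %s" % sorted(users))
    user = users.pop()
    hosts = [host for _, host in pairs]
    if len(set(hosts)) == 1:
        return "%s@%s" % (user, hosts[0])          # static: exact address
    numeric = [is_numeric_host(h) for h in hosts]
    if any(numeric) and not all(numeric):
        raise ValueError("mix of numeric and name-type hosts; add separate masks")
    if all(numeric):
        fixed = []
        for column in zip(*(h.split(".") for h in hosts)):
            if len(set(column)) != 1:
                break
            fixed.append(column[0])
        host_mask = ".".join(fixed + ["*"])
    else:
        # Name-type host: walk the labels from the right while they agree.
        shared = []
        for column in zip(*(reversed(h.split(".")) for h in hosts)):
            if len(set(column)) != 1:
                shared.append(os.path.commonprefix(list(column)) + "*")
                break
            shared.append(column[0])
        else:
            # One host is a pure suffix of another: widen the last agreed label.
            shared[-1] = "*" + shared[-1]
        shared.reverse()
        host_mask = ".".join(shared)
    if host_mask == "*":
        raise ValueError("addresses have nothing in common; do not use a *@* mask")
    return "%s@%s" % (user, host_mask)

if __name__ == "__main__":
    # Constructed /whois results from three imaginary accounts.
    samples = [
        ["~user@009-443.provider.com", "~user@009-117.provider.com"],
        ["~user@154.43.68.56", "~user@154.43.68.12"],
        ["~user@spelt-lib.demon.co.uk", "~user@spelt-lib.demon.co.uk"],
    ]
    for seen in samples:
        print(seen, "->", "/nickserv access add " + suggest_mask(seen))
```

The three constructed accounts give user@009-*.provider.com, user@154.43.68.* and user@spelt-lib.demon.co.uk respectively, which are the masks sections 7 and 8 arrive at by hand; the ValueError cases are the situations where the guide tells you to add separate masks or to fall back on identifying with the password.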
9. Things to remember and security advice
* If you want your nickname to be as secure as possible
Delete all the addresses from the access mask, and use the
/nickserv identify <password>
command every time you log on to DALnet. (See section 4 of this guide.)
* If you have a static address
If you're one of the lucky few with a static address, you should have an access list consisting of your username@hostname and nothing else. The mask in the list shouldn't have any wildcards (* symbols) since your address is always exactly the same.
Delete any other masks that might be in the list.
Because your address is static, nobody else could have a matching address, so this is quite secure; it's unlikely others will be able to abuse your nickname.
* If you have a dynamic address
Most of us are stuck with dynamic IPs, unfortunately. The basic principle is to have only one mask in the list, which will "allow in" as few people as possible. Delete any other masks.
The mask should include your username, and as much of the hostname as possible (all of it that doesn't change). For instance, while I was using Netcom, the default mask that NickServ assigned me allowed anybody at Netcom to use my nickname (provided they changed their username to the one I was using at the time). By looking at my hostname, I noticed that part of it referred to the dialup point I was using, and didn't change. So I changed my access mask to include that as well, which meant that only those Netcom users who used the Seattle, WA dialup point would be able to use my nickname.
As you can see, when you have a dynamic IP, access masks almost always allow large groups of people the potential to use your nickname. If you're not satisfied with this, your only option is to delete all access masks from the list, and manually identify with NickServ every time you use DALnet.
Note that even if somebody else *does* manage to use your nickname due to the access list, they still can't get at any of the critical commands such as dropping the registration or changing the password. All of those require you to identify with the password first. However, if someone got access in this way they *will* be able to read your memos and send memos using your name, as well as access any channel privileges you might have.
* If you change Internet provider
In this case you'll need to add new, different masks for your new address. Don't forget to delete the old masks, assuming you're no longer going to be using the old account.
* If you have more than one Internet account
You may want to add several masks, for each of the accounts from which you use DALnet.
* Don't add "wide" access masks to your list
NEVER put *@* in your access list, or other access masks like *@*.net, *@*.com, *@*.uk, etc, which would let large numbers of people use your nick.
* Try to have as few access masks as possible
You should only need one access mask per account you use to IRC. Each access mask you include may reduce the security of your nickname slightly, so avoid having more than this minimum.
* If you have trouble with people trying to steal your nickname
Sometimes, if people are trying to steal your nick, you might want to add warnings to CSops (the only people who can retrieve channel and nickname passwords that might have been lost) so that they will know you have been having problems with this, and will not give out the password to anyone.
You can do this with "fake" access masks that include warnings, for example:
ATTENTION@dont.give.out.my.pass.to.anyone
ATTENTION@only.send.my.password.by.email
However, you shouldn't add this kind of "fake" mask unless you know or strongly suspect that somebody is trying to steal your nickname. If you include these, clearly the CSop will not give out the password to anyone, even you.
If you add an "only send my password by email" mask, don't forget to specify your email address either in another access mask, or as a mailto: URL ("/msg nickserv help set url" for more information on that).
10. Summary
Here's the quick way to get a "correct" access list in most cases.
1. Type /nickserv access list
2. Type /nickserv access wipe
3. If you want your nickname to be completely "secure", stop now, and don't do any other commands. You'll have to use the "/nickserv identify <password>" command each time you log on to DALnet.
4. Type /whois YourNick (where you replace YourNick with your nick). The result should be:
YourNick is youruser@stupidnumber.hostname * Your silly message
If there was some stupid number there in the hostname (after the @ symbol) then you probably have a dynamic address:
5. Type /msg nickserv access add youruser@*.hostname (replacing "youruser" and "hostname" with the actual values from the /whois command.)
If there wasn't a number then you probably have a static address, and the result from /whois actually looked like:
YourNick is youruser@hostname
5. Type /msg nickserv access add youruser@hostname (replacing "youruser" and "hostname" with the actual values)
6. That's it, you're done.
[End]
This guide was written by Quentinus, with editorial corrections and suggestions by Wizzu and Drakkar. If you want to send comments about this guide, please email them to docs@dal.net.
(If you'd like to contact me personally for some reason, I'm at Quentinus@dal.net or Quentinus on DALnet for memos etc.)
It was updated by Surel (surel@dal.net) on July 1, 2000
IRC: /server irc.dal.net 7000 (also port 6667)
The Info on WWW: http://www.dal.net
DALnet FTP site: ftp://ftp.dal.net
IRC Mailing lists: http://www.dal.net/documentation/lists.html
Network Email: help@dal.net (help), docs@dal.net (help documents), comments@dal.net (comments and suggestions)