git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
ngircd
1
0
Fork 0
Files
Tree: cb189976ea
Branches Tags
ngircd
/
debian
/
ngircd.README.Debian

ngircd.README.Debian 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. What's new in ngIRCd 18
    2. 

  2. =======================
    3. 

  3. 

  4. Generic
    5. 

  5. -------
    6. 

  6. For generic information, including the new names of configuration
    7. 

  7. variables, see /usr/share/doc/ngircd/INSTALL.gz
    8. 

  8. 

  9. Debian specific
    10. 

  10. ---------------
    11. 

  11. The configuration of the user and group ID ngIRCd runs as has
    12. 

  12. changed in ngircd 18-1. If you see messages like
    13. 

  13. 

  14.     Can't change group ID to 65534: Operation not permitted
    15. 

  15. 

  16. Change the lines
    17. 

  17. 

  18.     ;ServerUID = 65534
    19. 

  19.     ;ServerGID = 65534
    20. 

  20. 

  21. into
    22. 

  22. 

  23.     ServerGID = irc
    24. 

  24.     ServerUID = irc
    25. 

  25. 

  26. 

  27. TLS support
    28. 

  28. ===========
    29. 

  29. 

  30. Some things to take into account when configuring TLS/SSL support:
    31. 

  31. 

  32. * The irc user must be able to read the key file.
    33. 

  33. * ngIRCd will run without a DH parameters file but that's a bad idea.
    34. 

  34. * A certificate exchange requires restart.
    35. 

  35. 

  36. 

  37. Certificate location
    38. 

  38. --------------------
    39. 

  39. * If your certificate and key are for ngIRCd only: Simply place them in
    40. 

  40.   /etc/ngircd, set KeyFile and CertFile accordingly. To secure the key
    41. 

  41.   file (server.key):
    42. 

  42. 

  43.     chown irc:irc server.key
    44. 

  44.     chmod 600 server.key
    45. 

  45. 

  46. * If however you offer several TLS-based services that using the same
    47. 

  47.   certificate and key: Consider installing the ssl-cert package which
    48. 

  48.   provides the ssl-cert group. Place the certificate file (server.crt)
    49. 

  49.   in /etc/ssl/certs/ and the key file (server.key) in /etc/ssl/private/,
    50. 

  50.   and make sure ngIRCd can read it:
    51. 

  51. 

  52. 	chown root:ssl-cert /etc/ssl/private/server.key
    53. 

  53. 	chmod 640 /etc/ssl/private/server.key
    54. 

  54. 	adduser irc ssl-cert
    55. 

  55. 

  56.   Repeat the last step for all users that run a daemon providing TLS.
    57. 

  57. 

  58. 

  59. DH parameters file
    60. 

  60. ------------------
    61. 

  61. It is suggested to create a DH params file. If missing, ngIRCd will
    62. 

  62. create one on the fly but this will prolong each startup.
    63. 

  63. 

  64. To create that file:
    65. 

  65. 

  66. * using gnutls (from gnutls-cli package):
    67. 

  67. 

  68.     certtool --generate-dh-params --bits 2048 >/etc/ngircd/dhparams.pem
    69. 

  69. 

  70. * using openssl:
    71. 

  71. 

  72.     openssl dhparam -2 -out /etc/ngircd/dhparams.pem 2048
    73. 

  73. 

  74. This has to be done only once. Don't forget to enable the DHFile
    75. 

  75. setting in /etc/ngircd/ngircd.conf.
    76. 

  76. 

  77. 

  78. Certificate exchange
    79. 

  79. --------------------
    80. 

  80. Due to limitations of GnuTLS, a re-start of ngIRCd is required if the
    81. 

  81. certificates were changed. A reload is not sufficient.
    82.