Thursday, April 19, 2012

Case Study: EucaSchool Part 3 - Setting up an IRCd

In my last post I detailed using screen as a teaching tool.  In this post I will go over using IRC to augment the demonstration with lecture/Q-and-A sessions and using a bot to record your sessions.  This post will deal specifically with setting up your own IRC service.


Since this is in parallel with EucaSchool, I should say that we don't use our own IRC server for EucaSchool.  We use Freenode.net.  You can join us in our channels there: #eucalyptus for general support on Eucalyptus or to say hi, #eucalyptus-classroom for EucaSchool and other training sessions, and #eucalyptus-meeting where we hold our community meetings.  If you're going to use a public IRC server already in existence then you can skip ahead to the section about configuring your meeting bot.

That said, some people would prefer to keep their sessions on their own services for various reasons.  If you would, then I'd suggest checking out what IRC daemon software is out there and which fits you.  This tutorial will focus on ngIRCd.  When finished, you will have an SSL-enabled IRC server that forces authentication of users against PAM on the local system and only has rooms predefined for your sessions.

Firstly, let's compile and install the daemon.  If your Linux distribution has a new enough version of ngIRCd in the package repositories (I'd recommend ngIRCd version 16 or greater), you can use a package install either with your package manager (apt/yum/zypper) or download the packages here.  If not, you can follow the ngIRCd documentation to compile and install.  Since I was using Ubuntu 10.04 LTS (which has an older version of ngIRCd in the repository), I chose to compile and install.

wget http://ngircd.barton.de/pub/ngircd/ngircd-19.1.tar.gz
tar xvzf ngircd-19.1.tar.gz
cd ngircd-19.1
CFLAGS=-static ./configure --with-pam --with-openssl
make
make install

Assuming you had the needed package dependencies (and it will tell you which ones you don't have when it errors out), it should now be installed in /usr/local/sbin/.  Now let's generate and place the SSL certs we'll use.  This will have you set a password for the key file.  Remember that for later use in the configs.

mkdir -p /path/to/ssl
cd /path/to/ssl
openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
openssl dhparam -2 -out dhparams.pem 4096

And now let's populate our config file for ngircd itself.  If you've installed via package, you'll want to edit /etc/ngircd/ngircd.conf; however, if you followed my instructions above, the config file will be in /usr/local/etc/.  Here is an example conf file that sets paths to the SSL cert/key, limits the users to PAM authentication and provides only a single room:

[Global]
    Name = irc.yourserver.com
    AdminInfo1 = Description
    AdminInfo2 = Location
    AdminEMail = you@youremail.com
    Info = Server Info Text
    MotdPhrase = "Hello and welcome to our IRC server."
    ServerGID = nogroup
    ServerUID = ngircd
[Limits]
    MaxConnections = 50
    MaxJoins = 5
[Options]
    ChrootDir = /var/empty
    CloakUserToNick = yes
    DNS = yes
    Ident = no
    MorePrivacy = yes
    PAM = yes
    PredefChannelsOnly = yes
    RequireAuthPing = no
[Operator]
    Name = root
    Password = opspwd
[Channel]
    Name = #lessons
    Topic = Only room on this server
    Modes = tnk
[SSL]
    CertFile = /path/to/ssl/server-cert.pem
    DHFile = /path/to/ssl/dhparams.pem
    KeyFile = /path/to/ssl/server-key.pem
    KeyFilePassword = secret
    Ports = 6697

If you compiled from source, now is a good time to write a script for /etc/init.d to start/stop this service.  You should now have a functioning IRCd that only allows one room for learning, requires PAM authentication and uses SSL.  Because we've set the user authentication to point to PAM, you can now use local system accounts, NIS or LDAP for your user management.
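As an added example (not part of the original post and not ngIRCd's own tooling), this Python check parses an ngircd.conf and reports where it departs from the goals above: PAM on, predefined channels only, SSL cert/key/port set, the sample passwords replaced, and no channel left with mode k but no key. The function names and the sample string are constructed for illustration, and the mode k check assumes the channel key comes from a Key or KeyFile line in the [Channel] section.

```python
import re
# Constructed sample: the security-relevant sections of the post's example config.
SAMPLE_CONF = """\
[Options]
    PAM = yes
    PredefChannelsOnly = yes
[Operator]
    Password = opspwd
[Channel]
    Name = #lessons
    Modes = tnk
[SSL]
    CertFile = /path/to/ssl/server-cert.pem
    KeyFile = /path/to/ssl/server-key.pem
    KeyFilePassword = secret
    Ports = 6697
"""
PLACEHOLDERS = {"opspwd", "secret"}  # example passwords printed in the post
REQUIRED = (("options", "pam", "yes"), ("options", "predefchannelsonly", "yes"),
            ("ssl", "certfile", None), ("ssl", "keyfile", None), ("ssl", "ports", None))

def parse_conf(text):
    """Return [(section, {key: value})]; [Channel] and [Operator] may repeat."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            sections.append((head.group(1).lower(), {}))
        elif "=" in line and sections and line[0] not in "#;":  # skip comments
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """List where a config departs from what the post sets out to build."""
    sections, findings = parse_conf(text), []
    merged = {(s, k): v for s, opts in sections for k, v in opts.items()}
    for sec, key, want in REQUIRED:
        got = merged.get((sec, key), "")
        if not got or (want and got.lower() != want):
            findings.append(f"[{sec}] {key}: want {want or 'a value'}, got {got or 'nothing'}")
    for name, opts in sections:
        for key in ("password", "keyfilepassword"):
            if opts.get(key) in PLACEHOLDERS:
                findings.append(f"[{name}] {key} is still the example value")
        keyed = opts.get("key") or opts.get("keyfile")
        if name == "channel" and "k" in opts.get("modes", "") and not keyed:
            findings.append(f"{opts.get('name')} has mode k but no Key/KeyFile")
    return findings
```

Run it as audit(open(path).read()) against your own file. Since ngircd.conf holds the operator password and the key passphrase in cleartext, keep the file unreadable by other local users.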

In the next post I will demonstrate how to get a working meeting bot up and running in your newly created IRC learning channel.