
Irssi: Automatic identification to services

Most of these methods can be used for any IRC client, not just Irssi.

Using SASL

SASL is the most reliable method and always guarantees that you will be identified (or rejected) before sending any further commands – in fact, even before you show up as a user on the network. This may be important to people who use cloaks/vhosts to ensure privacy, or have their clients set up to join "registered-only" channels after connecting.

The irssi-connect page has instructions on setting up SASL for Irssi.

For client or bot developers, protocol documentation is available as the IRCv3 "sasl" extension.

Using TLS client certificates

In addition to verifying the server, the TLS (SSL) protocol allows the client to authenticate itself with its own certificate.

Certificate authentication is supported by OFTC's IRC network (see their page on setting up CertFP) as well as Freenode (with almost identical instructions).

To create a self-signed certificate, you can use an openssl req command similar to:

openssl req \
    -new -x509 -days 3651 -extensions v3_req -newkey rsa:2048 -nodes \
    -subj "/CN=<login>" -out <filename>.cert -keyout <filename>.key

Implementation note: With the traditional "CertFP" method, networks check the certificate fingerprint automatically, but only do so after "registration" – that is, after you have already entered the IRC network – which does not guarantee that you'll be logged in before your client attempts to join restricted channels, or before someone runs a /whois on you. To avoid this, SASL should be used together with CertFP, using the EXTERNAL mechanism.
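The ordering that the SASL section and the implementation note above depend on, as an added example for client or bot developers (not code from this page or from Irssi): a socket-free sketch of the client side of the IRCv3 "sasl" exchange for PLAIN and EXTERNAL, which sends CAP END only after numeric 903. The class name, the QUIT-on-failure policy and the sample nick are assumptions of the example.

```python
import base64

FAILURES = {"902", "904", "905", "906"}  # ERR_NICKLOCKED, SASLFAIL, SASLTOOLONG, SASLABORTED

class SaslHandshake:
    """Client side of the IRCv3 "sasl" exchange, without any socket I/O."""

    def __init__(self, nick, mechanism, login="", password=""):
        self.nick, self.mechanism = nick, mechanism
        self.login, self.password = login, password
        self.outcome = None  # None: in progress, True: logged in, False: rejected

    def start(self):
        # CAP REQ suspends registration: the server will not complete it
        # until we send CAP END, so no JOIN or /whois can happen before login.
        return ["CAP REQ :sasl", f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def _response(self):
        if self.mechanism == "EXTERNAL":
            return "+"  # empty response; the TLS client certificate is the credential
        # PLAIN: authzid NUL authcid NUL password, base64-encoded.
        # Assumes the encoded form is under 400 bytes (longer ones must be chunked).
        raw = "\0".join([self.login, self.login, self.password]).encode()
        return base64.b64encode(raw).decode()

    def feed(self, line):
        """Consume one server line and return the lines to send in reply."""
        words = line.split()
        if words and words[0].startswith(":"):
            words = words[1:]  # drop the ":server.name" prefix
        if not words:
            return []
        cmd = words[0]
        if cmd == "CAP" and len(words) > 2 and words[2] == "ACK":
            return [f"AUTHENTICATE {self.mechanism}"]
        if cmd == "CAP" and len(words) > 2 and words[2] == "NAK":
            self.outcome = False
            return ["QUIT :SASL not available"]
        if cmd == "AUTHENTICATE" and words[1:] == ["+"]:
            return [f"AUTHENTICATE {self._response()}"]
        if cmd == "903":  # RPL_SASLSUCCESS: only now let registration finish
            self.outcome = True
            return ["CAP END"]
        if cmd in FAILURES:
            # Disconnect instead of sending CAP END, so we never appear
            # on the network unidentified (a policy choice of this example).
            self.outcome = False
            return ["QUIT :SASL authentication failed"]
        return []
```

Write the lines from start() to the TLS socket, then pass each received line to feed() and send whatever it returns; autojoin should only run once outcome is True.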

Using server password

IRC allows specifying a "server password" when connecting. Often it's used to access an I:line. For mere mortals who do not need such things but still send a password, the ircd on most networks forwards it to NickServ or a similar service.

With Irssi, it is used like this:

/server add -net Freenode -ssl <address> 6697 <login>:<password>
/server add -net Foonetic -ssl <address> 6697 <password>

(See also: Connecting to multiple networks)

On most networks, if the user doesn't match any I:line, the password is sent as a PRIVMSG to NickServ, so there still is the same race condition as with autocommands (below).

Using autocommands

Add a new network and specify a command to be sent automatically upon connecting:

/network add -autosendcmd "^msg NickServ identify <password>; wait 2000" Foonetic

This can be easily adapted to any services package out there, but it cannot guarantee that NickServ will receive your message before you (auto-)join channels. For vhost/cloak users, this is a potential privacy issue.


QuakeNet's Q accepts neither SASL nor server password. It does work just fine with an autocommand, but if you care about security you probably will not want to use that. The Q bot supports challenge/response authentication, and I have a script for it.