Global ID and md5 authentication
Can anyone confirm md5 authentication with empty prefix and suffix is working? I tried several combinations and was unable to make it work. I could authenticate however when prefix is not empty, so I guess my code is not wrong (it is copied from the http auth). It was just that I always get PASSWORD_FAIL when trying to authenticate users using md5 and prefix is empty.
Re: Global ID and md5 authentication
Steps to reproduce the problem..
Get the authentication reference implementation (there is a copy here http://moosnet.homelinux.net/armaauth/0.1/index.php)
put (as index.php) into http://X/armaauth/0.1/index.php
Try to authenticate user test@X with password 'password'.
Go to GetPrefix(), replace %u:aaauth: prefix string with "" (or with '', better).
Try to login again..
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
Re: Global ID and md5 authentication
Have you looked at the newer implementation on launchpad?
Re: Global ID and md5 authentication
Thanks tank program. I did try with the latest version of the script, and also tried with my own implementation following the same authentication logic. I did find that the 2.8.3 and 3 series of the game perform differently on global id authentication. I guess it is something in the client, but I can't be sure.
When using a 3 version server, the path in the URL of the authority is ignored, so if you try to login using [email protected]/path, the server tries to find the folder host.com/armaauth/1.0/ . Using a 2.8.3 server this does not fail.
Anyway, when using empty prefix, this is the request I do get in my server..
http://localhost.int/aad6/armaauth/0.1? ... 1c801ce0c0
So, with 'password' being the password string and using neither prefix nor suffix, according to the authentication logic, we should compute this as:
$computedHash = md5( pack("H*", 'password') . pack("H*", $salt) );
Client submitted hash: ae67adc53e1838828c04801c801ce0c0
Our computed hash: ad07d70b301e951c4869dd0a1bdd28cb
I've done several tests with empty prefix, I tried with NULL, '', "", no luck. I have to say that I'm testing this on Windows (all: client, server and PHP).
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
Re: Global ID and md5 authentication
I can't tell from your code clips, but the packed password you're using should be the packed md5sum password. One of the big things between 0.2.x clients and 0.3 clients would be the bmd5 method. That's md5ing 0x00.'password' rather than just 'password'.
-
- Adjust Outside Corner Grinder
- Posts: 2003
- Joined: Tue Nov 07, 2006 6:02 pm
- Location: paris
Re: Global ID and md5 authentication
Tank Program wrote: That's md5ing 0x00.'password' rather than just 'password'.
er, it's the other way around:
Code: Select all
'password'.char(0)
Re: Global ID and md5 authentication
I got the same problem, has anyone solved it yet? I tried with and without pre/suffix and always get different hashes from server <-> client.
Re: Global ID and md5 authentication
Thanks for your quick reply
In the bug report ilo wrote: When using any string for prefix this fail doesn't happen. I've tested with variations of suffix, and it is working in all cases.
But for me even this doesn't work. Just to make sure that I am doing it right: I choose my password "test". In the config.php I define the prefix "123". I store md5("123test") in my DB and should be able to log in with user Jip and password test. Is that right?
Re: Global ID and md5 authentication
Sorry for double post just wanted to bring this up again...
Has nobody an idea why the stuff is not working for me? Would be very helpful.
If it's helpful I can post the generated hashes from client and auth server...
I am using this script: http://bazaar.launchpad.net/~armagetron ... ork/files/ maybe there is a newer version?
-
- Adjust Outside Corner Grinder
- Posts: 2003
- Joined: Tue Nov 07, 2006 6:02 pm
- Location: paris
Re: Global ID and md5 authentication
That is always the latest stuff, but I can't help you if you don't tell me what's the problem.
- Infa(mous)
- Round Winner
- Posts: 255
- Joined: Thu Aug 14, 2008 11:27 pm
Re: Global ID and md5 authentication
The problem is that we don't understand the md5 hashing logic. How should the hash go? md5(username . password)? Something more complex?
-Infamous
-
- Adjust Outside Corner Grinder
- Posts: 2003
- Joined: Tue Nov 07, 2006 6:02 pm
- Location: paris
Re: Global ID and md5 authentication
Code: Select all
md5( prefix . clear_password . suffix )
(If you use %u, that forces usernames to be case-sensitive)
- Infa(mous)
- Round Winner
- Posts: 255
- Joined: Thu Aug 14, 2008 11:27 pm
Re: Global ID and md5 authentication
So it would be md5( clear_password ) with no prefix and suffix? Or would it be md5 ( username . clear_password . username )?
-Infamous
Re: Global ID and md5 authentication
For empty prefix and suffix, it would be md5( password ). But you need to know that not including %u in either suffix or prefix makes your passwords more vulnerable to rainbow table type attacks (if your database gets into the wrong hands). Of course, you don't need the cleartext password to log in, just said md5 hash, so if your database gets stolen, you have that to worry about.
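The hashing rules discussed in this thread, collected into one sketch. This is an added example, not part of any post above and not the armaauth reference script. The function names and the sample salt are made up for illustration, and replacing `%u` with the user name is an assumption about how the prefix/suffix template is expanded.

```php
<?php
// Added illustration; not the armaauth reference script.
// Assumption: "%u" in prefix/suffix is replaced by the user name.

// Value kept in the database: md5( prefix . clear_password . suffix ), as hex.
function storedHash(string $user, string $password, string $prefix, string $suffix): string {
    $prefix = str_replace('%u', $user, $prefix);
    $suffix = str_replace('%u', $user, $suffix);
    return md5($prefix . $password . $suffix);
}

// "bmd5" variant as corrected in the thread: password followed by a NUL byte.
function storedHashBmd5(string $password): string {
    return md5($password . chr(0));
}

// Challenge response: md5 over the binary stored hash and the binary salt.
// pack("H*", ...) expects hex digits, so it must be given the stored md5 hex
// string and never the clear-text password.
function expectedResponse(string $storedHex, string $saltHex): string {
    if (!ctype_xdigit($storedHex) || !ctype_xdigit($saltHex)) {
        throw new InvalidArgumentException('hash and salt must be hex strings');
    }
    return md5(pack('H*', $storedHex) . pack('H*', $saltHex));
}

// Compare in constant time against what the client submitted.
function checkLogin(string $storedHex, string $saltHex, string $clientHex): bool {
    return hash_equals(expectedResponse($storedHex, $saltHex), strtolower($clientHex));
}

$salt = '00112233445566778899aabbccddeeff';   // constructed sample salt

// Empty prefix and suffix: the stored value is plain md5(password).
$stored = storedHash('test', 'password', '', '');
// Simulated client response, computed with the same formula (assumption).
$client = expectedResponse($stored, $salt);
var_dump(checkLogin($stored, $salt, $client));

// Same password for two users without %u: compare the database entries.
var_dump(storedHash('alice', 'password', '', '') === storedHash('bob', 'password', '', ''));

// Same comparison with the "%u:aaauth:" prefix mentioned in the thread.
var_dump(storedHash('alice', 'password', '%u:aaauth:', '')
      === storedHash('bob', 'password', '%u:aaauth:', ''));
```

The last two comparisons show the point made about `%u`: without it, equal passwords produce equal database entries, which is what makes precomputed tables effective against a leaked table.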