Krawall-based team management and admin logon

What do you want to see in Armagetron soon? Any new feature ideas? Let's ponder these ground breaking ideas...

Post by Luke-Jr »

<?php
// Request parameters: user name, salt (hex), the client's hash (hex) and the hash method.
$user = @$_GET['user'] . '';
$salt = @$_GET['salt'] . '';
$hash = @$_GET['hash'] . '';
$method = @$_GET['method'] . '';

// The function name must be a quoted string; bare sha1/md5 would be undefined constants.
$f = ($method == 'sha1') ? 'sha1' : 'md5';

// check whether user is in "database" 
if ($user != 'luke')
	die('UNKNOWN_USER');

// the salt arrives hex encoded; hash over its raw bytes
$packedSalt = @pack("H*", $salt);

function checkPass($password) {
	global $packedSalt, $hash, $f;
	// $password is the hex digest of the stored password; hash its raw bytes plus the salt
	$packedPassword = @pack('H*', $password);
	$correctHash = $f($packedPassword . $packedSalt);
	if (strcasecmp($hash, $correctHash) === 0)
		die('PASSWORD_OK');
}

// fetch password from "database"
$realPassword = 'Fubar';
checkPass($f($realPassword));
// old clients hash the password together with its trailing NUL byte; accept that form too
if ($method != 'sha1')
	checkPass($f($realPassword . @pack('H*', '00')));

die('PASSWORD_FAIL');

RewriteEngine On
RewriteRule	^(.*?)/?$	hashauth.php?method=$1&%{QUERY_STRING}
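
The exchange that hashauth.php checks, written out for both ends as an added example (my code, not Luke-Jr's script and not anything from the Armagetron project). It assumes the client sends hex(f(f(password) || salt)), which is what checkPass() recomputes, and that the old clients' "broken" md5 differs from the good one only by the NUL byte the pack('H*', '00') fallback appends. The user table, password and salt are constructed test data, and hmac.compare_digest stands in for the script's strcasecmp.

```python
"""Added example, not code from this thread or the Armagetron project: the hash
exchange that hashauth.php verifies, for the client and the server side, so the
'md5', 'sha1' and old-client 'bmd5' forms can be compared.

Assumptions: bmd5 is md5 over the password plus its C-string NUL terminator;
the user table, password and salt below are constructed test data.
"""
import hashlib
import hmac
import os

USERS = {"luke": "Fubar"}   # constructed stand-in for the forum database


def _digest(method: str):
    return hashlib.sha1 if method == "sha1" else hashlib.md5


def inner_digest(password: str, method: str) -> bytes:
    """Stage one: hash of the password alone (what the server stores, as hex).
    'bmd5' reproduces the old client bug of hashing the trailing NUL byte."""
    data = password.encode("latin-1")
    if method == "bmd5":
        data += b"\x00"
    return _digest(method)(data).digest()


def client_response(password: str, salt: bytes, method: str) -> str:
    """Stage two, computed by the game client: hex(f(inner || salt)).
    This is the value the game server forwards to the script as 'hash'."""
    return _digest(method)(inner_digest(password, method) + salt).hexdigest()


def unhex(text: str) -> bytes:
    """pack('H*', ...) tolerates bad input; mimic that instead of raising."""
    try:
        return bytes.fromhex(text)
    except ValueError:
        return b""


def verify(user: str, salt_hex: str, hash_hex: str, method: str) -> str:
    """Server side, same decisions as hashauth.php: anything but 'sha1' is
    treated as md5, and for md5 the bmd5 form of the password is tried as well."""
    if user not in USERS:
        return "UNKNOWN_USER"
    method = "sha1" if method == "sha1" else "md5"
    salt = unhex(salt_hex)
    candidates = [client_response(USERS[user], salt, method)]
    if method == "md5":
        candidates.append(client_response(USERS[user], salt, "bmd5"))
    given = hash_hex.lower().encode("ascii", "replace")
    for expected in candidates:
        # constant-time comparison instead of the script's strcasecmp
        if hmac.compare_digest(expected.encode(), given):
            return "PASSWORD_OK"
    return "PASSWORD_FAIL"


def demo() -> dict:
    """Runs each method against the server logic with a fresh random salt."""
    salt = os.urandom(8)
    s = salt.hex()
    return {
        "md5": verify("luke", s, client_response("Fubar", salt, "md5"), "md5"),
        "bmd5 under md5": verify("luke", s, client_response("Fubar", salt, "bmd5"), "md5"),
        "bmd5 under sha1": verify("luke", s, client_response("Fubar", salt, "bmd5"), "sha1"),
        "sha1": verify("luke", s, client_response("Fubar", salt, "sha1"), "sha1"),
        "wrong password": verify("luke", s, client_response("fubar", salt, "md5"), "md5"),
        "unknown user": verify("tank", s, "", "md5"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Note that the outer hash is keyed only by the salt the game server chose; the authority never sees the password, only the stored first-stage digest, which is what makes the NUL-byte variant a separate credential that has to be stored separately.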

Post by Tank Program »

I've got it working with the forums database.

http://authentication.armagetronad.net/hashauth.php
Last edited by Tank Program on Mon Jan 21, 2008 10:37 am, edited 1 time in total.

Post by Z-Man »

Luke-Jr wrote:Ok, maybe I was misunderstanding then... I thought z-man was implying the username was copied from the displayed name..
Well, it is, initially. Clients currently only know one name, so the screen name (filtered) is what is put into the login form. It can be edited, though. We should, of course, add another name field so that those who like to change screen names often don't have to re-edit the login form every time, and so that they don't have to "/login <authority>" all of the time.
Luke-Jr wrote:Then when people run the wrong script?
That's for you to figure out :) I don't know how your script stuff works. It should be easily detectable if the script for servers with authentication is run on a server without; you'll get names without @ from them. For the other kind of wrong script, we could let the server print authentication status messages; as soon as you get one of those from the non-authentication script, you know it's wrong.
Luke-Jr wrote:Also keep in mind you're breaking compatibility for a LOT of scripts and forcing them all to add this.
Breaking compatibility with a transition plan, mind you. I didn't say it wasn't work, but it is work that we will be done with. An untypeable character in all fully qualified user IDs that server admins either have to copy paste from somewhere or add to the keyboard configuration (which they can't always do because they're not on a computer they have control over) for the rest of arma's lifetime would be a lot worse.
Luke-Jr wrote:Edit: new approach: the fact that mangling will change is unavoidable
Can we get ladderlog to record the unmangled names when someone logs in or renames?
Yeah, that would be possible. But what are you going to do with the unmangled name? /me does not understand the plan.

Post by Luke-Jr »

z-man wrote:
Luke-Jr wrote:Ok, maybe I was misunderstanding then... I thought z-man was implying the username was copied from the displayed name..
Well, it is, initially. Clients currently only know one name, so the screen name (filtered) is what is put into the login form. It can be edited, though. We should, of course, add another name field so that those who like to change screen names often don't have to re-edit the login form every time, and so that they don't have to "/login <authority>" all of the time.
Possible to have a default in player setup?
z-man wrote:
Luke-Jr wrote:Then when people run the wrong script?
That's for you to figure out :) I don't know how your script stuff works. It should be easily detectable if the script for servers with authentication is run on a server without; you'll get names without @ from them. For the other kind of wrong script, we could let the server print authentication status messages; as soon as you get one of those from the non-authentication script, you know it's wrong.
Currently, the ratings server is completely stateless.
z-man wrote:
Luke-Jr wrote:Also keep in mind you're breaking compatibility for a LOT of scripts and forcing them all to add this.
Breaking compatibility with a transition plan, mind you. I didn't say it wasn't work, but it is work that we will be done with. An untypeable character in all fully qualified user IDs that server admins either have to copy paste from somewhere or add to the keyboard configuration (which they can't always do because they're not on a computer they have control over) for the rest of arma's lifetime would be a lot worse.
1. Admin commands need standardization for player matching anyway. We can do some processing there.
2. We have control over keyboard input, I believe? In theory, we should be able to map Alt-R to ®...

But this discussion no longer has a purpose. Two typable characters are impossible to get with the current name mangling. The obvious one, a space, can't work because it is also the delimiter. However, zero is not a problem. So authenticated users could be mangled as, eg: 0:luke@dashjr.org
To ensure we are capable of more compatible mangling in the future, I propose the following restriction for the part following "0:":
Only a-z_+.1-9- characters are allowed, plus one @ to allow for the name/server separation.
z-man wrote:
Luke-Jr wrote:Edit: new approach: the fact that mangling will change is unavoidable
Can we get ladderlog to record the unmangled names when someone logs in or renames?
Yeah, that would be possible. But what are you going to do with the unmangled name? /me does not understand the plan.
Throw it in the database for a start, and begin matching with it. TBH, the whole mangled username thing is just an inconvenience for me. :)

Post by Tank Program »


Post by Z-Man »

Patch has been committed to branch 0.2.8-auth, branching from 0.2.8. Full svn URL:
https://armagetronad.svn.sourceforge.ne ... 0.2.8-auth

What Tank did not tell you is that he found a workaround for the broken md5 sum; every time you successfully log in here, the broken md5 sum of your password is added to the database, and the "bmd5" method checks it. So we have compatibility to old clients, woo!

Bugfarm Elimination Sumo has been updated to the branch, you can test stuff there. Just say "/login authentication.armagetronad.net". Not that you get anything apart from a login message. Just be sure you log out of the forum and log in again, so Tank's authentication script knows the correctly broken md5 sum.

Post by Luke-Jr »

Made some modifications to my script. This one uses standard HTTP authentication headers (with our non-standard methods) and status codes (401 vs 200) while remaining backward compatible with the custom GET requests.

armaauth.php

<?php
// The Authorization header reaches PHP via the env trick in .htaccess below; it may be absent.
$auth = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
if (strncmp($auth, 'AA-Hash-', 8) === 0)
{
	// "AA-Hash-<method> user=...&salt=...&hash=..."; parameters after the space
	// override the query string, so the old GET form keeps working.
	$pos = strpos($auth, ' ');
	if ($pos === false)
		$pos = strlen($auth);
	$_REQUEST['method'] = substr($auth, 8, $pos - 8);
	parse_str(substr($auth, $pos + 1), $p);
	$GLOBALS['_REQUEST'] = $p + $GLOBALS['_REQUEST'];
}

$user = @$_REQUEST['user'] . '';
$salt = @$_REQUEST['salt'] . '';
$hash = @$_REQUEST['hash'] . '';
$method = @$_REQUEST['method'] . '';

function conclude($statusCode, $msg) {
	header("Status: $statusCode $msg", true, $statusCode);
	// on 401, advertise every supported hash method as an HTTP auth challenge
	if ($statusCode == 401)
		foreach (array(
			'bmd5',
			'md5',
			'sha1',
		) as $m)
			header("WWW-Authenticate: AA-Hash-$m realm=" . $_SERVER['HTTP_HOST'], false);
	die("$msg\n");
}

// The function name must be a quoted string; bare sha1/md5 would be undefined constants.
$f = ($method == 'sha1') ? 'sha1' : 'md5';

// check whether user is in "database" 
if ($user != 'test' || $_SERVER['HTTP_HOST'] != 'p.armagetronad.net')
	conclude(401, 'UNKNOWN_USER');

// the salt arrives hex encoded; hash over its raw bytes
$packedSalt = @pack("H*", $salt);

function checkPass($password) {
	global $packedSalt, $hash, $f;
	// $password is the hex digest of the stored password; hash its raw bytes plus the salt
	$packedPassword = @pack('H*', $password);
	$correctHash = $f($packedPassword . $packedSalt);
	if (strcasecmp($hash, $correctHash) === 0)
		conclude(200, 'PASSWORD_OK');
}

// fetch password from "database"
$realPassword = 'test';
// "bmd5": old clients hash the password including its trailing NUL byte
if ($method == 'bmd5')
	$realPassword = "$realPassword\0";
checkPass($f($realPassword));

conclude(401, 'PASSWORD_FAIL');
.htaccess

RewriteEngine On
RewriteRule	^/?(armaauth|hashauth)(/(.*?))?/?$	armaauth.php?method=$3&%{QUERY_STRING} [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
HTTP request

GET /armaauth HTTP/1.1
Host: p.armagetronad.net
Authorization: AA-Hash-md5 user=test&salt=&hash=
Edit: svn co https://armagetronad.svn.sourceforge.ne ... rver/trunk http-arma-server
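
The request handling armaauth.php does, modelled as an added example (my code, not the script above and not Armagetron's) so that the Authorization header form and the older GET form can be exercised side by side. It assumes one constructed user ('test'/'test'), the hash shape hex(f(f(password) || salt)) with bmd5 adding the C-string NUL to the password, and uses hmac.compare_digest in place of the script's strcasecmp; the realm is taken from the Host header as the script does.

```python
"""Added example, not the armaauth.php script and not Armagetron code: the same
decisions as the script, as a function returning (status, headers, body).

Assumptions: one constructed user; hashes are hex(f(f(password) || salt)) with
'bmd5' hashing the password's trailing NUL as well; header parameters override
query parameters, as $p + $_REQUEST does in the script.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl

METHODS = ("bmd5", "md5", "sha1")
USERS = {"test": "test"}          # constructed stand-in for the MySQL user table
HOST = "p.armagetronad.net"


def expected_hash(password: str, salt: bytes, method: str) -> str:
    """hex(f(f(password) || salt)); bmd5 is md5 over password + NUL."""
    f = hashlib.sha1 if method == "sha1" else hashlib.md5
    pw = password.encode("latin-1") + (b"\x00" if method == "bmd5" else b"")
    return f(f(pw).digest() + salt).hexdigest()


def parse_authorization(header: str):
    """'AA-Hash-md5 user=test&salt=..&hash=..' -> (method, params), else None."""
    if not header.startswith("AA-Hash-"):
        return None
    scheme, _, query = header.partition(" ")
    params = dict(parse_qsl(query, keep_blank_values=True))
    return scheme[len("AA-Hash-"):], params


def conclude(status: int, msg: str, host: str):
    """Mirror of conclude(): status line plus one challenge per method on 401."""
    headers = [("Status", f"{status} {msg}")]
    if status == 401:
        headers += [("WWW-Authenticate", f"AA-Hash-{m} realm={host}") for m in METHODS]
    return status, headers, msg + "\n"


def handle_request(headers: dict, query=None):
    """headers: HTTP request headers; query: GET parameters of the legacy form."""
    host = headers.get("Host", "")
    params = dict(query or {})
    auth = parse_authorization(headers.get("Authorization", ""))
    if auth:
        method, p = auth
        params = {**params, "method": method, **p}   # header values win
    method = params.get("method", "")
    user = params.get("user", "")
    if user not in USERS or host != HOST:
        return conclude(401, "UNKNOWN_USER", host)
    try:
        salt = bytes.fromhex(params.get("salt", ""))
    except ValueError:
        salt = b""                                  # pack('H*') would not complain
    if method not in METHODS:
        method = "md5"                              # the script's default
    expected = expected_hash(USERS[user], salt, method).encode()
    given = params.get("hash", "").lower().encode("ascii", "replace")
    if hmac.compare_digest(expected, given):        # constant time, unlike strcasecmp
        return conclude(200, "PASSWORD_OK", host)
    return conclude(401, "PASSWORD_FAIL", host)


def demo():
    """The request from the post, with the salt and hash filled in."""
    salt = "5a17c3"
    h = expected_hash("test", bytes.fromhex(salt), "md5")
    request = {"Host": HOST,
               "Authorization": f"AA-Hash-md5 user=test&salt={salt}&hash={h}"}
    return handle_request(request)


if __name__ == "__main__":
    print(demo())
```

Unlike hashauth.php, this script (and the model) only tries the bmd5 form when the request names that method, so a client whose hash was computed the old way but sent as 'md5' gets PASSWORD_FAIL.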

Post by Tank Program »

I've updated that with the code changes for hooking into MySQL databases. (It's what authentication.armagetronad.net is using now.)

Post by Z-Man »

Goody, will use that script on my moosnet test thing, too, and implement return code checking and proper error messages for the authenticating user. Are there any advantages for not putting the request data into the URL itself, apart from fanciness?

For those who missed the IRC discussion, the password hash transfer method that the current clients support has been named "bmd5" (b for broken), and a yet-to-be-fleshed-out replacement where a good md5 sum is taken is our "md5" authentication method. "sha1" should work the same way, just with sha1 hash functions.

I've got a simple idea how to eliminate the badmin problem for the good "md5" method: the client scrambles the salt as it is sent by the server with the server's IP and port before it enters the system. The server does the same before the salt is sent to the authentication server. Then the hash sent from the client to the badmin server is useless for authentication on any other server.

Technical difficulty here: how does the server know the IP the client knows it under? In the future, the client may connect over ip6 or ip4, and even now, the client may connect over LAN or the Internet. Servers with multiple IPs can keep them apart with "SERVER_IP ALL", but for servers behind a router, clients connecting over the LAN and over the internet are indistinguishable, as far as I can tell. And letting the client tell the server which IP it used to connect would subvert the scheme, naturally :) We'd need the master server to inform the servers about their public IPs (no problem), and let the server determine its LAN IP with the SERVER_IP ALL method, and then the server needs to try all variants when talking to the authentication server.

Post by Luke-Jr »

How about hashing the server name?

Post by Tank Program »

Luke was pointing out that if authentication.armagetronad.net uses both the Forums and Wiki database, that potentially you could have two separate people using the same name, both able to login from the same authentication system. The same would apply to anyone using multiple databases with the auth server. Would it be possible to add a third parameter for database, that if not set would just have a default, and only use that. But if set, then use that database. So like... Z-man@authentication.armagetronad.net:wiki would use the wiki database but Z-man@authentication.armagetronad.net would use the forums, or whatever database was set to the default.

Post by Luke-Jr »

Tank Program wrote:Luke was pointing out that if authentication.armagetronad.net uses both the Forums and Wiki database, that potentially you could have two separate people using the same name, both able to login from the same authentication system. The same would apply to anyone using multiple databases with the auth server. Would it be possible to add a third parameter for database, that if not set would just have a default, and only use that. But if set, then use that database. So like... Z-man@authentication.armagetronad.net:wiki would use the wiki database but Z-man@authentication.armagetronad.net would use the forums, or whatever database was set to the default.
At that point, might as well use the existing subdomains:

z-man@forums.armagetronad.net
z-man@wiki.armagetronad.net

Post by Z-Man »

Hashing the server name won't work; 1. If you custom connect, you don't know the server name, and 2. If I plan to steal logins for server X on my server, I'll name it X, too.
Luke-Jr wrote:At that point, might as well use the existing subdomains:

z-man@forums.armagetronad.net
z-man@wiki.armagetronad.net
Yeah :)
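
A model of the "badmin" relay that Z-Man's salt scrambling (two posts up) is meant to stop, and of his point just above that binding the salt to the server name does not help because the rogue server simply copies the name. This is an added example, my code and not Armagetron's; the thread fixes no construction, so it assumes the scrambled salt is md5(salt || binding) with binding either 'ip:port' or the server name, and that a server that may be reached under several addresses (public and LAN) tries each of them with the authority, as Z-Man proposes. Names, addresses and credentials are constructed.

```python
"""Added example, not code from the Armagetron project or from this thread: the
relay attack a rogue game server can mount against the plain scheme, and the
effect of binding the salt to the server name versus to its ip:port.

Assumptions: bound salt = md5(salt || binding); a game server tries every
address it may be known under; the authority only ever sees bound salts.
"""
import hashlib
import hmac
import os

USERS = {"luke": "Fubar"}   # constructed stand-in for the authority's user table


def response_hash(password: str, salt: bytes) -> str:
    """The thread's 'md5' method: hex(md5(md5(password) || salt))."""
    return hashlib.md5(hashlib.md5(password.encode()).digest() + salt).hexdigest()


def bind_salt(salt: bytes, binding: str) -> bytes:
    """Assumed scrambling step, applied by the client and by the game server."""
    return hashlib.md5(salt + binding.encode()).digest()


def authority_check(user: str, salt: bytes, hash_hex: str) -> bool:
    """The authentication server; it receives the salt already bound."""
    if user not in USERS:
        return False
    expected = response_hash(USERS[user], salt).encode()
    return hmac.compare_digest(expected, hash_hex.lower().encode("ascii", "replace"))


class GameServer:
    def __init__(self, name: str, addresses: list, mode: str):
        self.name = name            # what the server calls itself (attacker-chosen)
        self.addresses = addresses  # every 'ip:port' clients might reach it under
        self.mode = mode            # 'none', 'name' or 'address'

    def bindings(self) -> list:
        if self.mode == "address":
            return self.addresses   # public IP, LAN IP, ...: try all of them
        if self.mode == "name":
            return [self.name]
        return [None]

    def verify(self, user: str, salt: bytes, hash_hex: str) -> bool:
        """Ask the authority once per candidate binding."""
        for binding in self.bindings():
            bound = salt if binding is None else bind_salt(salt, binding)
            if authority_check(user, bound, hash_hex):
                return True
        return False


def client_answer(password: str, salt: bytes, peer_name: str, peer_addr: str, mode: str) -> str:
    """Client side: bind the salt to what the client knows about the peer it
    dialled. peer_name is whatever the peer claims; peer_addr is what was dialled."""
    if mode == "address":
        salt = bind_salt(salt, peer_addr)
    elif mode == "name":
        salt = bind_salt(salt, peer_name)
    return response_hash(password, salt)


def direct_login(target: GameServer, dialled_addr: str) -> bool:
    """Honest case: the client dialled target itself, on whichever address."""
    salt = os.urandom(16)
    answer = client_answer(USERS["luke"], salt, target.name, dialled_addr, target.mode)
    return target.verify("luke", salt, answer)


def relayed_login(target: GameServer, rogue: GameServer, rogue_addr: str) -> bool:
    """Badmin: the rogue starts a login at target on the victim's behalf, hands
    target's salt to the victim as if it were its own, and forwards the answer."""
    salt = os.urandom(16)           # issued by target to the rogue
    answer = client_answer(USERS["luke"], salt, rogue.name, rogue_addr, target.mode)
    return target.verify("luke", salt, answer)


def run_scenarios() -> dict:
    public, lan, rogue_addr = "203.0.113.5:4534", "192.168.1.10:4534", "198.51.100.7:4534"
    results = {}
    for mode in ("none", "name", "address"):
        target = GameServer("Bugfarm Elimination Sumo", [public, lan], mode)
        rogue = GameServer(target.name, [rogue_addr], mode)   # copies the name
        results[mode] = {
            "direct (public)": direct_login(target, public),
            "direct (LAN)": direct_login(target, lan),
            "relayed": relayed_login(target, rogue, rogue_addr),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in run_scenarios().items():
        print(f"{mode:8} {outcome}")
```

With no binding and with name binding the relayed login succeeds; with address binding the client's answer was computed for the rogue's ip:port and the target, trying only its own public and LAN addresses, gets PASSWORD_FAIL from the authority. The model does not cover the case Z-Man flags where the client is allowed to tell the server which address it dialled; letting the rogue supply that value would just move the attack.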

Post by Luke-Jr »

z-man wrote:Hashing the server name won't work; 1. If you custom connect, you don't know the server name, and 2. If I plan to steal logins for server X on my server, I'll name it X, too.
So basically, we want to guarantee there's no man in the middle... Not happening with a cleartext protocol.

Post by Lucifer »

I would suggest, tank, that we give serious thought to hacking mediawiki and phpbb to use this same authentication method.