Per-Server authentication

flea · Post by **flea** » Fri Apr 28, 2006 7:02 pm

hey guys

i'd like to suggest a possible idea for future.

per-server authentication,

i realize that (especially for new players & occasional players) this would not be fun to go thru the hassle, but how about making it optional, (imagine Freenode irc) if the name is regd, then u have to identify (per-server of course) and i would suggest making a script that integrated to the ded that would read a [table] of whatever sorts.

my reason for this, a lot of punk-kids have too much time on their hands and [for whatever reason] like to use everyone else's name EVEN while the other person is IN the game. that of course makes poll'ing very confusing.

Website · Post by **Z-Man** » Sat Apr 29, 2006 10:11 am

Well, with just a little server modding, this would be possible today; all you need is a way to feed the server the MD5 hash of player passwords. The reason I'm reluctant to add it officially is that it would marry us to the krawall pasword query client side code. In the current state, we can remove it without notice, but as soon as there are servers out there using it, we'll have to keep it around.

Luke-Jr · Post by **Luke-Jr** » Sat Apr 29, 2006 12:01 pm

flea: you do realize we have plans for a proper global authentication system, right?

flea · Post by **flea** » Sat Apr 29, 2006 4:10 pm

Luke-Jr wrote:flea: you do realize we have plans for a proper global authentication system, right?

actually, sorry i didnt. for the moment, i havent the time to follow along (as i so wish i could)
awesome that it was planned already, i was truly just about to lose my mind with the pre-teen kiddie 'imposters' the day i posted it!

flea · Post by **flea** » Sat Apr 29, 2006 8:09 pm

z-man wrote:Well, with just a little server modding, this would be possible today; all you need is a way to feed the server the MD5 hash of player passwords. The reason I'm reluctant to add it officially is that it would marry us to the krawall pasword query client side code. In the current state, we can remove it without notice, but as soon as there are servers out there using it, we'll have to keep it around.

could a back-end be possible? this would make it be seperate from current distributions and could interface ONLY with the admin console?

ie: run a bot (imagine irc again i hate to say) that just watches server log, matches join-names & changed-names to the 'registered list' and if a match is found then if no 'authentication' is validated then the back-end will send a kick command thru the admin console.

the only thing i suppose would have to be implemented in this case is a prompt for 'identifiying' ones-self.

just a thought

flea · Post by **flea** » Sat Apr 29, 2006 8:12 pm

instead of changing current code to handle user authentication notice...
couldnt the 'back-end' send a pm to the user (via the admin console) that warns the user of the registered name.

also giving the user certain amount of time to id before the kick is initiated.

Luke-Jr · Post by **Luke-Jr** » Sun Apr 30, 2006 7:42 am

None of the proposed authentication schemes deal with registering usernames.

ed · Post by ed » Sun Apr 30, 2006 9:52 am

flea wrote:the only thing i suppose would have to be implemented in this case is a prompt for 'identifiying' ones-self.

not perfect. but if I write "/login eddie" on chat
where eddie isn't the admin pass, on my screen it say "Login Denied" (or similar), to the server logs is written:

[3] Remote admin login for user "-|ct|-ed-" using password "eddie" rejected.

Couldn't this be used for authentication?
A bit hacky, but should work. Could even link to a backend database of users, mysql or something and show how many times logged on, who failed to log on, etc.

If the server was set to AUTO_TEAM 0 (I think that's it) then it won't allow a player to join a team until authenticated - pehaps kick them if they try.

Luke-Jr · Post by **Luke-Jr** » Sun Apr 30, 2006 1:05 pm

Also note that the actual login process in all proposed authentication schemes never passes through the game server.

flea · Post by **flea** » Sun Apr 30, 2006 3:35 pm

Luke-Jr wrote:None of the proposed authentication schemes deal with registering usernames.

im not sure whats the official vote for this, but i was thinking as a per-server deal, the registering process would/should be handled by each server (php -> sql)

ed wrote:not perfect. but if I write "/login eddie" on chat
where eddie isn't the admin pass, on my screen it say "Login Denied" (or similar), to the server logs is written:

may seem really hackish,

what about (assuming i am username flea)
/msg flea identify pass
/msg flea <whatever command needs to be parsed by the log-viewer> (script)

im just thinking of possible scenarios that can be tried w/o forcing the client to be upgraded.

Walking Tree · Post by **Walking Tree** » Sun Apr 30, 2006 5:19 pm

I don't know if anyone has been thinking about scripting lately, but per-server authenthication could be handled by a server-side scripted bot, kind of à la IRC. Scriping would make it possible to change the rules on-the-fly - like from having to authenthicate to use registered names to being able to use a registration to get rid of imposters (IRC-style again)...
For global authenthication, the script would just query the master auth server instead of a local db.
Old clients would see it chatbot-style, new clients could support some auth-bot protocol which is not usedon older clients to display a more friendly password-entry.

flea · Post by **flea** » Sun Apr 30, 2006 5:38 pm

Walking Tree wrote:I don't know if anyone has been thinking about scripting lately, but per-server authenthication could be handled by a server-side scripted bot, kind of à la IRC. Scriping would make it possible to change the rules on-the-fly - like from having to authenthicate to use registered names to being able to use a registration to get rid of imposters (IRC-style again)...
For global authenthication, the script would just query the master auth server instead of a local db.
Old clients would see it chatbot-style, new clients could support some auth-bot protocol which is not usedon older clients to display a more friendly password-entry.

are we related? jk

Website · Post by **Z-Man** » Sun Apr 30, 2006 7:38 pm

Those are all great ideas, but scripting is still a way off, and it's really all quite hackish and, in the long term, goes into the wrong direction. There is already special client code (password query menus, sending the password securely to the server) so we wouldn't require chat hacks at all. The server can already verify the password, all that is missing is some code that tells the server what the password (resp. a specific MD5 hash thereof) should really be. It'd be terribly easy to add it and make good use of all the currently dormant code and it would make perfect sense now, but it does not fit into our final plans. Not at all. Please understand that.

Post by **Tank Program** » Sun Apr 30, 2006 9:34 pm

Also note the current system requires storing the passwords in plain text- hardly desirable for a long run setup.

Website · Post by **Z-Man** » Mon May 01, 2006 8:43 am

No, it requests the passwords as MD5 checksums. But that doesn't change what I said