Password authentication systems
Paul Rubin
Thu Aug 10 19:32:05 EDT 2006
neokosmos at gmail.com writes:
> This is a password authentication system
> intended for a game server (a MUD/MMOG, in fact). The real limiting
> factor here is that I want to keep the server accessible via pure
> telnet protocol. Otherwise, using SSH would make sense.

If you're going to broadcast passwords in the clear over the network,
that's a pretty big leak as well, that obscuring the stored
server-side checksums won't help with. Will the game players use a
special client program? If yes, use SRP (http://srp.stanford.edu).
This has already been implemented in Python several times.

> I had considered the hmac module. The thing that bugs me about it is
> that I'd have to keep this secret key around someplace accessible to
> the server. Most likely, this means storing it in a file.

Yeah, this issue is traditionally a nuisance, especially if the server
has to restart itself after a crash. If you start the server
manually, you can type in a passphrase.
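Added example, not part of the original post or of either poster's code: one way to combine the hmac idea with the typed-in passphrase, so the HMAC key exists only in the running server's memory and the stored records cannot be tested offline without it. The function names, the PBKDF2 work factor and the record layout are assumptions made for this sketch; it covers only the stored records, not the cleartext telnet link.

```python
import getpass
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # assumed work factor, tune for the server's hardware


def derive_server_key(passphrase, key_salt):
    """Stretch the operator's startup passphrase into the HMAC key.

    key_salt is not secret and can sit on disk next to the user database;
    the passphrase and the derived key are never written to disk.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), key_salt, KDF_ITERATIONS)


def _tag(server_key, salt, password):
    # Salted stretching makes each guess slow even if the key leaks;
    # the HMAC layer makes guessing impossible while the key stays secret.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.new(server_key, salt + stretched, hashlib.sha256).digest()


def make_record(server_key, password):
    """Return the (salt, tag) pair to store for a new account."""
    salt = os.urandom(16)
    return salt, _tag(server_key, salt, password)


def check_password(server_key, record, password):
    """Verify a login attempt against a stored (salt, tag) pair."""
    salt, tag = record
    return hmac.compare_digest(tag, _tag(server_key, salt, password))


if __name__ == "__main__":
    key_salt = b"constructed-salt"  # constructed; use a random stored value in practice
    key = derive_server_key(getpass.getpass("Server passphrase: "), key_salt)
    record = make_record(key, "constructed-player-password")
    print(check_password(key, record, "constructed-player-password"))
```

As the reply notes, an unattended restart after a crash has no operator to type the passphrase, so this only fits servers that are started manually.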