Password authentication systems

neokosmos at gmail.com
Thu Aug 10 20:28:45 EDT 2006


Paul Rubin wrote:
> neokosmos at gmail.com writes:

> > I had considered the hmac module.  The thing that bugs me about it is
> > that I'd have to keep this secret key around someplace accessible to
> > the server.  Most likely, this means storing it in a file.
>
> Yeah, this issue is traditionally a nuisance, especially if the server
> has to restart itself after a crash.  If you start the server
> manually, you can type in a passphrase.

Ah, yes, I see I failed to mention that I would like the server to at
least try and restart itself after a crash.  Hence, my earlier
apprehension at using a stored secret key.

I realize that having the players communicate with the server via plain
telnet is a huge security hole.  For a commercial server, I'd probably
do things differently, but, again, for a free game server, the idea is
to allow players with ordinary telnet or MUD clients to connect without
problems.

My goal is to keep user passwords as safe as possible, assuming someone
did decide to steal the password files.  I'm willing to punt versus
attacks that will intercept the password between the player and the
server in order to allow the player to connect with a non-custom
client.  This requirement might evolve in the future, but, for now,
that's how I'm envisioning things.
