Complete.Org: Mailing Lists: Archives: freeciv-dev: August 2001:
[Freeciv-Dev] Re: Passwd auth with MD5 hash

To: Auth Gábor <franko@xxxxxxxxxxxxxxxx>
Cc: freeciv-dev@xxxxxxxxxxx
Subject: [Freeciv-Dev] Re: Passwd auth with MD5 hash
From: Trent Piepho <xyzzy@xxxxxxxxxxxxx>
Date: Tue, 21 Aug 2001 11:44:56 -0700 (PDT)

On Tue, 21 Aug 2001, Auth Gábor wrote:
> >> [...] the owner of the save game file can always change the password
> >> or hack the server to not hash it, so it doesn't add any security.

> > It does in civserver.freeciv.org where password-based authentication
> > would be very nice, while the savegames are published on the website.

>   I try write usable password authentication to FreeCiv, because while
> my connection is closed, meanwhile other people can't join in my name...
>   DES or MD5 hash is very good for insecure usage, where I can't trust
> in the server admin. The MD5 hash can't explain, except brutal force. If

It doesn't add anything if you can't trust the server admin, since he can just
modify the server to tell him the password when you enter it.

But Reinier has a point, that if save games are made available to anyone then
you really need to keep the password hidden in the save game file.

Since crypt() isn't portable, there should be an autoconf check for it, and
platforms that don't have it can just not have password support.  It's only
really needed for public servers, which all run UNIX at this point.
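
An added example, not part of the original message and not Freeciv's code: one way the compile-time fallback suggested above could look in C, with only the crypt() hash kept in the save game. The function names and `PASSWORD_SUPPORTED` are hypothetical; `HAVE_CRYPT` and `HAVE_CRYPT_H` are assumed to be defined by configure (for example via `AC_CHECK_FUNCS([crypt])` and `AC_CHECK_HEADERS([crypt.h])`).

```c
/* Added example; names are hypothetical, not Freeciv's. HAVE_CRYPT and
 * HAVE_CRYPT_H are assumed to come from configure's check for crypt()
 * (link with -lcrypt where the platform needs it). */
#ifdef HAVE_CRYPT
#define _XOPEN_SOURCE 600
#include <unistd.h>
#ifdef HAVE_CRYPT_H
#include <crypt.h>
#endif
#define PASSWORD_SUPPORTED 1
#else
#define PASSWORD_SUPPORTED 0   /* no crypt(): build without password support */
#endif
#include <string.h>

/* Hash `plain` into `out` for storage in the save game. `setting` is the
 * salt/setting string in the format the platform's crypt() accepts.
 * Returns 0 on success, -1 if unsupported, on error, or if `out` is small. */
int password_hash(const char *plain, const char *setting,
                  char *out, size_t outlen)
{
#ifdef HAVE_CRYPT
  const char *h;
  if (!plain || !setting || !out) return -1;
  h = crypt(plain, setting);
  /* Failure is NULL on some systems and a token starting with '*' on others. */
  if (!h || h[0] == '*' || strlen(h) >= outlen) return -1;
  strcpy(out, h);   /* copy out of crypt()'s static buffer */
  return 0;
#else
  (void) plain; (void) setting; (void) out; (void) outlen;
  return -1;
#endif
}

/* Check a login against the hash read from the save game: 1 = match,
 * 0 = mismatch, -1 = no password support in this build or bad arguments.
 * The stored hash doubles as the setting, so no plaintext is ever kept. */
int password_check(const char *entered, const char *stored)
{
  char h[256];
  size_t i, n;
  unsigned char diff = 0;
  if (!PASSWORD_SUPPORTED || !entered || !stored) return -1;
  if (password_hash(entered, stored, h, sizeof h) != 0
      || (n = strlen(stored)) != strlen(h)) return 0;
  for (i = 0; i < n; i++) diff |= (unsigned char) (h[i] ^ stored[i]);
  return diff == 0;
}
```

A server built without `HAVE_CRYPT` gets -1 from both functions and can refuse to enable password-protected logins instead of falling back to storing plaintext.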


