Complete.Org: Mailing Lists: Archives: freeciv-dev: August 2001:
[Freeciv-Dev] MD5 password authentication and so on.

[Freeciv-Dev] MD5 password authentication and so on.

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]

To:	freeciv-dev@xxxxxxxxxxx
Subject:	[Freeciv-Dev] MD5 password authentication and so on.
From:	Vasco Alexandre Da Silva Costa <vasc@xxxxxxxxxxxxxx>
Date:	Tue, 21 Aug 2001 22:18:21 +0100 (WET DST)

Now there are two ways (from what i see) to implement this password
authentication thing. The easy way and the not so easy way.

=== easy way:
(used by several MUDs, MUSHes and good ye olde UNIX login).

The user gives a password and this is sent to the server in some form
(plaintext, crypt()ed or some misterious way). The password is stored in
an encrypted form.
When a user connects he sends the password in plaintext, the server checks
if it matches and all is well.

I guess this is what you use right now.

=== not so easy way:
(public key authentication, RSA or some other, using an authentication
server)

assuming the client knows beforehand the auth server's public key and IP
address and that these weren't tampered:

1) client asks for the server public key.
2) auth server replies with the server public key encrypted with the
   auth server private key so noone can modify it in transit.
3) server public key is decrypted by the client using the auth server
    public key.

4) client sends the server a message encrypted with the server public key
   containing its identifier and a stamp. only the server can decrypt this
   because only he knows the private key.

repeat 4) but from the server side (i.e. server authenticates client). The
server asks the client's public key to the auth server for this.

Now you have a secure channel. This protocol can also be attacked if
someone stores the communications and reuses the messages. This problem is
resolved using timestamps. Of course this requires having synchronized
clocks on all the machines participating in this (doh!).

There's also Kerberos (which also requires synchonized clocks) and several
other ways of doing authentication which vary in their security and
simplicity.


IMHO just use the easy way :-)

Since crypt() isn't very portable i guess freeciv should include a crypt()
implementation if you are going to use it. There is probably some
GPL or BSD code you can use for this. Try freshmeat.net :-)

---
Vasco Alexandre da Silva Costa @ Instituto Superior Tecnico, Lisboa

[Prev in Thread]

Current Thread

[Next in Thread]

[Freeciv-Dev] MD5 password authentication and so on., Vasco Alexandre Da Silva Costa <=
- [Freeciv-Dev] Re: MD5 password authentication and so on., Auth Gábor, 2001/08/21
  - [Freeciv-Dev] Re: MD5 password authentication and so on., Erik Sigra, 2001/08/21

Prev by Date: [Freeciv-Dev] Re: [PATCH] more small directional cleanups
Next by Date: [Freeciv-Dev] Re: MD5 password authentication and so on.
Previous by thread: [Freeciv-Dev] Re: [PATCH] more small directional cleanups
Next by thread: [Freeciv-Dev] Re: MD5 password authentication and so on.
Index(es):
- Date
- Thread