[Freeciv-Dev] Re: Passwd auth with MD5 hash

To: Trent Piepho <xyzzy@xxxxxxxxxxxxx>
Cc: Erik Sigra <sigra@xxxxxxx>, freeciv-dev@xxxxxxxxxxx
Subject: [Freeciv-Dev] Re: Passwd auth with MD5 hash
From: Paul Zastoupil <paulz@xxxxxxxxxxxx>
Date: Fri, 24 Aug 2001 08:27:04 -0700

On Tue, Aug 21, 2001 at 12:45:16PM -0700, Trent Piepho wrote:
> On Tue, 21 Aug 2001, Erik Sigra wrote:
> > > It doesn't add anything if you can't trust the server admin, since he can
> > > just modify the server to tell him the password when you enter it.
> > 
> > Aren't passwords usually sent encrypted over networks? Then the server admin
> > can not modify the server to tell him the password. I don't know how it was
> > implemented in this patch, but if it is implemented at all then it should be
> > this way.
> 
> Usually?  No, not usually.  But with ssh getting more common, cleartext
> passwords over the network are getting rarer.
> 
> Still, even with ssh I can trojan the sshd on the other end to get the
> password.  Sending the password encrypted does no good except against sniffing
> attacks since the server has to decode the password to check it.  If you want
> some scheme where the server never gets to know the password, you need to use
> a public key authentication scheme like RSA or Diffie-Hellman.
> 
> And I think that is WAY overboard for a game!

Actually I always thought that keys were the way to go for
civserver.freeciv.org.  You could keep your private key in your
.civclientrc and leave the public one on civserver.freeciv.org.

Once set up, all the authentication could be made transparent to
the user.

-- 
Paul Zastoupil

