The NWNX Community Forum

Authentication hooks (wishlist)
FunkySwerve



Joined: 02 Jun 2005
Posts: 377

Posted: Tue Oct 14, 2008 3:19

Based on what Asparius told me in private, I can now say with fair certainty that CD key confirmation is NOT sufficient to stop a determined hacker. Looks like a password system of some kind is required.

Funky
Disco



Joined: 06 Dec 2006
Posts: 152

Posted: Wed Oct 15, 2008 9:58

So, if I am correct you associate every character with the cdkey it was created with, right? How do you add the other keys? On account level?

Just interested, want to make something like this as well. The master server is driving our players crazy.

Mmm... I actually can do this already, I think! Every character we create has a key item, which has a name that starts with their cdkey.
Asparius



Joined: 18 Sep 2007
Posts: 52

Posted: Wed Oct 15, 2008 11:21

Storing keys in a database is much more reliable, I think.

In my system, a player is able to 'lock' his account either by cdkey protection or password protection. If he chooses cdkey protection, he can add another authorized cdkey or remove one of the existing ones. When he uses password protection, he is set non-commandable on enter until he types the proper password.
Disco



Joined: 06 Dec 2006
Posts: 152

Posted: Wed Oct 15, 2008 11:28

Thanks. I want to keep it as simple as possible, so I doubt I'll use the password option.

How do you make sure that Player A doesn't enter player B's account and give his own cdkey as an alternative option?
virusman



Joined: 30 Jan 2005
Posts: 1020
Location: Russia

Posted: Wed Oct 15, 2008 11:30

He won't be able to log in without having player B's cdkey. :)
Disco



Joined: 06 Dec 2006
Posts: 152

Posted: Wed Oct 15, 2008 11:41

Alright, after being sent enough nwnkeys.ini files to be playing on different accounts all year round when I asked a player for his private key: how do you make sure a player knows his keys? Seems a silly question, but I know a lot of players don't have a clue about these things.
Asparius



Joined: 18 Sep 2007
Posts: 52

Posted: Wed Oct 15, 2008 14:35

The player is instructed on enter: if he plays from his own copy of the game, he can set his key (the one he is currently playing with) as a 'master' cdkey (all operations like lock/unlock can be done only when playing from this key).

He can also create a password instead - when changing security settings he will need the password.

The system is still in development though :) ..
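The account-lock rules Asparius describes in this thread (CD key or password lock, a 'master' key required to change the authorized list, keys stored in a database) can be modelled as follows. This is an added Python example, not Asparius's system or NWNX code; the table layout, function names and the allow/deny/hold results are assumptions, and it trusts whatever CD key the server reports for the session.

```python
import hashlib, hmac, os, sqlite3

# Hypothetical schema: one row per locked account, one row per authorized key.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE account(name TEXT PRIMARY KEY, mode TEXT, master TEXT, salt BLOB, pwhash BLOB);
CREATE TABLE authkey(name TEXT, cdkey TEXT, PRIMARY KEY(name, cdkey));
""")

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def lock_with_cdkey(name, playing_key):
    # The key the player is connected with becomes the master and first authorized key.
    db.execute("INSERT OR REPLACE INTO account VALUES(?, 'cdkey', ?, NULL, NULL)", (name, playing_key))
    db.execute("INSERT OR IGNORE INTO authkey VALUES(?, ?)", (name, playing_key))

def lock_with_password(name, password):
    salt = os.urandom(16)  # only a salted, stretched hash is stored, never the password
    db.execute("INSERT OR REPLACE INTO account VALUES(?, 'password', NULL, ?, ?)",
               (name, salt, _hash(password, salt)))

def check_password(name, password):
    row = db.execute("SELECT salt, pwhash FROM account WHERE name=? AND mode='password'",
                     (name,)).fetchone()
    return bool(row) and hmac.compare_digest(row[1], _hash(password, row[0]))

def edit_keys(name, playing_key, key, add=True):
    # Only a session on the master key may change the list, so another player
    # cannot attach his own key to the account; the master key cannot be removed.
    row = db.execute("SELECT master FROM account WHERE name=? AND mode='cdkey'",
                     (name,)).fetchone()
    if not row or row[0] != playing_key or (not add and key == row[0]):
        return False
    sql = "INSERT OR IGNORE INTO authkey VALUES(?, ?)" if add else \
          "DELETE FROM authkey WHERE name=? AND cdkey=?"
    db.execute(sql, (name, key))
    return True

def on_enter(name, playing_key):
    row = db.execute("SELECT mode FROM account WHERE name=?", (name,)).fetchone()
    if row is None:
        return "allow"   # account was never locked
    if row[0] == "password":
        return "hold"    # keep the player non-commandable until check_password() succeeds
    ok = db.execute("SELECT 1 FROM authkey WHERE name=? AND cdkey=?",
                    (name, playing_key)).fetchone()
    return "allow" if ok else "deny"
```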
Zebranky



Joined: 04 Jun 2006
Posts: 415

Posted: Sat Oct 18, 2008 3:39

I'm skeptical that this login vulnerability exists. I've done a good amount of research into the NWN login protocol, to the point where I've implemented a client that can log into the server (though it doesn't handle anything after the login process). Unless a client is able to redirect the NWN server's communication to the master server elsewhere, I doubt there's a vulnerability when the MS is up. Specifically, the NWN server absolutely communicates to the MS and verifies both the "community name" credentials (GameSpy, whatever you want to call it) and the CD keys.

Of course, with the MS being spotty as PJ mentioned, some sort of authentication hooks would still be useful. I think Jambo stole my idea of replacing the server password with per-user passwords. :lol:
_________________
Win32 SVN builds: http://www.mercuric.net/nwn/nwnx/

<Fluffy-Kooshy> NWNx plugin is to this as nuclear warheads are to getting rid of fire ants.

<ThriWork> whenever I hear nwn extender, I think what does NWN need a penis extender for?
FunkySwerve



Joined: 02 Jun 2005
Posts: 377

Posted: Sat Oct 18, 2008 5:23

Zebranky PM'd me privately asking what the vulnerability was, and I told him no. I'm simply not going to discuss it - the fewer people know, the better. If you don't want to believe it exists, so much the better. I will say that I confirmed it with acaos, however.

Funky
Zebranky



Joined: 04 Jun 2006
Posts: 415

Posted: Sat Oct 18, 2008 6:27

That's not terribly comforting when I'm running a PW, and several other developers say, "hey, there's a major exploit, but we're not going to tell you what it is." Forgive me for not trusting in security through obscurity, but I've seen it defeated (and defeated it myself) too many times to put any faith in it.
Disco



Joined: 06 Dec 2006
Posts: 152

Posted: Sat Oct 18, 2008 10:12

I agree with Zeb, especially if he doesn't even ask you to post it. A player demonstrated it by taking a screenie of my own inventory, which was enough of an incentive to switch on authentication, but I have no clue how he did it. Didn't interest me a lot as I wasn't in charge of that kinda stuff at that moment.
Jambo



Joined: 24 Sep 2008
Posts: 22

Posted: Sat Oct 18, 2008 13:02

Zebranky wrote:
I think Jambo stole my idea of replacing the server password with per-user passwords. :lol:

I admit, I heard it from you first. :D It'd be extremely useful to see, especially if the above exploit is possible or becomes more widespread.
FunkySwerve



Joined: 02 Jun 2005
Posts: 377

Posted: Sat Oct 18, 2008 17:22

Zebranky wrote:
That's not terribly comforting when I'm running a PW, and several other developers say, "hey, there's a major exploit, but we're not going to tell you what it is." Forgive me for not trusting in security through obscurity, but I've seen it defeated (and defeated it myself) too many times to put any faith in it.

No one is asking for your faith. The solution - passwording - has already been offered. And security through obscurity is the only thing that kept a number of crash exploits from being leaked to the community before patch 1.69. In fact, it's protecting ANOTHER such crash exploit as I type this. If you don't know the vulnerability, you can't exploit it, or spread knowledge of it. QED, 'security through obscurity', as you refer to it, works, has served the NWN community well in the past, and continues to do so. VMan and Acaos both know of the vulnerability, and I see no reason anyone else should, since no one has demonstrated greater mastery of the engine than they have. And to the rest of you posting, if you think I'd post it on this forum, which exploiters are known to frequent, I'd like some of what you're smoking, please.

Funky
PlasmaJohn



Joined: 04 Mar 2005
Posts: 70
Location: The Garage

Posted: Sun Oct 19, 2008 16:01

FunkySwerve wrote:
The solution - passwording - has already been offered.

Passwording is a solution and probably the only long term one. But while the Master Server still functions, it has value: rebanning the 'tards means they have to acquire a new set of valid keys. This costs them between US$10-20. I've not seen any return after 3 bans.

Once the MS goes permanently offline, any keygen'ed key will work. Until that time I would prefer that the NWN server's MS query and response functions be hooked so that we can deal with the current situation.
Jambo



Joined: 24 Sep 2008
Posts: 22

Posted: Sat Oct 25, 2008 0:14

Well, before we all veer too far off with different ideas/directions for authentication methods...

What are the possibilities of us getting a plugin for the alternative authentication methods? Being able to hook the authentication methods to allow us to send things to a database rather than an ini file when the master server is down was already established as viable. If there was also a hook added so we can get the actual password someone entered to connect to a server, that would be fantastic too.

Yet more master server issues today proved the need to really have something alternative, be it a way to have a unique server password for every user, tying it to CDKeys as FunkySwerve suggested, or a more efficient way to handle things during MS outage (for the reasons PlasmaJohn mentioned which still make the Master Server of some merit).

Being able to hook a few things regarding this offers every world a degree of flexibility for what suits their needs, though.
All times are GMT + 2 Hours