Patch: password protected servers


Postby mpo » Wed Mar 11, 2009 1:35 am

I've put a patch for darkplaces in the tracker that adds the ability to have password protected servers:

http://sourceforge.net/tracker/index.php?func=detail&aid=2680922&group_id=81584&atid=563409

I haven't spent much time on this, so it's probably a bit rough around the edges, but the patch should give you the general idea, which is to have something along the lines of rcon_password. I have some QC code for the GUI, but it is not compatible with the join dialog in SVN. With the darkplaces modifications above, it should be possible to have a dialog box prompting for a password pop up when one is set on the server.

Are the net code modifications appropriate? Is there any interest in this feature?
mpo
Newbie
 
Posts: 3
Joined: Tue Mar 10, 2009 11:09 pm

Postby divVerent » Wed Mar 11, 2009 6:50 am

Personally, I have absolutely no interest in this feature, as it's really not a good idea to do this in an open source game.

But as sv_public is forced 0, its harm should be limited.

I told you to fix the sv_public handling a bit, and I'll ask LordHavoc if he wants that feature in the engine.

Some other thing to consider: join_password is a cvar. This should rather be a second argument to the "connect" command, and only be used once. Also, the engine should catch the error message when trying to join a password protected server without password, and issue some fixed console command (so menu QC can, for example, catch it and show a password dialog). If it stays the current way, a server can easily be modified to catch the password of everyone that joins, if they forgot to unset it after joining a private server.

This would easily be fixed by using the join_password cvar only for the server (to check if someone is allowed to join), and by using an extra char joinpassword[SOMELENGTH] in the client static structure "cls". The "connect" command would copy its second argument into this, so connecting can use it. You'll need special care for the listen server then (e.g. you could always allow connections from the LOOPBACK netconnection, which should be easier to do than to make sure to send the right password over loopback).

But, apart from this issue, you're taking the right approach to implement this.
1. Open Notepad
2. Paste: ÿþMSMSMS
3. Save
4. Open the file in Notepad again

You can vary the number of "MS", so you can clearly see it's MS which is causing it.
divVerent
Site admin and keyboard killer
 
Posts: 3809
Joined: Thu Mar 02, 2006 4:46 pm
Location: BRLOGENSHFEGLE
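
An added example, not part of the thread or of the darkplaces patch, sketching the design divVerent describes: the password lives in a one-shot client buffer filled by "connect", the server-side value is only used for checking, and loopback is always admitted. All function names, the `cls` slice and the connect request string are hypothetical stand-ins, not the engine's real code or wire format.

```c
#include <stdio.h>
#include <string.h>

#define JOINPASSWORD_MAX 64            /* stands in for SOMELENGTH */

/* Hypothetical slice of the client static structure "cls". */
static struct { char joinpassword[JOINPASSWORD_MAX]; } cls;
/* Server-side value only; the client never reads it when connecting. */
static char sv_join_password[JOINPASSWORD_MAX];

void SV_SetJoinPassword(const char *pw)
{
    memset(sv_join_password, 0, sizeof sv_join_password);
    snprintf(sv_join_password, sizeof sv_join_password, "%s", pw);
}

/* "connect <host> [password]": the second argument replaces any old value. */
void CL_Connect_f(int argc, const char **argv)
{
    memset(cls.joinpassword, 0, sizeof cls.joinpassword);
    if (argc > 2)
        snprintf(cls.joinpassword, sizeof cls.joinpassword, "%s", argv[2]);
}

/* Builds the (constructed) connect request, then wipes the password so a
   later connect to a different server cannot send it again. */
int CL_BuildConnectRequest(char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "connect\\password\\%s", cls.joinpassword);
    memset(cls.joinpassword, 0, sizeof cls.joinpassword);
    return n > 0 && (size_t)n < outlen;
}

/* Server check: loopback (the listen server's own client) always passes. */
int SV_CheckJoinPassword(const char *offered, int is_loopback)
{
    char buf[JOINPASSWORD_MAX] = {0};
    unsigned char diff = 0;
    size_t i;

    if (is_loopback || sv_join_password[0] == '\0')
        return 1;
    if (offered == NULL || strlen(offered) >= sizeof buf)
        return 0;
    memcpy(buf, offered, strlen(offered));
    for (i = 0; i < sizeof buf; i++)   /* compare whole buffer, no early exit */
        diff |= (unsigned char)(buf[i] ^ sv_join_password[i]);
    return diff == 0;
}
```
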

Postby tundramagi » Fri Mar 13, 2009 1:26 am

What is the point without full end-to-end encryption? Someone like me would gain access to a router near the last hop, and use ettercap with a gre tunnel to sniff the passwords off the line. Another thing a person like me might do would be to gain access to an unsecured computer on the same segment as the server and run an instance of ettercap on that computer to MitM "attack" the server and have it send all the data through the poisoning host (thus getting the passwords).

Now, if there was mere password-encryption a person like me's attack would be slightly more cumbersome: ettercap would be used to hijack an existing login.

After that surely a person like me would spam copy-pasta on the server, or just come on and REALLY piss you off by PLAYING A GAME!

What's your opinion of telnet btw?
tundramagi
Forum addon
 
Posts: 974
Joined: Sun Jan 04, 2009 4:53 pm

Postby GreEn`mArine » Fri Mar 13, 2009 8:54 am

tundramagi wrote:What is the point without full end-to-end encryption? Someone like me would gain access to a router near the last hop, and use ettercap with a gre tunnel to sniff the passwords off the line. Another thing a person like me might do would be to gain access to an unsecured computer on the same segment as the server and run an instance of ettercap on that computer to MitM "attack" the server and have it send all the data through the poisoning host (thus getting the passwords).

Now, if there was mere password-encryption a person like me's attack would be slightly more cumbersome: ettercap would be used to hijack an existing login.

After that surely a person like me would spam copy-pasta on the server, or just come on and REALLY piss you off by PLAYING A GAME!

What's your opinion of telnet btw?

I see, you watched Hackers 1, 2 and 3 last night :D ?
IRC quote:
[kojn] I've been coming a bit more recently
[kojn] she took it the dirty way
GreEn`mArine
Forum addon
 
Posts: 1509
Joined: Tue Feb 28, 2006 9:33 pm
Location: Germany

Postby mand1nga » Fri Mar 13, 2009 1:02 pm

tundramagi wrote:
What's your opinion of telnet btw?


We only need Darkplaces to be able to make ASCII output (like aalib), then we should be able to play Nexuiz over telnet, sshd or whenever people LIKE YOU get a remote shell :)
mand1nga
Alien trapper
 
Posts: 321
Joined: Mon May 12, 2008 12:19 am

Postby GreEn`mArine » Fri Mar 13, 2009 7:36 pm

I suggest that we make Nexuiz round-based then for better gameplay experience :D
IRC quote:
[kojn] I've been coming a bit more recently
[kojn] she took it the dirty way
GreEn`mArine
Forum addon
 
Posts: 1509
Joined: Tue Feb 28, 2006 9:33 pm
Location: Germany

Postby tundramagi » Sun Mar 15, 2009 5:19 am

GreEn`mArine wrote:I see, you watched Hackers 1, 2 and 3 last night :D ?


Hehheh, no I've just used ettercap a couple of times for... stuff.
tundramagi
Forum addon
 
Posts: 974
Joined: Sun Jan 04, 2009 4:53 pm

Postby Alien » Sun Mar 15, 2009 8:10 am

Firstly, how would you gain access to the router/server? Break into the ISP building/anyone's house? I doubt it.
Sniff wireless or tap wires, maybe. But you would need this person's location then.

This is just a game server account.

I'm up for implementing passwords. Having an ability does not mean everyone should/would use it. The most important thing is that it would allow for better player stats tracking.
Alien
Forum addon
 
Posts: 1212
Joined: Tue Apr 22, 2008 7:12 am

Postby mpo » Sun Mar 15, 2009 11:05 am

They're per-server passwords, not user passwords, and I think tundramagi was kidding. Any shared password can be leaked out, as can the IP address of your 'private' server. That's why I think this has benefits over just setting sv_public to less than one. This has sunk to the bottom of my list of priorities for the moment, since I'm not certain there are enough people to support widespread use of it.
mpo
Newbie
 
Posts: 3
Joined: Tue Mar 10, 2009 11:09 pm

Postby tundramagi » Sun Mar 15, 2009 1:30 pm

Alien wrote:Firstly, how would you gain access to the router/server? Break into the ISP building/anyone's house? I doubt it.
Sniff wireless or tap wires, maybe. But you would need this person's location then.

This is just a game server account.

I'm up for implementing passwords. Having an ability does not mean everyone should/would use it. The most important thing is that it would allow for better player stats tracking.


Default passwords, exploit scripts etc. You already know what router the person's traffic goes through with a traceroute (also: you only need a computer on the same subnet as them, you don't need to have gained access to the router itself if one of the 100 or 200 (or more) of the other computers is an easier target). Go play with ettercap.sf.net (it's open source) on your local subnet (or apt-get install ettercap). It's been around for a long time. You will discover that you don't need to break into someone's house to watch their traffic.

So, yeah, passwords without full encryption...
tundramagi
Forum addon
 
Posts: 974
Joined: Sun Jan 04, 2009 4:53 pm
