[Home] [Downloads] [Search] [Help/forum]

Gammon Software Solutions forum

See www.mushclient.com/spam for dealing with forum spam. Please read the MUSHclient FAQ!

[Folder]  Entire forum
-> [Folder]  SMAUG
. -> [Folder]  SMAUG coding
. . -> [Subject]  Unsettling problem with DBSC2.5.2... password issues
Home  |  Users  |  Search  |  FAQ
Username:
Register forum user name
Password:
Forgotten password?
(New message)
Subject: Unsettling problem with DBSC2.5.2... password issues
Name:
Your forum user name.
Register forum user name
Password:
Your forum password.
Forgotten password?
Message:
Message to be posted (in English, please).
Forum codes:
Check this if your message uses 'forum codes' or templates (auto-detected for new posts).
Forum codes Templates

Save this message ...

Subject review (reverse sequence)

Posted by Volk   (5 posts)  [Biography] bio
Date Tue 13 Mar 2007 04:04 AM (UTC)  quote  ]
Message
Possibly, I haven't seen or spokent to him for a while now.. We ended up putting in sha-256 ourselves anyway, it's not too hard.

Probably the best bet is if your pfiles are all unencrypted now anyway, just remove the code and set up the sha-256 snippet?
[Go to top] top
Posted by Samson   USA  (683 posts)  [Biography] bio
Date Thu 08 Mar 2007 04:50 PM (UTC)  quote  ]
Message
All I know is the excerpt I posted earlier came from the copy of 2.5 I have lying about and uploaded to MudBytes. Maybe Goku converted to sha256 before shutting down?
SmaugMuds.org: http://www.smaugmuds.org - The Smaug MUDs Community Center

"The past was erased, the erasure was forgotten, the lie became truth." -- George Orwell, 1984
[Go to top] top
Posted by Volk   (5 posts)  [Biography] bio
Date Thu 08 Mar 2007 10:47 AM (UTC)  quote  ]
Message
I know this is a month old or so, but i'm pretty sure Goku as of DBSC 2.5 was using MD5 for encryption. :)
[Go to top] top
Posted by Samson   USA  (683 posts)  [Biography] bio
Date Fri 19 Jan 2007 03:16 PM (UTC)  quote  ]
Message
Goku may have added the sha_256 stuff to the DBSC code. Either way, someone did, cause all I did was upload the copy I had sitting around over to MudBytes.

Anyway, if you can go into act_info.c, look for the do_password function, and post what you have there. Then find the affected pfile, and post the password line so we can see it. However, if the password is *NOT* encrypted, please don't post it.

This will tell us what needs to be done to fix it. You may have a conflict between encryption types for some reason. The SHA256 password encryption code works regardless of the platform you're on.
SmaugMuds.org: http://www.smaugmuds.org - The Smaug MUDs Community Center

"The past was erased, the erasure was forgotten, the lie became truth." -- George Orwell, 1984
[Go to top] top
Posted by David Haley   USA  (3,881 posts)  [Biography] bio   Moderator
Date Fri 19 Jan 2007 07:53 AM (UTC)  quote  ]
Message
Well, hey, putting restrictions on your coders is kind of like hiding your address from the guy who knows where your house is and has your keys. Or like restricting commands to level 65 when the guy with shell access can set their trust to 65 through the shell anyhow, or worse yet, prevent all of their commands from being logged in the first place. Somebody with shell access is basically supergod as far as the MUD is concerned.

What I'd be more concerned about is that many people use the same passwords all over the place, and so if you got a MUD password, you might also have e.g. an email account password.

One thing you could do is to store the passwords with an easy and reversible encryption (such as shifting all letters three places). It would prevent accidental viewing of passwords (sometimes I need to open up pfiles to fix them manually) and let you retrieve passwords in case you need to for some reason.

However, I'm still fairly concerned about your original problem: somehow the passwords are going 'wrong', you say, becoming something different. Well, that means they aren't being saved correctly, and that could mean that even using plain-text passwords, they will occasionally get changed around.

Maybe Samson knows something about this (it might be something SMAUGfuss has dealt with) since he posted that code snippet.
David Haley aka Ksilyan
Head Programmer,
Legends of the Darkstone

http://david.the-haleys.org
[Go to top] top
Posted by Aqueus   USA  (47 posts)  [Biography] bio
Date Fri 19 Jan 2007 07:23 AM (UTC)  quote  ]
Message
Ouch, ok, I'll see about turning off encrypting, but it'd be nice to encrypt it some way so that my coders couldn't see every players (including my) password. Not to say that I dont' trust them, but if a player pushes their buttons they might be inclined to make that player do stupid things.

On the other hand, we'd see their IP, so we'd know it was them. Ok, whatever - away I go!

Thank you all.

Also: Samson is right. That's the message I get when I try to change my passwords.
[Go to top] top
Posted by David Haley   USA  (3,881 posts)  [Biography] bio   Moderator
Date Fri 19 Jan 2007 07:14 AM (UTC)  quote  ]
Message
It's quite easy to turn off the encryption of passwords. You just have to find the places where it encrypts passwords using crypt, and get rid of the crypt calls. In fact, there might even be a flag in the makefile, NOCRYPT or something like that, that will #define crypt(foo) to be simply foo.

However you cannot decrypt the passwords since they aren't technically speaking actually encrypted; they're hashed. The way it works is that you check the password by hashing it (which gives you essentially a numeric value) and comparing that against the stored hash. So it's a one-way encryption, if you will, that only serves to verify that whatever was entered hashes to what we expect it to hash to.

A good hashing is one that will minimize collision, i.e. two different strings yielding the same value. An interesting feature of crypt is that it only considers the first 8 letters of a string, so that the passwords thisisapassword and thisisapasswordtoohaha are equivalent as far as crypt is concerned. (That's why some people have moved to more modern functions, such as Samson's example with the sha256 algorithm.)
David Haley aka Ksilyan
Head Programmer,
Legends of the Darkstone

http://david.the-haleys.org
[Go to top] top
Posted by Zeno   USA  (2,867 posts)  [Biography] bio   Moderator
Date Fri 19 Jan 2007 06:05 AM (UTC)  quote  ]
Message
It's different in DBSC, you get the "Wrong password, wait 10 seconds" message I think.
Zeno McDohl,
Owner of Bleached InuYasha Galaxy
http://www.biyg.org
[Go to top] top
Posted by Samson   USA  (683 posts)  [Biography] bio
Date Fri 19 Jan 2007 05:56 AM (UTC)  quote  ]
Message
/* This should stop all the mistyped password problems --Shaddai */
if( str_cmp( sha256_crypt( arg1 ), ch->pcdata->pwd ) )
{
send_to_char("Old password is incorrect, try again.\n\r", ch );
return ;
}

Is that the message you see?
SmaugMuds.org: http://www.smaugmuds.org - The Smaug MUDs Community Center

"The past was erased, the erasure was forgotten, the lie became truth." -- George Orwell, 1984
[Go to top] top
Posted by Zeno   USA  (2,867 posts)  [Biography] bio   Moderator
Date Fri 19 Jan 2007 05:49 AM (UTC)  quote  ]
Message
I didn't think of this before, but compare the code for the ifcheck in the password login and the ifcheck with the delete code.
Zeno McDohl,
Owner of Bleached InuYasha Galaxy
http://www.biyg.org
[Go to top] top
Posted by Aqueus   USA  (47 posts)  [Biography] bio
Date Fri 19 Jan 2007 05:45 AM (UTC)  quote  ]
Message
We just got DBSC running a few days ago, we've been poking around in the code, changing the message that prints out here, the color of something there, so I don't think we're responsible, but we randomly have a crash where all the passwords become 'wrong'. Every person's password becomes something different.

Has this ever happened to anyone else?

When looking at the player files, I get that the password is encrypted, is there any method of decrypting it? Or, god-forbid turning off encrypting of passwords, since I think that's the problem...

Can anyone think of a workaround? Whenever a player is created they can save just fine, but if they try and change their password they get the 'wrong original password' message. So I can't just save a character and up his level (to godset someone's password...)

I'm desperate. REALLY desperate. So desperate that I've considered commenting out the code that tries to verify that your password is correct. Please, someone heeeelp. =(
[Go to top] top

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).

To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.

2,750 views.

[Reply to this subject]  Reply to this subject   [New subject]  Start a new subject   [Refresh] Refresh page

Go to topic:           Search the forum

[Go to top] top

[Home]

Written by Nick Gammon - 5K

Comments to: Gammon Software support
[RH click to get RSS URL] Forum RSS feed ( http://www.gammon.com.au/rss/forum.xml )

[Best viewed with any browser - 2K]    [Internet Contents Rating Association (ICRA) - 2K]    [Web site powered by FutureQuest.Net]