Wiki about BZAuthd

Posted: Sat Jan 05, 2019 8:49 pm
by trpted

* Issue one *
The callsign and password are sent in clear text form to the list server and this is a risk to the users' privacy since they may use those passwords elsewhere. The auth daemon would use a public key cryptography algorithm called RSA that would effectively solve this problem. The only way to register at the moment is at the forums. The daemon would allow users to register through a secure, RSA encrypted channel from inside the game.
That is great and wonderful, what you are planning to do for the future. :)

But there is an issue. Users should never use the same passwords everywhere they go.

Tell the users to stop doing that. The password for BZFLAG and its forum should not be used anywhere else.

* Issue two *
Should or can the Karma server and LDAP server be one and the same?

PROVIDES: easier maintenance, both autonomously and manually
PROVIDES: easier ability for maintaining a consistent data state (no fuzzy syncing issues – it either is or isn't synced with replicants)
PROBLEMATIC: multiple areas of entry for possible abuse (unless replicants are hosted on 'trusted' systems, as far as that can be determined.)
PROBLEMATIC issue, no matter what you do (Karma server and LDAP server on the same server or not, for example): I have read/heard
If it is made by human hands, it can be broken by human hands.

Posted: Sat Jan 05, 2019 10:25 pm
by blast
It's not clear what you're pointing out as issues. We're not going to be using a BZAuthd and will continue to use web-based tech. And since 2.4.4 we've been using HTTPS communication to the list server and forums.

Posted: Sat Jan 05, 2019 11:06 pm
by tainn
Regarding the argument of specifically pointing out on the account creation page that people should not use the same passwords across multiple websites, I think that's quite redundant at this point.

This matter is already voiced on so many websites and is such common sense that it might seem like unnecessary guided clutter rather than anything else.

I'm quite indifferent about it, but seeing what kind of community bzflag is and what kind of new users it receives, I think the people don't generally have to be shown what steps to take to ensure basic security.

Not to shoot down the idea, I think it is presented in good faith, but this community really is of the type where each individual is expected to take care of at least their own basics without additional guidance.

Posted: Sun Jan 06, 2019 3:30 am
by Zehra
That is great and wonderful, what you are planning to do for the future. :)
Within the List Server questions thread, it was mentioned that BZAuthd had not been updated, and if I'm not mistaken, the code itself has not been touched since 2009. (Meaning that no updates were made to it after that point.)
Personally, I wouldn't recommend using the Wiki to search for the 'latest' development ideas as the Wiki is mostly outdated.
If you are interested in the latest development ideas, I would recommend asking within the forums or IRC.