MOO-cows Mailing List Archive


silent passwords




 ----------
From:  Mike Carns[SMTP:mcarns@crl.com]
Sent:  Saturday, July 20, 1996 4:41 PM
To:  David Channon
Cc:  moo-cows.PARC
Subject:  Re: silent passwords


On Tue, 16 Jul 1996, David Channon wrote:

>
>         We are setting up a small moo for a study in collaborative
>         electronic workplace. It has been requested that we have a password
>         (connection etc) that will not echo/display the password when
>         the user logs in or changes the password. I cannot see how this
>         can be done without client knowledge (a colleague claims it can
>         be done but does not have any details) - Am I missing something?
>

Yes, it CAN be done.
I figured out the basic method with the help of the people at du moo
(moo.du.org).  The system was first developed by Alex Stewart.  I will
only give you the basic layout.  The programming is up to you (that's
what they made ME do).  Anyway... on with the show:

Problem:  Every line that a user types in before login is treated as a
command.  Therefore, we can't just do a read.  Here's where we defeat that:

1) Change connect to accept 1-2 args.  If 2, log the person in normally.
If 1 do the following:
turn echoing off with set_connection_option
add an element to a prop on $login called... let's say... con_waiting.
The list contains the con_waiting is a list of lists (or a 2d array for).
The format is this: {{player#, args[1] (the req name)}, {#, name}...}
quit

2) change the $login:parse_command to check the following:
if the command doesn't match (it won't since it's the password) do this:
if the player # is in the list on $login.con_waiting then:
get the name
take the element off con_waiting
set echoing back on
and return: "connect <namefromconwaiting> <commandtobeparsed>"
if player# isn't in con_waiting return $bogus_command

that'll do it... any further questions can be asked of me directly at:
mcarns@crl.com

Later,
Belgarath (archwiz mvmoo)

  Be careful... not echoing the password can make the player
think that the login process is safer than it really is.
Maybe other people around the player didn't see it but, as with all
FTP or Telnet connections, the password can be taken in 'clear'
by whoever is listening on the same port. Sniffers (programs that
listen on some ports - especially the telnet one - to find passwords,
private mail, etc.) are more current than people think, and
not echoing just gives them a false security mood.

The only way to work around it is with a collaborating client...
This client has to encrypt the password of the user with a
random key received from the server. Then, it sends it to the
server, which compares it with the in-db password encrypted with the
same key. With that, you can have a safer login, not enough for
a top-secret military MOO but more than most of the telnet
connections you make every day :).

Oh yes, I heard about some telnet clients that have this kind of
protocol implemented but don't have time to do some research
about it. If you can't find it, e-mail me... I think I can have
some answer within a week..

Ciao!
 ---------------------------------------------------------------
The contradiction is not that free software are among the best,
   it's that commercial software aren't the best of them.
===============================================================
Fabien Ninoles aka the Baggus Mage aka Baffouille
nightbird@cyberus.ca             +-----------------------------
finger me for my PGP Public Key  | Not knowing where you go
                                 | always lead you to
[space must be fill to register] | a Baggus End...
 ---------------------------------------------------------------
Can be reach too on Ninoles.Fabien@ic.gc.ca until 23/08/96
 ---------------------------------------------------------------
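
The collaborating-client login described in the reply above, sketched in Python as an added example that is not part of the original thread or of any MOO server. It substitutes HMAC-SHA256 over a server nonce for "encrypting with a random key"; the class, function and field names are hypothetical, and the stored value is assumed to be a salted PBKDF2 derivation of the password.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def derive(password: str, salt: bytes) -> bytes:
    """Value stored in the db. It is password-equivalent: protect it like one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    salt = secrets.token_bytes(16)
    return salt, derive(password, salt)


class Server:
    def __init__(self, db):
        self.db = db                       # name -> (salt, stored value)
        self.pending = {}                  # connection id -> (name, nonce)
        self.fake_salt_key = secrets.token_bytes(32)

    def challenge(self, conn, name):
        """Step 1: send a fresh random key (nonce) and the account's salt."""
        nonce = secrets.token_bytes(32)
        self.pending[conn] = (name, nonce)
        if name in self.db:
            return self.db[name][0], nonce
        # Unknown name: return a stable decoy salt so the reply looks the same.
        decoy = hmac.new(self.fake_salt_key, name.encode(), hashlib.sha256)
        return decoy.digest()[:16], nonce

    def verify(self, conn, response: bytes) -> bool:
        """Step 2: recompute from the in-db value and compare in constant time."""
        name, nonce = self.pending.pop(conn, (None, b""))  # nonce is single-use
        if name not in self.db:
            return False
        expected = hmac.new(self.db[name][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: only this keyed digest crosses the wire, never the password."""
    return hmac.new(derive(password, salt), nonce, hashlib.sha256).digest()
```

A listener on the connection sees the salt, the nonce and the digest; resending a recorded digest fails because each nonce is consumed on first use and a new challenge carries a new nonce.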







