Network Authentication Handler

Johnny Joy
Member
Posts: 56
Joined: Fri Sep 05, 2014 20:26
GitHub: johnnyjoy
In-game: jjb

Network Authentication Handler

by Johnny Joy » Post

I had hoped to create a simple and secure system for centralizing account information, that would be accessible from multiple MT servers and that would also prevent the same user from being logged into multiple servers at the same time.

I had planned on setting up a web based service that an authentication handler mod would connect to, to register players and authenticate them. I also planned on having the players use the same username/password on a web site as well, where they could perform other actions, such as creating their account, changing their password, and password recovery. Basically the simple idea of having a common account across many MT servers and a web server as well.

I had hoped to set up a series of 10 different MT servers with related worlds that would have different flavors, requiring players to complete tasks on various servers to gain rare items that otherwise could not be obtained. I had planned on having their personal inventories synchronized across the servers. This would allow them to collect items from different worlds and craft items from them.

I have been working with the most recent code to ensure that mod code will work with the upcoming major version. However, I have found that from lua there is no access to the unencrypted form of the password, or to an encrypted form of the password that would easily be compatible with something like wordpress, drupal, or other services. While much of the world has moved to using some kind of single sign on, it escapes me how SRP will allow this.

I'm hoping that this can be done seamlessly to the user, and that someone reading this might have the answer, or a better idea to solve the problem of requiring multiple username/password pairs.

My original plan was to house the user and hash in a database (SQL or LDAP) and use SAML for the web side and a custom service for the authentication mod. The only alternative I can think of would require the user to have 2 different passwords, since MT password hashes can be shared between servers, but can't be shared with most other services.

Thanks for any help. Take care.

Festus1965
Member
Posts: 4181
Joined: Sun Jan 03, 2016 11:58
GitHub: Festus1965
In-game: Festus1965 Thomas Thailand Explorer
Location: Thailand ChiangMai

Re: Network Authentication Handler

by Festus1965 » Post

nice, we had this discussion already, in German ...
see Idee: Webdienst für Benutzerverwaltung

there are already several users who use the same name, like "Thomas" or "thomas"; how will that get handled then?

what is wrong if I am sometimes connected to 2 servers/worlds at the same time?
(Mostly I stay on my world, as responsible admin/moderator - but I also want to visit up to 3 different worlds ... short to great, check out)

would the registration also be tied to the IP the gamer is coming from?
Human has no future (climate change)
If urgent, you find me in Roblox (as CNXThomas)

Johnny Joy
Member
Posts: 56
Joined: Fri Sep 05, 2014 20:26
GitHub: johnnyjoy
In-game: jjb

Re: Network Authentication Handler

by Johnny Joy » Post

Thanks for the reply. I'll try to answer your questions. I'm sorry I was not more clear before.

What is wrong with being logged into 2 of the connected worlds at the same time?

If personal inventories, such as inventory, armor, and bags are shared between the servers, having both servers try to write to them at the same time would cause items to be overwritten and basically make inventories useless. Visiting the connected worlds one at a time would work perfectly. This is meant to simulate the same character moving from distinct world to distinct world.

What happens if different players register with the same name on different servers?

This would not be possible, since there would effectively be a single auth database between them, the same way you can't have duplicate usernames for Gmail and Google. They use the same auth database where only one person can use the login of "Thomas". I was also planning on having all accounts created via a sign up web site.

The more control over the MT game engine that is accessible via lua the more possibilities there are for MT. As great as SRP is, it seems to stand right in the way of implementing a single sign on strategy and a world of other possibilities. It also might just be overkill for a game like MT as well. But, here we are.

The solution I see at this point is to have players create an account on any one of the connected MT servers, which would create an account on all of them, and then have them log in a second time once they're in the game via a mod which would check their name/password against an account used by the web site. MT player accounts not linked to a web site account would be deleted after logout. This would ensure that each user had an account on the web site as well and that it was linked to their MT account for the connected worlds. It's damned ugly and I would like to avoid that, but there appears to be little alternative.

The alternative is just to create a custom version of the client and server which would have a more modular authentication system which would allow MT servers to leverage various auth services that exist, such as AD, SAML, oauth, ldap, etc, via lua scripting. However that would take loads of time and after doing the work and testing it's most likely the pull request would be rejected since core devs do not often agree about that level of change suddenly.

I'm just hoping that somebody might have more insight and might know of a simple way to implement single sign on that leverages an existing database of users. It's just utterly ridiculous to ask players to create 2 different accounts, one for the game, and a second for the web site.

Thanks.

Festus1965
Member
Posts: 4181
Joined: Sun Jan 03, 2016 11:58
GitHub: Festus1965
In-game: Festus1965 Thomas Thailand Explorer
Location: Thailand ChiangMai

Re: Network Authentication Handler

by Festus1965 » Post

Johnny Joy wrote:...
If personal inventories, such as inventory, armor, and bags are shared between the servers, having both server try to write to them at the same time would have items to be overwritten and basically make inventories useless. Visiting the connected worlds one at a time would work perfectly. This is meant to simulate the same character moving from distinct world to distinct world.
Oh, I use different boxed clients, sometimes 8 on my computer; I would be able to be in about 16 servers at the same time with the same name. The inventory is no problem, as they are different boxed clients.
So the way I do it, that would not be a problem - hmmm

The name thing is a problem, if that would come up like ..., we will see.

Johnny Joy
Member
Posts: 56
Joined: Fri Sep 05, 2014 20:26
GitHub: johnnyjoy
In-game: jjb

Re: Network Authentication Handler

by Johnny Joy » Post

Well, the inventory and player information is not a challenge, since I have easier access to that in 0.5.0 through lua with minimal coding. It's the inflexibility of MT's auth system that uses SRP. Maybe I'm missing something, but it does not appear to be able to interface with any other authentication system. Here is one example.

Where I live the schools don't have much money, but they have some old computers and they allow the students to use MT on the school network. The schools in the area are all networked together and have an LDAP directory running on Linux, much like Active Directory. The LDAP directory contains account information such as their login and password. It would be beyond amazing if schools could simply connect to their directory server and run one or more MT servers that automatically had accounts for all the students.

Is something like that possible now?

texmex
Member
Posts: 1753
Joined: Mon Jul 11, 2016 21:08
GitHub: tacotexmex
In-game: tacotexmex

Re: Network Authentication Handler

by texmex » Post

I'm also interested in an LDAP solution!

Johnny Joy
Member
Posts: 56
Joined: Fri Sep 05, 2014 20:26
GitHub: johnnyjoy
In-game: jjb

Re: Network Authentication Handler

by Johnny Joy » Post

I think this might be possible, but not right away. It's going to take time. Time I'm not sure I have.

Johnny Joy
Member
Posts: 56
Joined: Fri Sep 05, 2014 20:26
GitHub: johnnyjoy
In-game: jjb

Re: Network Authentication Handler

by Johnny Joy » Post

I was going into this blind, but after a few days I'm a good deal more educated. The big problem is performance with all the many packets that must be exchanged between the game client and server across the net, and it's related to security. Unlike web pages, which use SSL, games cannot. Web pages transmit a large amount of data all at once, and encrypting that is not that expensive. Games, however, exchange a ton of packets updating conditions within the game all the time. SSL or DTLS (UDP SSL) would be far too costly. This is where the security comes in. Without SSL, anyone who would listen in on your network connection, from the client all the way to the server, would be able to "see" the encrypted password, and attempt to discover the password from that. Without SSL the best method of keeping the password secret is to use the Secure Remote Password Protocol (SRP). SRP is amazing. I will spare you the details here, but it avoids transmitting the actual password hash. This means the hash cannot be compared to other databases, like an LDAP database, etc. It isn't possible to use an existing set of users in Active Directory or from a Wordpress or Drupal site. In fact, from what I can tell, the SRP hash in the auth.txt is not even compatible with other implementations of SRP without some changes.

What it looks like is that Minetest suffers from a simple incompatibility that is completely justified by its amazing attention to security.

What I see as a possible solution would be to have the Minetest server be able to present the game client with an optional form of security other than SRP configured on the server.

Imagine that after the client connected, the server explained that the client would need to auth using ldaps against a specific server, and waited until this was done, with a timeout of course. The server could look at the ldap server for the last login time or for a specific token. I really haven't gone too far into that part. I'd like to do more research first. But, it's possible.

What I find more likely is the use of a web server, since Minetest often has curl. There could be a service using a web server that could authenticate people much in the way that Minecraft does. That service could easily connect to a number of different possible backends to verify passwords. I find this option to be the most likely one, and it's the one I'm working on right now. Once complete it would even be possible to use this forum's user database on an MT server or servers, if I'm successful.

Sorry, there is no simple mod remedy for this problem.
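To make the point in the post above concrete, here is an added illustration (not Minetest's code, and not claiming Minetest's exact group, hash or byte layout) of an SRP-6a registration and login: the server stores only a salt and a verifier v, the password never crosses the wire, and v is a one-way value derived from the password rather than a reusable password hash, which is why it cannot be matched against an LDAP or web-site hash. The group parameters are the 1024-bit group from RFC 5054; SHA-256 is assumed as the hash.

```python
# Minimal SRP-6a exchange (RFC 5054 style) as an illustration for this thread.
# Added example, not Minetest's implementation; hash and byte layout are assumptions.
import hashlib
import secrets

# 1024-bit safe prime and generator 2 from RFC 5054, Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as a big integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, so hashes are unambiguous."""
    return n.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter

def private_x(name: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(name ':' password)); only the client can compute it."""
    return H(salt, hashlib.sha256(f"{name}:{password}".encode()).digest())

def make_verifier(name: str, password: str, salt: bytes) -> int:
    """Registration: the server keeps only (salt, v); it never sees the password."""
    return pow(g, private_x(name, password, salt), N)

def srp_login(name: str, password: str, salt: bytes, v: int) -> bool:
    """One login. Client sends A; server answers with (salt, B). Neither the
    password nor v is transmitted. True if both sides derive the same key."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral
    A = pow(g, a, N)                          # client -> server
    b = secrets.randbelow(N - 2) + 1          # server ephemeral
    B = (k * v + pow(g, b, N)) % N            # server -> client
    u = H(pad(A), pad(B))                     # scrambling parameter, both sides
    # Client: rebuilds x from the password it holds.
    x = private_x(name, password, salt)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: uses only the stored verifier.
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(s_client)).digest() == hashlib.sha256(pad(s_server)).digest()
```

Both sides agree only when the client used the password that produced v; a wrong password yields a different x and the session keys diverge.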

BrandonReese
Member
Posts: 839
Joined: Wed Sep 12, 2012 00:44
GitHub: bremaweb
IRC: BrandonReese
In-game: BrandonReese
Location: USA

Re: Network Authentication Handler

by BrandonReese » Post

I'm doing a web-based registration and authentication on voxeladventures.com. The basic gist is that minetest downloads a new auth.txt file every 5 minutes. It doesn't use SRP; it uses the old authentication method (SRP confuses the heck out of me). Of course I've been out of the loop for a year or longer, so I don't know what all has changed in the latest versions.
