Explore use of passwords, player keys, roles, and command verification #2

Open
oubiwann opened this issue Sep 15, 2018 · 0 comments
oubiwann commented Sep 15, 2018

Notes:

  • Creation process:
    • User connects via SSL Telnet
    • User enters the registration shell and selects the create option
    • User provides email and new password
    • User is sent an email with a verification code
    • User confirms verification code in SSL Telnet session
    • Secret player key is displayed to user and they are instructed to save it
  • Re-generate process:
    • User connects via SSL Telnet
    • User enters the registration shell and selects the regen option
    • User provides email and new password
    • User is sent an email with a verification code
    • User confirms verification code in SSL Telnet session
    • Secret player key is displayed to user and they are instructed to save it
  • Logging in:
    • User provides password used when registering
    • User may optionally provide player key when connecting to a game with a particular player, but they may only do so if connected to the server via SSL Telnet
    • If Telnet was used instead, switching to shells with elevated permissions will not be possible
  • Shells with elevated permissions:
    • If player key was not provided when connecting to game:
      • admin aliases to admin shell will not work
      • player will have to explicitly switch to the admin subshell, providing the player key when doing so
    • If a player key was provided:
      • admin aliases to admin shell will work
      • optionally, a player may explicitly switch to the admin subshell without having to provide the player key
  • Verification:
    • All commands passed in elevated modes will be verified using the player key
    • The user will submit a command
    • The user's session will be examined for the player key and the command will be signed
    • The command will be sent to the command processor with the user's name
    • The command processor will perform a lookup of the player key and the granted roles for the given user name
    • The command processor will sign the passed command with the key found when looking up the user
    • The command processor will compare the signature it generated and the signature passed by the user and proceed only if they match
  • Should only be transmitted over an encrypted connection
@oubiwann changed the title from "Support the generation of API keys" to "Explore use of passwords, player keys, roles, and command verification" on Sep 15, 2018
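The verification flow in the notes above, sketched as an added example (not code from this issue or from the project). It assumes "signing" means HMAC-SHA256 keyed with the player key and that the user name is bound into the signed message; `PLAYER_DB`, `sign_in_session` and `verify_command` are hypothetical names, and the keys and roles are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: user name -> (player key, granted roles).
PLAYER_DB = {
    "alice": (secrets.token_bytes(32), frozenset({"admin"})),
    "bob": (secrets.token_bytes(32), frozenset({"player"})),
}


def _mac(key: bytes, user: str, command: str) -> bytes:
    # Assumption: bind the user name into the signed message, length-prefixed
    # so that different (user, command) pairs cannot encode to the same bytes.
    u = user.encode()
    msg = len(u).to_bytes(2, "big") + u + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_in_session(session: dict, command: str):
    """Session side: sign the command with the player key held in the session."""
    key = session.get("player_key")
    if key is None:
        # No player key in the session: an elevated command cannot be signed.
        return None
    return session["user"], command, _mac(key, session["user"], command)


def verify_command(user: str, command: str, signature: bytes):
    """Processor side: look up key and roles by user name, re-sign, compare.

    Returns the granted roles when the signatures match, None otherwise.
    """
    record = PLAYER_DB.get(user)
    if record is None:
        return None
    key, roles = record
    expected = _mac(key, user, command)
    # Constant-time comparison avoids leaking how many bytes matched.
    return roles if hmac.compare_digest(expected, signature) else None
```

A matching signature only shows that the sender holds the player key for that user name; the caller still has to check the returned roles against what the command requires.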