PHP Account Creation

Discussions About MOSS (Myst Online Server Software)

Moderators: a'moaca', rarified

MercAngel
Member
Posts: 31
Joined: Tue Apr 19, 2011 8:55 pm

Re: PHP Account Creation

Post by MercAngel »

OK, I am way lost now. I can create an account and it works fine; another user just created an account and got in OK.
MercAngel
Member
Posts: 31
Joined: Tue Apr 19, 2011 8:55 pm

Re: PHP Account Creation

Post by MercAngel »

Are there any rules on chars used in the password? I saw nothing about that.
a'moaca'
Member
Posts: 163
Joined: Sat Dec 13, 2008 11:22 pm

Re: PHP Account Creation

Post by a'moaca' »

Okay, I just posted something, but it was missing something. I will try again in a few minutes.
JWPlatt
Member
Posts: 1137
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: PHP Account Creation

Post by JWPlatt »

I use very strong passwords for things. Is there a limitation? MercAngel gave us a test account with a very simple password and I can use that fine.
Perfect speed is being there.
branan
Member
Posts: 84
Joined: Wed Apr 06, 2011 11:35 pm

Re: PHP Account Creation

Post by branan »

a'moaca' wrote: Okay, I just posted something, but it was missing something. I will try again in a few minutes.
DirtSand probably assumes the SHA-1 in the database contains the username when required. Not that the current account-adding code handles that correctly - it just stashes the password SHA-1. It's unlikely email usernames have ever actually been tested in DS, to be entirely honest. I'll fix the account add function anyway, though.

I'll be editing my original post to contain the correct info about email hashes, just for the sake of having it be correct.

EDIT: oh, wait, now I remember why it does the SHA-0 second. That SHA-0 includes the client and server challenges, so it must be done at runtime.
Last edited by branan on Tue May 03, 2011 11:09 pm, edited 1 time in total.
a'moaca'
Member
Posts: 163
Joined: Sat Dec 13, 2008 11:22 pm

Re: PHP Account Creation

Post by a'moaca' »

branan wrote: I just saw that the script is using the MOSS tool for this, so I'm going to assume that was written correctly. I'll post this anyway for the sake of it being relevant information to account management.
Well, it is relevant information, except for the part about it being wrong. :(

It is interesting to know there are other special accounts like @gametap -- we did not think to test that one. Direct from MOSS's documentation, I have:


- Usernames of the format "x@x.x" where x is one or more characters, called
  here "email-address usernames", use an algorithm with SHA on the password
  concatenated with the username. The strings are widestrings, and the last
  character of both the password and username is replaced with nul. The
  "compute_auth_hash" program will generate the correct hash for you.
- Usernames not of the format "x@x.x" instead simply use a SHA-1 hash of the
  password. (Not as a wide string.)
This isn't the whole story: this description is only about the secret shared by the server and the user. The other part of the story is what happens at login. With the "special" account the client sends this 4-byte-wise little-endian version of the SHA-1 hash. (This is not the same as little-endian, which would swap all 20 bytes.) But for the "normal" password, the server sends a nonce. The client SHA hashes the server nonce with a nonce of its own along with the shared secret and sends *that* hash, big-endian (in other words, in the normal order defined for the hashes).

There's no "weird Cyan-hash". The "normal" login is a CHAP-style authentication which prevents replay attacks on the password hash.

Given that the "normal" authentication is SHA and not SHA-1 I cannot see how anyone could possibly start from a SHA-1 password hash and get to the plaintext necessary to get a SHA hash later. If that were possible, it is not much of a password hash. DirtSand would have to store the password unhashed. And so I think that is what it does, if it does what you describe.

But I think it is more likely that it is storing the shared secret part, just the same as MOSS. Since your username does not typically change all the time, MOSS just assumes you put the correct type of hash in the DB.


Regarding restrictions on characters: I don't know for sure. That is a good question to ask those who know the client code. I would warn against using non-ASCII characters in your password, though. If the client lets you use them, it might toss them, shave off bits, or do the right thing. In any of those cases, you won't be able to log in. In the latter case, it's because compute_auth_hash does not do proper full-on conversion from xyz to UTF-16. It assumes your input is ASCII.

- a'moaca'
Last edited by a'moaca' on Tue May 03, 2011 11:10 pm, edited 1 time in total.
Reason: fix broken formatting
a'moaca'
Member
Posts: 163
Joined: Sat Dec 13, 2008 11:22 pm

Re: PHP Account Creation

Post by a'moaca' »

branan wrote: EDIT: oh, wait, now I remember why it does the SHA-0 second. That SHA-0 includes the client and server challenges, so it must be done at runtime.
That's what my post was missing. :)

- a'moaca'
JWPlatt
Member
Posts: 1137
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: PHP Account Creation

Post by JWPlatt »

My passwords were all printable ASCII. They're just not limited to alphanumerics or consistent case.
Perfect speed is being there.
branan
Member
Posts: 84
Joined: Wed Apr 06, 2011 11:35 pm

Re: PHP Account Creation

Post by branan »

a'moaca' wrote: There's no "weird Cyan-hash". The "normal" login is a CHAP-style authentication which prevents replay attacks on the password hash.
It's weird in the sense that it's unneeded. If the net protocol were unencrypted, it would be fine, and CHAP would be the right thing to do. But at this point in the connection DH has been completed, so it's unnecessary and redundant. It might be a normal thing in some systems, but it's "weird" in the overall architecture of MOUL's network code. Beyond that, it's SHA-0, which no one should be using for anything ever.

As for other things: I've verified in Cyan's client code that the initial hash is always SHA-1, regardless of normal or special. The username is part of the hash for email usernames, and not part of it for other special usernames, as you said. (That's another one of those special/weird Cyan netcode moments.)

So in short: Server should always have an SHA-1 hash. For normal/email usernames, this is a hash of username+password, for other usernames, it's just the password. For normal/email usernames, a SHA-0 CHAP is also done.
JWPlatt
Member
Posts: 1137
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: PHP Account Creation

Post by JWPlatt »

Can we distill password character rules from all this please?
Perfect speed is being there.