MOSSi - MOSSinstaller

Discussions About MOSS (Myst Online Server Software)

Moderators: a'moaca', rarified

User avatar
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm
Contact:

Re: MOSSi - MOSSinstaller

Post by Lyrositor »

I've been considering integrating directly into the PHP script, but I'm not sure of all the operations being performed on the password, so I can't accurately hash it with PHP's sha function (if there is such a thing; I know there is sha1). From what I can tell by looking at the source code:
1. "size" is calculated by multiplying by 2 the sum of both the e-mail and password strings.
2. "input" is assigned a block of memory the size of, well, "size".
3. cp is assigned the value of input.
3. "cp" recieves, character by character, the password (except for the newline (?) at the end), with a null character between each letter.
4. Where the newline was, two null characters are placed instead.
5. "cp" is then assigned the lower-case e-mail with null characters in between each letter and two more at the end.
6. SHA generated with input (?).
And I think that's it. I don't get it: what's the purpose of cp if input is used at the end? There is no reassignment of cp's value to input, if I'm correct. I'm aware they are pointers, so maybe I'm confused on that part, but if both point to the same address, why even have two values at all?

P.S. : Still learning C++. Started OOP; woop! :)
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
Image
User avatar
Hoikas
Member
Posts: 344
Joined: Fri Jun 03, 2011 8:38 pm

Re: MOSSi - MOSSinstaller

Post by Hoikas »

That makes sense. However, there were a good many of us writing our own servers who noted that providing regular usernames would result in a simple SHA-1 hash being sent. It makes things a lot easier, and avoids the interesting effects of the email-based hashes :).

Anyway, my poorly described point is that it's a lot easier to sha1 then pq_query in PHP as opposed to running an arbitrary system command. ;)
Image
User avatar
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm
Contact:

Re: MOSSi - MOSSinstaller

Post by Lyrositor »

Does anybody know where the code is in CWE where it encrypts passwords? Maybe it could be changed to a simple SHA1 (or SHA2 or whatever) encryption, and this would greatly simplify creation of passwords on the server side while relying on an encryption built for governments and security.
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
Image
User avatar
Hoikas
Member
Posts: 344
Joined: Fri Jun 03, 2011 8:38 pm

Re: MOSSi - MOSSinstaller

Post by Hoikas »

You don't need to change anything in CWE. It already uses SHA1 for usernames that are not email addresses.
Image
User avatar
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm
Contact:

Re: MOSSi - MOSSinstaller

Post by Lyrositor »

I haven't been able to figure out how to make MOSS accept a username instead of an e-mail address yet, so I don't know how it works on the server side though.
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
Image
a'moaca'
Member
Posts: 163
Joined: Sat Dec 13, 2008 11:22 pm

Re: MOSSi - MOSSinstaller

Post by a'moaca' »

To compile compute_auth_hash, type "make compute_auth_hash".

It is documented, several times over, that MOSS works fine with the non-email-address usernames. It always has. I use them myself. All you have to do is put the SHA-1 hash of the password in the DB instead of the compute_auth_hash thing. This is documented in the files in the source tree itself and there is a pointer on the wiki.

I wrote a lot of documentation. It would be nice if people read it, but ignorance is the best way to generate fud, I guess.
User avatar
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm
Contact:

Re: MOSSi - MOSSinstaller

Post by Lyrositor »

I have compiled compute_auth_hash that way. What I was asking is if it can be set to install along with MOSS, but I suppose I can just do a manual cp to carry over the compiled code.

I have already read the sections explaining that MOSS works with non-email address usernames, but so far I've had no luck. I'll try again, since I might have used the wrong encryption, or my MOSS server was incorrectly configured.

I read all your documentation, from MOSS/Notes to MOSS/Setup to the doc/setup file to the doc/user-management with everything in between. I think I've understood it all, so I'm asking these many questions because I have spent a lot of time trying to figure out everything on my own (if you look at my Installing MOSS thread, I've already managed to figure out a few things on my own).
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
Image
User avatar
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm
Contact:

Re: MOSSi - MOSSinstaller

Post by Lyrositor »

Mac_Fife wrote:I don't use pg_escape_string either, but I do a lot of checking/cleansing on both the password and email supplied long before I get to the point of putting them through copute_auth_hash (for instance, I check that the email address conforms to the RFCs and I check that there's a valid MX record for the domain - no point sending emails out if they're just going to bounce back).
I think I've found a pretty good checker here, and so far so good, so I'm going to use it for Lyros Shard: http://www.linuxjournal.com/article/9585?page=0,3
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
Image
jamie marchant
Member
Posts: 30
Joined: Wed May 04, 2011 5:13 pm
Contact:

Re: MOSSi - MOSSinstaller

Post by jamie marchant »

Are you still maintaining this? I tried it too setup MOSS after completing some of the steps manually but Files.zip can not be found on your server. Thanks :)
User avatar
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm
Contact:

Re: MOSSi - MOSSinstaller

Post by Lyrositor »

No, I'm not maintaining it anymore; and I think the Files.zip would not work now anyway, since the files have changed. You have to generate the manifests yourself.
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
Image
Post Reply

Return to “MOSS”