SkotOS Game Authentication
Types of Authentication
Most SkotOS games are hosted on Debian servers run through Linode. This means that there are three levels of authentication: Linode auth; server auth; and SkotOS auth
Linode Auth
Major Functions: Manage Machine Backups (Snapshot, Restore), Manage Machines (Create, Destroy)
This is controlled through the Linode control panel. You can give people access at "Account > Users > Add A User". Unfortunately, even if they already have an account, you have to create a new "subaccount" for them.
You can choose what individual permissions they get, though the default is "Full": it will be initially set to "Full" when you create the user, and you must afterward decrease permissions if desired by choosing "User Permissions" for the user and adjusting accordingly.
Server Auth
Major Functions: Run Processes (Game, Web Server), Edit Files (Game Files, Images, Web Files), Adjust Cloned Repos (Client, UserDB), Manage Game Backups
This is a "root" user who has super-access to the machine. New users are usually added by inputting their IP address into /etc/hosts.allow
and running /etc/init.d/ssh restart
and giving them a root password.
Game Auth
Major Functions: Edit the Game (Tree of WOE), Access the Game (Admin access)
These are users marked as admins in the game. This is managed through the UserDB. Go to the user pages for you game, and choose the support page (e.g. https://login.URL/support.php). Select the user and on their support page, choose "Admin Access" under "Access:". Be sure to click "Change Info"
Wiztool Auth
Major Functions: Recompile source code for game, Grant Story Points
This is the highest level of access possible, and is very dangerous: user with this level of access can accidentally wreck the game. The access occurs through port X098 on the machine (e.g., 98 + the base port for the game). Its setup is fully described in "Setting Up a SkotOS Host", since it generally requires shell-level access, and its usage is described in "SkotOS Wiztool".
Inside SkotOS Auth
SkotOS auth usually follows this procedure: the user logs in on the login page and a cookie is set. That cookie is then verified when they enter the game by a variety of UserDB functions.
Login Page Login
When a user logins in at https://login.URL, the following happens:
- They type their username and passwd.
- Their username and passwd are passed to the local UserDB Auth socket with the
passlogin
command. - The username is verified.
- The password is verified against a saved hash with
password_verify
. - A random keycode is generated.
- The keycode is placed in the
keycodes
database with a timestamp. - A
user
cookie is set with the username. - A
pass
cookie is set with the keycode.
Web Page Verification
Whenever a user hits a web page requiring authentication, their user
and pass
cookies are checked. If they match the information in the database and the timestamp is not expired (which is all verified with a keycodeauth
command to the auth server), then the user is allowed access to the page.
Auth Server Commands
Three different commands could be sent to the auth server to verify a user:
keycodeauth
Command
Game or Web Page
keycodeauth
sends a username and a keycode to the server-auth, which checks it with is_keycode_ok
and returns successfully if it match the info in the database and the keycode is not expired.
md5login
Command
Game
md5login
sends a username and a hash of the username, the keycode, and a slightly secret word to the server-auth, which checks it with is_hash_ok
and returns successfully if that matches a hash constructed in the same way by the server with its own knowledge of the keycode. It should probably fail if the keycode is expired, but currently may not do so. This is perhaps slightly more secure than keycodeauth
, but not much, because its security comes through the obscurity of the hash.
This appears to be run when a user does his initial login into a game.
A variant of this command called
md5auth
was used by Genesis games, and expects different returns.
passlogin
Command
Web Page
This is fully described above: a username and password are sent, and the hash of the password is tested against what's in the users
database with password_verify
.
Note that passwords are hashed with password_hash
and checked with password_verify
. These are robust PHP functions that are intended to upgrade to new forms of encryption over time: the type of encryption used is stored as part of the hash, allowing full backward compatibility.
There is a variant of this called
passwordauth
. Either it orpasslogin
was used by the Genesis games to allow logins to the game with arbitrary MUD clients.