Server Security


45 replies to this topic

#1
Vincent07

Vincent07
  • Members
  • 47 messages

Some time ago, FunkySwerve posted a topic  about securing a PW now that the Master Server is gone.  This was a lovely bit of code, and we've made use of it on CD.  However, it would seem there is some measure of CD Key recycling going on from GoG and we have had a few players unable to log in because of this. So I would like to find an SQL password security system that is not reliant on GSID.

 

I'd heard SoT used one, and so looked through what they posted.  It seems tied into their massive NWNX implementations which we don't have.   Similarly it is tailored into that module and not something I can easily remove for my own use.

 

Anyone know of a solution for this out there? 



#2
Squatting Monk

Squatting Monk
  • Members
  • 444 messages

I know this is not what you asked for, but Funky posted a modification to the system to account for GoG CD Keys.



#3
Vincent07

Vincent07
  • Members
  • 47 messages

The GoG keys haven't been the issue.  We've been seeing key duplication of the multiplayer keys players have received. 


  • Squatting Monk likes this

#4
Squatting Monk

Squatting Monk
  • Members
  • 444 messages

Ah, I see. That's certainly something that needs to be accounted for, then. In the meantime, have you contacted GoG about this?



#5
Vincent07

Vincent07
  • Members
  • 47 messages

I have not, no. I've never dealt with them. (My copy of NWN is original release, as is each xpac)

 

Mostly I'm interested in finding some different manner of server security, preferably a password system.  So far my searches have yielded nothing.



#6
Pstemarie

Pstemarie
  • Members
  • 2 745 messages

I don't think it's so much GOG recycling CD Keys as the clown that posted a torrent some time back that had over 100 legitimate CD Keys that people had erroneously stored in online file repositories attached to personal websites thinking that was a safe way to store something.

 

One thing I've wondered, now that the master server authentication is gone, wouldn't it be possible to install the GOG version with the generic keys and then replace those keys with your own made-up multiplayer keys?


  • WhiteTiger likes this

#7
Shadooow

Shadooow
  • Members
  • 4 465 messages

Alternatives to CDKEY verification exist - for example you can make an in-game password system where each logging player will have to input a password in a starting area before you teleport the player into the last stored area.

 

But there is one problem remaining - players with same cd key cannot play on the same server at the same time...


  • WhiteTiger likes this

#8
WhiteTiger

WhiteTiger
  • Members
  • 479 messages

And can we skip the step of checking the CD key? Players can't log in to the module because their CD keys are duplicated, and it would be great to let players enter the game without an individual serial code.



#9
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

I don't think it's so much GOG recycling CD Keys as the clown that posted a torrent some time back that had over 100 legitimate CD Keys that people had erroneously stored in online file repositories attached to personal websites thinking that was a safe way to store something.

 

One thing I've wondered, now that the master server authentication is gone, wouldn't it be possible to install the GOG version with the generic keys and then replace those keys with your own made-up multiplayer keys?

This. I have yet to see a duplicate key from GoG. I have seen dozens of them from torrented sites. About 10 times a year I get some clueless torrenter posting on our forums asking why there's a password on their account when they've never played on the server. This is, of course, why we have passwording in addition to the cd key check. I tell them first come, first served, and explain that a GoG key is only 5-10 bucks depending on whether they have a sale going. Otherwise all the torrented keys would be sharing vaults, wallets, and so forth. In fact, we also get a few gripes a year by people wondering why their items are disappearing, or one of their toons was deleted. It's because they haven't yet passworded their account, and another torrenter was logged in as them, using their items and playing their characters.

 

Torrented keys are pretty easy to spot. When you do a SQL search for most keys, e.g., key XXXXXXXX:

SELECT * FROM pwdata WHERE val LIKE '%XXXXXXXX%';

you get one hit. On a torrented key, you'll get dozens, if you have a busy server. I think my record is something like 250 hits. More typical is 60-70 hits.

 

About the only potential point of confusion occurs if you have guilds, where some players share keys. There, though, there's still a marked difference in quantity, with maybe 12-20 hits on a guild-shared key.

 

We do warn our players who share keys that it makes it difficult to distinguish them as different from those they share keys with, and that they may wind up responsible for that person's actions when using their key, but it hasn't been a major issue thus far.

 

Long story short...passwording. I think I've posted a passwording system, courtesy of acaos, somewhere on here. LMK if you can't find it and I'll repost.

 

Funky


  • henesua likes this
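
The hit-count check described in the post above, run over every key at once, as an added example that is not part of the original thread. It uses Python's sqlite3 to execute the counting query; the `key_logins` table, the sample rows and the two cut-offs are constructed assumptions, since the thread does not show the `pwdata` schema.

```python
import sqlite3

# Assumed cut-offs, placed between the ranges quoted in the post
# (guild-shared keys: roughly 12-20 hits; leaked keys: 60-70 or more).
SHARED_MIN = 2
LEAKED_MIN = 30


def build_sample_db():
    """Constructed sample data: (cdkey, account) pairs recorded at login."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE key_logins (cdkey TEXT, account TEXT)")
    rows = [("AAAA1111", "solo_player")]
    rows += [("BBBB2222", f"guildmate_{i}") for i in range(15)]
    rows += [("CCCC3333", f"stranger_{i}") for i in range(65)]
    # Repeat logins by one account must not inflate that key's count.
    rows += [("AAAA1111", "solo_player")] * 40
    db.executemany("INSERT INTO key_logins VALUES (?, ?)", rows)
    return db


def classify_keys(db):
    """Return {cdkey: (distinct_accounts, label)} for every key on record."""
    query = """
        SELECT cdkey, COUNT(DISTINCT account) AS accounts
        FROM key_logins
        GROUP BY cdkey
        ORDER BY accounts DESC
    """
    result = {}
    for cdkey, accounts in db.execute(query):
        if accounts >= LEAKED_MIN:
            label = "likely leaked"
        elif accounts >= SHARED_MIN:
            label = "shared, review"
        else:
            label = "normal"
        result[cdkey] = (accounts, label)
    return result


if __name__ == "__main__":
    for key, (n, label) in classify_keys(build_sample_db()).items():
        print(f"{key}: {n} account(s) -> {label}")
```

Counting distinct accounts rather than raw rows keeps a single busy player from looking like a shared key.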

#10
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

And can we skip the step of checking the CD key? Players can't log in to the module because their CD keys are duplicated, and it would be great to let players enter the game without an individual serial code.

No. You want both. That way, if you ban someone, they lose everything they accumulated on their old account, and have to start over. It's possible to do that with just a password, but it's far less convenient.

 

Funky



#11
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

But there is one problem remaining - players with same cd key cannot play on the same server at the same time...

This is NOT a problem. It's key to preventing serious ex^plo@its.

 

Funky



#12
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

I don't think it's so much GOG recycling CD Keys as the clown that posted a torrent some time back that had over 100 legitimate CD Keys that people had erroneously stored in online file repositories attached to personal websites thinking that was a safe way to store something.

 

One thing I've wondered, now that the master server authentication is gone, wouldn't it be possible to install the GOG version with the generic keys and then replace those keys with your own made-up multiplayer keys?

This is not an appropriate discussion for these boards. PM me if you don't understand why.

 

Funky


  • henesua likes this

#13
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

I have not, no. I've never dealt with them. (My copy of NWN is original release, as is each xpac)

 

Mostly I'm interested in finding some different manner of server security, preferably a password system.  So far my searches have yielded nothing.

I'll post ours, written by acaos, when I get home. It uses SIMTools. Are you running NWNX? If not, you'll have to do some tweaking to make it work with the bioware event.

 

Funky


  • henesua likes this

#14
WhiteTiger

WhiteTiger
  • Members
  • 479 messages

This is NOT a problem. It's key to preventing serious ex^plo@its.

 

Funky

 

"key to preventing serious ex^plo@its"

 

It's relative if you are using the cdkey to prevent the "ex^plo@its". You can use Database / MySQL to prevent whatever. 

 

1. You can use a third party system with database to log into the game with passwords for each player.

2. The system made by Shadooow, which does not allow the creation of the character with a Bastard sword +20. Link


Edited by WhiteTiger, 13 April 2014 - 06:55.


#15
henesua

henesua
  • Members
  • 3 858 messages

I think I don't fully understand how Funky's security system works or at least haven't fully grokked how someone can get around it because I didn't think a password system was necessary.

 

So the way I grasp this:

  • you have a pair of IDs - player name and cd key - which are stored together
  • each player can only use one player name at a time, and to switch you have to tell the system that you want to switch player names on next login
  • if someone logs in with a CD Key and has the wrong player name or with a player name using the wrong CD key they are booted.

 

If this is how it works it seems to be fairly tight to me. The problem is that players need to be consistent with the player name they use.

 

  • But I guess it might be possible for someone who merely wishes to cause harm to find out what a specific player's CD Key is. Is this the problem that password protection solves?
  • Or is it that password protection enables a player to log in using any player name?
  • Or did I get this all wrong?


#16
WhiteTiger

WhiteTiger
  • Members
  • 479 messages
  • Or is it that password protection enables a player to log in using any player name?

 

Henesua,

 

The player needs to create an account that contains a login/pass and, after login, will be able to log in only with the username he created. If he tries to log in with a different username, he will be booted. 

 

OBS: The player needs to insert the password each time he tries to log in to the module again.



#17
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

 

Depends. It's relative if you are using the cdkey to prevent the "exploits". You can use Database / MySQL to prevent whatever. 

 

But what kind of ex)plo^it protection do you mean?

 

1. You can use a third party system with database to log into the game with passwords for each player.

2. The system made by Shadooow, which does not allow the creation of the character with a Bastard sword +20. Link

 

In my view, this is a problem for the players.
 
"If you like it, buy the game" they need to experience

 

I'm not going to elaborate on ex&pl@oits in a thread where you use the word searchably, sorry. Suffice to say, it does not depend. It's one part of a total security system, on the one hand, which absolutely should include a password system, as I note above. On the other, if you have multiple instances, it is completely indispensable.

 

Funky



#18
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

 

I think I don't fully understand how Funky's security system works or at least haven't fully grokked how someone can get around it because I didn't think a password system was necessary.

 

So the way I grasp this:

  • you have a pair of IDs - player name and cd key - which are stored together
  • each player can only use one player name at a time, and to switch you have to tell the system that you want to switch player names on next login
  • if someone logs in with a CD Key and has the wrong player name or with a player name using the wrong CD key they are booted.

 

If this is how it works it seems to be fairly tight to me. The problem is that players need to be consistent with the player name they use.

 

  • But I guess it might be possible for someone who merely wishes to cause harm to find out what a specific player's CD Key is. Is this the problem that password protection solves?
  • Or is it that password protection enables a player to log in using any player name?
  • Or did I get this all wrong?

 

There is a way to get someone's cd key if you're not an admin, on which I will not elaborate. It's already possible to log in with anyone's playername, since the Gamespy passwording is no longer working, since they downed the servers years back. CD keys, by their lonesome, are not completely secure, though the knowhow to circumvent them is exceedingly rare (1 person in 10 years, for us, and he gave acaos and I some difficulty, requiring a custom anti-crash plugin on top of this).

 

We link accounts to keys, and keys to passwords. This permits the establishment of a one-to-one relationship of key to account, and establishes a sort of digital fingerprint. It blocks other keys from accessing the account without permission, and further blocks non-password holders. It is a far better system than a password only system, though this is perhaps not obvious to someone who hasn't worked with them.

 

Password systems, to block as much as possible, need to lock out movement and non-password chat until the password is entered. Otherwise, the 'blocked' player can still wreak all kinds of havoc - especially if they're logged in with a key granting access to dm chat commands, for example. This is incredibly inconvenient for, for example, a player who crashes out during combat and needs to re-enter - they're frozen in place until they can type the pass, and likely to get splattered (plotting them is also not a good solution, but that's delving into minutiae of minutiae).

 

So, you want a dual-layer system, with cd key blocks for the vast majority of mundane blocking, and passwording for the more unusual cases (extremely skilled hackers and publicly-broadcasted cd keys).

 

Further, you probably do NOT want to require re-entry of a password on every login, just every server reset, assuming you're doing them fairly regularly, given inconveniences like the combat scenario listed above. We only require it on first login each reset per instance, resulting in much greater convenience to players at a minimal cost to security (0 reported issues with that approach in the last 4-5 years).

 

Funky


  • Squatting Monk and henesua like this
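
A sketch of the dual-layer check described in the post above (account bound to a CD key, password required once per server reset), added here as an example and not the acaos/SIMTools system the thread refers to. The `LoginGate` class, its method names and the returned action strings are hypothetical; the password is stored as a salted PBKDF2 hash instead of in plain text.

```python
import hashlib
import hmac
import os


class LoginGate:
    """Hypothetical gate: CD key check first, password once per reset."""

    def __init__(self):
        self.accounts = {}     # account -> {"keys", "salt", "hash"}
        self.unlocked = set()  # (account, cdkey) verified since last reset

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash so the database never holds the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, account, cdkey, password):
        salt = os.urandom(16)
        digest = self._hash(password, salt)
        self.accounts[account] = {"keys": {cdkey}, "salt": salt, "hash": digest}

    def on_enter(self, account, cdkey):
        """Decide what to do with a connecting player."""
        rec = self.accounts.get(account)
        if rec is None:
            return "new_account"   # first come, first served: ask to register
        if cdkey not in rec["keys"]:
            return "boot"          # layer 1: key is not linked to this account
        if (account, cdkey) in self.unlocked:
            return "allow"         # already proved the password this reset
        return "freeze"            # layer 2: lock movement/chat until password

    def on_password(self, account, cdkey, attempt):
        rec = self.accounts.get(account)
        if rec is None or cdkey not in rec["keys"]:
            return "boot"
        candidate = self._hash(attempt, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            self.unlocked.add((account, cdkey))
            return "allow"
        return "freeze"

    def server_reset(self):
        # Every (account, key) pair must re-enter its password after a reset.
        self.unlocked.clear()


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("alice", "KEY-A", "correct horse")
    print(gate.on_enter("alice", "KEY-B"))   # a key not linked to the account
    print(gate.on_enter("alice", "KEY-A"))   # right key, not yet unlocked
```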

#19
FunkySwerve

FunkySwerve
  • Members
  • 1 308 messages

If you're going to ask a question:

 

And can we skip the step of checking the CD key? Players can't log in to the module because their CD keys are duplicated, and it would be great to let players enter the game without an individual serial code.

It's not terribly good form to pretend to know the answer and argue with the person answering you:

 

 

Depends. It's relative if you are using the cdkey to prevent the "exploits". You can use Database / MySQL to prevent whatever. 

 

But what kind of ex.plo(it protection do you mean?

 

1. You can use a third party system with database to log into the game with passwords for each player.

2. The system made by Shadooow, which does not allow the creation of the character with a Bastard sword +20. Link

 

In my view, this is a problem for the players.
 
"If you like it, buy the game" they need to experience

 

In point of fact, it's moderately annoying. :P

 

Funky



#20
WhiteTiger

WhiteTiger
  • Members
  • 479 messages

Funky

 

I do not care. You seem to be bossy.

 

EDITED: My answer to Vincent, "How to protect PW Servers", is on the 2nd page.


Edited by WhiteTiger, 11 April 2014 - 03:54.


#21
WhiteTiger

WhiteTiger
  • Members
  • 479 messages

Vincent07,

 

If you would like to find a good security system, you should do what I quoted above. And also, as Shadooow said, you can make a database system where players register on the site, and there you put a button called "Enable Login", and then the player can log in to their account one time.
 
But besides that, only the computer that clicked the "Enable Login" button will be able to enter the game, because we will do the checking by IP.
 
It is the best security system and simple.
 
--------------------------------------------------------
EDITED:
 
You should create a table called "logintable" with some fields, for example: name (of player), username, password, email.
 
Then you insert this into the site:
 
 
TO CREATE ACCOUNT
INSERT INTO logintable SET name="#registerName", username="#registerUsername", password="#registerPW", email="#registerEmail";
 
WHEN CLICK ENABLE LOGIN
UPDATE logintable SET ip="#registerIP" WHERE username="#registerLogin";
 
 
SERVER-SIDE SCRIPT (On Client Enter)
 
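// Needs the NWNX aps_include script for SQLExecDirect() and SQLFetch()
#include "aps_include"

void main()
{
    object oPC = GetEnteringObject();
    if (!GetIsPC(oPC)) return;

    // Look up the account that enabled login from this IP address
    string sSQL = "SELECT username FROM logintable WHERE ip='" + GetPCIPAddress(oPC) + "';";
    SQLExecDirect(sSQL);

    // No matching row: nobody enabled login from this IP, so boot the player
    if (SQLFetch() != SQL_SUCCESS)
    {
        BootPC(oPC);
        return;
    }
}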


#22
Vincent07

Vincent07
  • Members
  • 47 messages

I'll post ours, written by acaos, when I get home. It uses SIMTools. Are you running NWNX? If not, you'll have to do some tweaking to make it work with the bioware event.

 

Funky

 

We are using NWNX and an SQL database.  Though I know there's a lot of additions for NWNX that we do not use mostly as none of us have yet taken the time to understand them.  And we lack someone with any real SQL knowledge.

 

I understand NWScript enough that I was able to implement the CDKey security code you posted some time back, but not really do much else in that regard.



#23
henesua

henesua
  • Members
  • 3 858 messages

There is a way to get someone's cd key if you're not an admin, on which I will not elaborate.


Thanks. I needed to know if it was possible. I'm certainly not asking you to tell us how to do it. But I would like to know how often this happens. You seem to suggest later in your post that this is a very rare problem. Is that true?

#24
WhiteTiger

WhiteTiger
  • Members
  • 479 messages

 

I'm not going to elaborate on ex&pl@oits in a thread where you use the word searchably, sorry. 

 

Funky

 

Funky,

 

Stop, man.

Please, this is already getting bad. 

 
We all know it is you who is writing posts, stop putting "Funky" at the end. 


#25
Vincent07

Vincent07
  • Members
  • 47 messages

 

Vincent07,

 

If you would like to find a good security system, you should do what I quoted above. And also, as Shadooow said, you can make a database system where players register on the site, and there you put a button called "Enable Login", and then the player can log in to their account one time.
 
But besides that, only the computer that clicked the "Enable Login" button will be able to enter the game, because we will do the checking by IP.
 
It is the best security system and simple.
 
(Snipped code for length)

 

 

You mean on our site?  We use a proboards forum not connected really to our server host, which is the other admin.  So not really sure how I would even go about this.  Again, my knowledge of anything relating to SQL is next to nil.