Opinion from Community

[trevius]

Quote:

Originally Posted by image

unfortunately I think more for the private route and everyone has their own registration. It is too easy to spoof being another client in this game to trust passing that data back and forth. I think people want the freedom of their own LS too..

With the ideas in my post, people could do either one separately or both at the same time. Having more options is more likely to get the best approval rate.

If there are issues with account security, then maybe they can be worked out. If it is so easy to spoof being another account, then I don't see how that wouldn't be a potential issue for any Login Server, private or Public. I am not sure how that would effect being able to use public accounts on a private server. If you are setting a password into the accounts table, you would have to know what that password was to be able to access that same account through the Private LS. I am talking about players setting their own passwords to their accounts while they are actually logged into the server through the Public LS. That should pretty much confirm that they do actually own that account. If there are security issues with that, then maybe they can be worked out somehow as well.

[image]

Unfortunately the password isn't used all the time to handle your authentication, that is my concern. It is part of how the EQ client works.

[trevius]

The password isn't used all of the time? I don't pretend to know exactly how the LS works, but I know the official public LS will never let you into your account if you enter the incorrect password. Try it a million times and you still won't get in. If you do, that is news to me and there needs to be a fix if possible for it, lol...

[image]

I don't want to elaborate but pretty much.

[Aergad]

Ok my two cents here...

That would mean ALL loginservers being connected to a central database with all accounts in it, HUGE security risk one person figures out how to get the info for the db and EVERYONES accounts and EVER private server is vulnerable.

That would be in no way different from just using the public LS. which the point of this is so that people do not HAVE to use it and can have autonomy.

while a launcher to choose a LS is an option.

I see no good comming of emabling all the loginservers access to all the other loginservers accounts other then some wannabee l33t hacker compromising EVERYONES accounts.

ontop of that some people dont WANT to be connected to the public ls at all there are many users of minilogin already. so obviously not everyone wants to be dependant on the current ls or have their server publicly connected to it.

[Aergad]

also setpass is for the account table for worldserver ONLY it isnt connected to the LS in any way

[trevius]

Aergad, did you read my post at all, or did you just not understand what I was talking about?

The old mini-login that is IP based uses the server's accounts table to authenticate, only it uses IP instead of any sort of password. That is the exact thing I am talking about that we could do with a new Private LS that could authenticate via passwords instead. It would run locally on the individual server's network (or even on the same server), and would have direct access to the accounts table for authentication exactly like the IP Mini-Login does now. It is a simple concept. It also has nothing at all to do with running some centralized account database, as that would be one of the worst security risks possible, LMAO. I don't think you quite understood what I was talking about. And yes, #setpass would set the password in the correct place for this idea to work.

Now, if there are some password authentication issues with Login Servers, then that is news to me. I couldn't come up with a good solution without knowing all of the details. But, I can't really imagine that the client would ever not send the password for authenticating unless there was a hack around it. And if there is a hack around it that compromises accounts, then I don't see what that has to do with this particular idea that doesn't also effect all Public and Private Login Servers already.

[image]

so you are saying they create a command to set their login password to be used on said private server which is the world server owner? Just making sure I understand.

[Aergad]

whati am saying is that the new minilogin doesnt touch the accounts table it uses login_accounts its two totally different forms of authentication

[Aergad]

the setpass command is used for the worldserver only for access to the web interface and telnet the two tables are apples and oranges the ls doesnt touch the accounts table and idealy the ls uses a seperate database entirely for the login accounts they dont interact worldserver handles all the interactions with accounts table so doing it how you said would make no sense

[trevius]

Quote:

Originally Posted by image

so you are saying they create a command to set their login password to be used on said private server which is the world server owner? Just making sure I understand.

Sorry, Image, I am not clear on what you are saying there.

Here is an example of what I think would work very well:

1. PlayerA logs into the Public Login Server with their account "player1" and connects to their favorite server.
2. If that server is up-to-date and configured to use the Public and Backup Private LS at the same time, they can enter the game on that server and type "#setpass mypassword". That will save "mypassword" in an MD5 hash into the accounts table for their account "player1".
3. They can then log out and exit EQ completely. And then change their eqhost.txt file to point to their Private LS for that particular server.
4. This time, they log into EQ and hit the Private LS for that server. When they log in, they use the account name "player1" still, but then they use the password "mypassword" that they set while they were on their public account.
5. Since the Private LS would have direct access to the accounts table (just like the IP based mini-login one does now), they would authenticate to that account and have access to their own characters from the Public account. Since they set the password while logged into their Public account, it verifies that they do own that account and should be just as secure as using the Public Login Server.

The only issue with this option is that a determined admin could crack the password that the user set in their accounts table if they wanted. So, it would be a good idea to use a different password from what they might use for other servers and for the Public LS. But, the MD5 should at least reduce the likeliness of admins snooping through passwords. If you are playing on a server where you trust the admins of it, this shouldn't be an issue at all anyway.

Does that make sense? I can picture it working perfectly like that, but it probably sounds a bit confusing.

[image]

I understand what you mean, if the login server were setup to use the same database as the world, yes.

[Cripp]

ok.. I didnt read the last few posts yet but heres my 2cents..

I think all we need to do is change the LSID for the accounts to either the lsid for your LS or isid for eqemu LS..

so like if your changing from eqemu LS to private, set the LSID to the same account to the private LS LSID.

shrug lol.

[Aergad]

ok butyour not listening here the LS doesnt TOUCH the account table what your talking about would require a total rewrite of how the ls works AND a rewrite of how world authenticates...

Ontop of that the lsacctid value wont match so world wont let the user in if they switch between loginservers each ls would assign its own loginserver id.

World is the only thing that touches the accounts table the login server runs off a different database

minilogin the official one doesnt even touch the account table look int he worldserver code worldserver handles the authentication minilogin jsut sends the ip to the worldserver

[KingMort]

Image keep up the good work I think you have a really good idea with this..

As you have seen in my other posts I think we need to take every step united and not split off into nothingness...... I do not think your idea will make the people disconnect themselves from each other in fact it would probably have the opposite effect...

It would again unite everyone as EQUALS in the community which in some ways... has not been done in years...

King