Paul Rubin wrote: > [EMAIL PROTECTED] writes: > > I had considered the hmac module. The thing that bugs me about it is > > that I'd have to keep this secret key around someplace accessible to > > the server. Most likely, this means storing it in a file. > > Yeah, this issue is traditionally a nuisance, especially if the server > has to restart itself after a crash. If you start the server > manually, you can type in a passphrase.
Ah, yes, I see I failed to mention that I would like the server to at least try and restart itself after a crash. Hence, my earlier apprehension at using a stored secret key. I realize that having the players communicate with the server via plain telnet is a huge security hole. For a commercial server, I'd probably do things differently, but, again, for a free game server, the idea is to allow players with ordinary telnet or MUD clients to connect without problems. My goal is to keep user passwords as safe as possible, assuming someone did decide to steal the password files. I'm willing to punt versus attacks that will intercept the password between the player and the server in order to allow the player to connect with a non-custom client. This requirement might evolve in the future, but, for now, that's how I'm envisioning things. -- http://mail.python.org/mailman/listinfo/python-list
