Players report unauthorized clients joining passworded companies #8112
Comments
We experienced this once on a private server. Someone "accidentally" ended up in my company even though it was passworded with a reasonably strong password. At the time I assumed the person had somehow guessed it, but they said they had never tried to enter my company, they just "ended up in it". This was with JGR's patch pack.
How recently was this?
I forget the exact date, but I suspect it was around the beginning of March. I guess that means it was based on a beta version of 1.10.0 (since JGR tracks nightlies and not stable versions).
We have talked on and off about this for a while, both in issues and on IRC. We have a hard time finding exactly what is going on .. if it is either brute-force, someone being lucky (by guessing the password), or a bug in the authorization (which we cannot find .. we looked at the code a few times now :P), we do not know. A bug seems unlikely, as it is too sparse for that (by the looks), but the alternatives are not likely either. However, we intend to remove passwords and replace them with something more secure (see #8420), but this has not been built yet. This will not be in 1.11, but hopefully it will come soon after. This will hopefully also resolve this issue .. at least if not, we can rule out brute-force and "being lucky". Either way, please keep us posted if this still happens and/or if it gets worse.
FWIW: I'm building and running my own server since the April Fools Day release on Steam and made the following (unexpected) observation: The company passwords are lost when restarting the server, i.e. they are NOT stored in the exit.sav! (So if you cronjob'd your server to reboot every night at 3 am there is no brute-forcing going on, the companies are just unprotected then. Just a heads up.)
This is likely 'working as designed'. I should finish that pubkey PR before next year...
Company passwords are not stored in savegames; that's by design. When you save and reload a game in multiplayer, all companies start out without passwords.
Thanks for the heads up 👍 - I believed I had somehow misconfigured the dedicated server.
I think that is a major problem - it kind of breaks the promise of having the possibility of running a semi-auto dedicated server somewhere in the cloud. (It also kinda subverts the otherwise fantastic If there are privacy issues because every client could save their game locally, too (and thus would also get to see their rivals' passwords) -- I get that (*). However, the problem isn't so much that the passwords aren't stored in the savegame - but that the passwords aren't stored anywhere at all (in a non-volatile manner)! I wouldn't mind e.g. when they were stored in Motivation: I'm running my own Linux server somewhere on the interwebs and have openttd-dedicated running as a daemon on boot automatically. Oh yeah... almost - because now ALL THE COMPANIES OF MY FRIENDS ARE UNPROTECTED and can be mismanaged by trolls!! This makes a mockery of the I think this needs a fix ASAP -- I wouldn't even mind a stupid hack like a map in (*) at least somewhat - it's a made-up password for a virtual company in a video game!
See the discussion in #8420, it's about this exact issue.
@Sgt-Nukem Question: is your concern that your friends will troll each other, or that a random person will find your server and join a company? If it's the latter, you could set a server-wide password as a workaround. This is persisted across restarts.
As we did not receive any more reports of this issue, I think a brute-force or a password leak of sorts is the most likely case. As mentioned earlier, we cannot find any issues code-wise that could explain this. If it resurfaces, and people know how to reproduce, please let us know. But given this was only reported for a short moment in time for a few isolated cases, we have little choice but to assume it was just that: isolated cases. Sorry :(
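A defender-side check for the brute-force-versus-lucky-guess question the maintainers raise above: an added example, not OpenTTD code, that scans a server's join log for bursts of rejected company passwords and for an accepted password that follows a run of rejections. The log line format and the sample lines are constructed for this example; OpenTTD's real net debug output is not parsed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not OpenTTD's real net debug output):
# "<ISO timestamp> client=<id> ip=<addr> company=<n> password=<accepted|rejected>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\d+) ip=(?P<ip>\S+) "
    r"company=(?P<company>\d+) password=(?P<result>accepted|rejected)$"
)


def analyse_join_log(lines, window=timedelta(minutes=10), threshold=5):
    """Return {(ip, company): finding} for join attempts worth a look.

    'burst'          - more than `threshold` rejected passwords within `window`
    'accepted_after' - an accepted password preceded by rejections, the trace
                       a successful guessing run leaves behind
    A lone accepted join with no prior rejections is not flagged: that is what
    the "lucky guess / leaked password" case from the thread looks like.
    """
    rejects = defaultdict(list)   # (ip, company) -> recent rejection times
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log noise
        ts = datetime.fromisoformat(m["ts"])
        key = (m["ip"], int(m["company"]))
        if m["result"] == "rejected":
            recent = [t for t in rejects[key] if ts - t <= window]
            recent.append(ts)
            rejects[key] = recent
            if len(recent) > threshold:
                findings.setdefault(key, {})["burst"] = len(recent)
        else:
            if rejects[key]:
                findings.setdefault(key, {})["accepted_after"] = len(rejects[key])
            rejects[key] = []     # a successful join resets the counter
    return findings


# Constructed sample: one address hammering company 2, one clean join.
SAMPLE_LOG = [
    "2020-05-01T03:10:00 client=12 ip=198.51.100.3 company=1 password=accepted",
] + [
    f"2020-05-01T03:1{i}:00 client=17 ip=203.0.113.7 company=2 password=rejected"
    for i in range(7)
] + ["2020-05-01T03:18:00 client=17 ip=203.0.113.7 company=2 password=accepted"]
```

Running `analyse_join_log(SAMPLE_LOG)` flags only the hammering address; the clean join on company 1 produces no finding, which is the pattern that would point at a leaked or guessed-first-time password rather than brute force.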
Version of OpenTTD
1.10.1
Expected result
Passworded companies should only be joinable by clients with the correct password.
Actual result
A number of players on our Reddit OpenTTD network since 1.10.0 have been reporting that unauthorized clients (i.e. those without their company password) have been joining their passworded companies. We started out by chalking this up to one or two weak passwords that they didn't want to admit to, but this has been happening with suspicious regularity (once or twice a week), and affected players maintain that their password is quite secure.
Steps to reproduce
None available at present. I've had net debug 2 set since this started happening, but there is nothing of any relevance in either the debug log or the admin port command logs.
Have any other servers been getting reports of this, or is it just us?