-
Phase 1 - Add crypto
This will be enabled by default, but servers can opt out via a setting. Pros and cons
-
Phase 2 - Multiple identities
Pros and cons
-
Phase 3 - Access lists
The invite codes and access lists replace passwords; the first can be considered a "temporary" password with the big difference that they are generated. Pros and cons
-
Phase 4 - Friends list
Otherwise, you can only see if a player is active on the server you saw him on. Pros and cons
-
Phase 5 - Store identity in the cloud (Optional)
Pros and cons
-
rcon passwords are currently sent completely in the clear, not even lightly MD5 hashed like company passwords. This is probably more important than company passwords, as the whole server being compromised is much more significant than a company being compromised. Server passwords are also sent completely in the clear, but these tend to be fairly public anyway. Purely for informational purposes, I've already made some changes to password handling in my branch:
-
If removing passwords solves the problem that whenever the server restarts all companies lose the passwords, then I am all for it.
-
It is going to be like OpenRCT2's current state when this comes true, and furthermore authorizations for joining servers/companies might be automated via the server's community website.
-
Hello,

Thanks for doing the stream yesterday - and showing off GitHub. I hope I can get involved with the feedback you asked for where I can in the future. :) As I've run a server for over 5 years now, I feel this is a great place to start. We mainly play in a co-operative style, with a password to join the server but no password on companies.

Overall I love this idea. But there are a few areas I wanted to give feedback on - as you asked for!

In phase 3, you say 'A server-owner can generate an invite code'. I would like to see the option for both one-time codes and codes that can be re-used like Discord server invites. It would save the effort of generating a code for each new member - allowing say 3-4 members to join with one code that can whitelist them on server setup or afterwards.

Also in phase 3 'The owner can make his company public, allowing anyone to join'. As a co-op server owner, I would preferably have the option to disable the "Companies get an access list with roles" or have them public by default as they are - or as a hidden .cfg option server-side. However, I can - thinking about the majority of servers - see that having access lists in this fashion locked down by default for companies would be great to prevent griefing/takeovers etc.

Moving on from that, phase 3 sounds very much like a UI task to give server admins a control panel of sorts. I'd like to ask that the ability to promote a user to a server admin is added as part of this. I host using the dedicated server command line option and I think many others do as well. If there is a new UI with all these fancy features - I'm not sure just using "rcon " will be enough!

Lastly, I've moved server host/computer about 3-4 times in the past few years. At the moment, I just copy over the .cfg - with passwords stored inside and host away. With the new access lists - can a server host PC change be done just as easily?

Sorry for all the spam feedback but I hope this helps the greater good!
Love the idea now and looking forward to where it will go. 👍
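The invite codes from Phase 3, including the one-time and reusable variants asked for in the reply above, shown as an added example (not OpenTTD code and not part of anyone's post). It assumes a player is identified by a public-key fingerprint string; the class, its method names and the sample fingerprints are hypothetical.

```python
import hashlib
import secrets
import time

class InviteRegistry:
    """Invite codes that admit a client identity to a server access list."""

    def __init__(self):
        self._invites = {}        # sha256(code) -> [uses_left, expires_at]
        self.access_list = set()  # key fingerprints allowed to join

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def generate(self, max_uses=1, ttl=3600.0, now=None):
        """Return a new code; the server keeps only its hash."""
        if max_uses < 1:
            raise ValueError("max_uses must be at least 1")
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)  # 128 random bits from the CSPRNG
        self._invites[self._digest(code)] = [max_uses, now + ttl]
        return code

    def redeem(self, code, fingerprint, now=None):
        """Put the presenting identity on the access list if the code is valid."""
        now = time.time() if now is None else now
        if fingerprint in self.access_list:
            return True                    # already a member: do not burn a use
        digest = self._digest(code)
        entry = self._invites.get(digest)
        if entry is None:
            return False                   # unknown, used up, or expired earlier
        if now > entry[1]:
            del self._invites[digest]      # expired: forget it
            return False
        entry[0] -= 1
        if entry[0] <= 0:
            del self._invites[digest]      # last use consumed
        self.access_list.add(fingerprint)
        return True

if __name__ == "__main__":
    reg = InviteRegistry()
    single = reg.generate()                 # one-time code
    shared = reg.generate(max_uses=3)       # reusable code for a small group
    # Fingerprints below are constructed sample values.
    print(reg.redeem(single, "fp-alice"), reg.redeem(single, "fp-bob"))
    print(reg.redeem(shared, "fp-bob"), sorted(reg.access_list))
```

Because the code is generated rather than chosen by a person, it cannot be a password reused from another account, and the server stores only its hash.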
-
Maybe I don't understand something, but this idea doesn't seem quite cool and I don't think it will solve any of the problems relevant to me - it will rather dig some holes even more. I am writing from the player's point of view. However, I do have some concerns.
-
Maybe it will be better to use something like an OpenTTD account? With registration by email and password. Like in other games. And if a server admin bans a player by IP and OpenTTD account, this player will not be able to easily reconnect by using VPN/Proxy. In that case the player needs to create a new account and join it in game.
-
And here we are, a year later and still discussing.
The game cannot be perfect guys, accept it. All games out there are hackable, starting with AAA titles. Sorry if my message seems "toned up" but this comes back from 2007. It can be read in the forums of OTTD. regards. On a side note: Devs: "I've given you this for free, you have no right to demand anything" Remember: Time is the only thing that's really yours in life. In fact, that's life. You exchange it for money at your job, you spend it even if you don't do anything meaningful with it. Time is the most precious-expensive thing, because it goes on and on, do what you do, it will flow and never come back. That makes it expensive. Both have their reasons, both are right in a way.
-
Glad to see all the progress made since 2005.
-
EDIT; I see why there was nothing in the changelog, there was no such change. Here is the weird thing: I was having problems with constant disconnections from the game coordinator, it was a DNS issue I had on my end. Now, don't ask me how or why, I could close the dedicated server, bring it back online (with this issue still taking place) and it kept all the passwords and the game was online. No idea how this glitch can be triggered with a DNS connection problem to the game coordinator or why it worked and still showed my game online or why/how that made the server load the passwords for all players after closing it and re-launching it (did this many times to check). Well that's it. It's not like any developers here are interested in doing anything anyway. Bye
-
Permanent easy solution, 3 Letters; MFA.
-
With #8391, @Milek7 has shown we can, with little code, start our way to deprecating passwords for Multiplayer games.
Passwords in Multiplayer games have always been a bit of an issue, as people are crazy enough to use real passwords they use for other accounts too. Passwords in OpenTTD are not secure; they are sent in plain text over the network, and server owners can easily read them from memory.
For a long time, people have requested that passwords be stored in savegames (#8303 as example); because we know people use passwords in OpenTTD they use for things like Facebook etc, we have always been against that.
Additionally, lately we have seen people getting into other people's companies, most likely by brute-forcing the password (#8339 as example).
With #8391, we are shown a way forward that completely removes the use of user-created passwords. This last week we have been talking back and forth to come to a small roadmap for how we could introduce this. Before we continue to implement this, we would like to have your input on the matter.
Below are 5 phases we think can be walked in order to achieve this goal. Phase 1 is important; the other phases are both optional and can be done out-of-order. What I would like is to know if you see any problems with our ideas, or whether, for example, with small changes we can make it more powerful for you and your use-case. Please either use the emoticons to let us know what you think, or write a reply to explain your use-case and how you think we could improve the implementation.
I am mostly looking at server-owners, as they might most benefit from this implementation.
Please let us know what you think! Really looking forward to feedback :)