This wiki is archived and useful information is being migrated to the main bzflag.org website
Difference between revisions of "Strong Authentication"
m (add category) |
|||
| (3 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| + | {{IdeaDesign}} | ||
| + | |||
| + | {|style="width:100%;margin-top:+1em;background-color:#FF0000;border:1px solid #ccc;" | ||
| + | |<div style="font-size:162%">'''Kerberos authentication was rejected as an implementation system as overly complex with no real benefit over the token system, this document is kept for historical reasons.'''</div> | ||
| + | |} | ||
| + | |||
| + | |||
| + | |||
To use strong auhentication on bzflag an infrastructure based on kerberos should be put in place. | To use strong auhentication on bzflag an infrastructure based on kerberos should be put in place. | ||
| Line 4: | Line 12: | ||
So you should write a /etc/krb5.conf on Unix or krb5.ini on windows, with the following content: | So you should write a /etc/krb5.conf on Unix or krb5.ini on windows, with the following content: | ||
| − | + | [realms] | |
| − | [realms] | + | BZFLAG.ORG = { |
| − | + | kdc = bryjen.bzflag.org | |
| − | + | admin_server = bryen.bzflag.org | |
| − | + | } | |
| − | + | ||
| − | + | ||
This is temporary and will be changed whenever we decide on where to put it. | This is temporary and will be changed whenever we decide on where to put it. | ||
| − | On the kerberos database should be created one principal (kerberos user) for any client and one principal for any server that should | + | On the kerberos database should be created one principal (kerberos user) for any client and one principal for any server that should participate. |
| − | + | * Server principal name should be #port/publicaddr@BZFLAG.ORG (like 5154/bzflag0.gamesunited.de@BZFLAG.ORG) | |
| − | + | * Client principal name should be clientName@BZFLAG.ORG (like c3po@BZFLAG.ORG) | |
When starting a public server it will try to authenticate using the value given in -port -publicaddr and -password | When starting a public server it will try to authenticate using the value given in -port -publicaddr and -password | ||
| Line 22: | Line 29: | ||
When starting a client, it will authenticate to the server if the bzdb variable: username & password are defined (in the bzfs config file). So write the following lines on your config: | When starting a client, it will authenticate to the server if the bzdb variable: username & password are defined (in the bzfs config file). So write the following lines on your config: | ||
| − | + | set username yourName | |
| − | set username yourName | + | |
| − | + | set password yourSecret | |
| − | set password yourSecret | + | |
| − | + | ||
If credentials are unmatched, you will be still logged as an untrusted user. | If credentials are unmatched, you will be still logged as an untrusted user. | ||
| − | |||
| − | |||
Latest revision as of 08:28, 10 February 2013
|
This page contains a design document for an possible enhancement or feature. It is a work of collaborative design and has not been accepted as a development goal at this time. The final implmented feature if any may differ from the information on this page. If you are not part of the development or design group, please post comments and suggestions on the talk page and not in the middle of the design. |
Kerberos authentication was rejected as an implementation system as overly complex with no real benefit over the token system, this document is kept for historical reasons.
|
To use strong auhentication on bzflag an infrastructure based on kerberos should be put in place.
kdc: is the kerberos Key Distribution Center, part of the mit-kerberos5 distribution. It should be unique, possibly with a slave configured, and for bzflag to work it should be configured to serve the realm BZFLAG.ORG . Your system needs to know where KDC is. So you should write a /etc/krb5.conf on Unix or krb5.ini on windows, with the following content:
[realms]
BZFLAG.ORG = {
kdc = bryjen.bzflag.org
admin_server = bryen.bzflag.org
}
This is temporary and will be changed whenever we decide on where to put it.
On the kerberos database should be created one principal (kerberos user) for any client and one principal for any server that should participate.
- Server principal name should be #port/publicaddr@BZFLAG.ORG (like 5154/bzflag0.gamesunited.de@BZFLAG.ORG)
- Client principal name should be clientName@BZFLAG.ORG (like c3po@BZFLAG.ORG)
When starting a public server it will try to authenticate using the value given in -port -publicaddr and -password
When starting a client, it will authenticate to the server if the bzdb variable: username & password are defined (in the bzfs config file). So write the following lines on your config:
set username yourName set password yourSecret
If credentials are unmatched, you will be still logged as an untrusted user.
