[EMAIL PROTECTED] writes:
> This is a password authentication system
> intended for a game server (a MUD/MMOG, in fact). The real limiting
> factor here is that I want to keep the server accessible via pure
> telnet protocol. Otherwise, using SSH would make sense.

If you're going to broadcast passwords in the clear over the network, that's a pretty big leak as well, that obscuring the stored server-side checksums won't help with. Will the game players use a special client program? If yes, use SRP (http://srp.stanford.edu). This has already been implemented in Python several times.

> I had considered the hmac module. The thing that bugs me about it is
> that I'd have to keep this secret key around someplace accessible to
> the server. Most likely, this means storing it in a file.

Yeah, this issue is traditionally a nuisance, especially if the server has to restart itself after a crash. If you start the server manually, you can type in a passphrase.
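
One way to do what the reply's last sentence suggests, as an added example that is not part of the original thread: the HMAC key is derived from a passphrase typed at startup, so only a salt and a key-check value are kept in a file. The function names, the `KDF_ROUNDS` work factor and the sample passwords are assumptions made for illustration.

```python
import getpass
import hashlib
import hmac
import os

KDF_ROUNDS = 200_000  # assumed work factor; tune for your hardware

def derive_server_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the operator's startup passphrase into a 32-byte HMAC key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS)

def key_check(server_key: bytes) -> bytes:
    """Non-secret value stored on disk to detect a mistyped passphrase."""
    return hmac.new(server_key, b"key-check", hashlib.sha256).digest()

def load_key(passphrase: str, salt: bytes, check: bytes) -> bytes:
    """Re-derive the key at startup; refuse to run with the wrong one."""
    key = derive_server_key(passphrase, salt)
    if not hmac.compare_digest(key_check(key), check):
        raise ValueError("wrong passphrase: derived key fails the check value")
    return key

def _tag(server_key: bytes, password: str, user_salt: bytes) -> bytes:
    # Stretch the password per user, then key the result with the server secret.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), user_salt, KDF_ROUNDS)
    return hmac.new(server_key, stretched, hashlib.sha256).digest()

def make_record(server_key: bytes, password: str) -> tuple[bytes, bytes]:
    """Return (per-user salt, keyed checksum) for the account file."""
    user_salt = os.urandom(16)
    return user_salt, _tag(server_key, password, user_salt)

def verify(server_key: bytes, password: str, record: tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of the recomputed checksum with the stored one."""
    user_salt, stored = record
    return hmac.compare_digest(_tag(server_key, password, user_salt), stored)

if __name__ == "__main__":
    # Constructed demo: a first run creates the salt and check value.
    salt = os.urandom(16)
    key = derive_server_key(getpass.getpass("Server passphrase: "), salt)
    check = key_check(key)  # salt and check go in a file; the key never does
    record = make_record(key, "hunter2")  # constructed sample password
    print(verify(key, "hunter2", record), verify(key, "wrong", record))
```

This covers only the stored checksums and, as the reply notes, does nothing about passwords sent in the clear over telnet; an unattended restart after a crash still has no one to type the passphrase.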