Author Topic: Server Side Administration for 1.2  (Read 33967 times)

FisherP

  • Posts: 295
  • Turrets: +31/-32
Re: Server Side Administration for 1.2
« Reply #60 on: March 31, 2009, 05:36:39 am »
Quote
roughly half your list is already in svn (roughly half of that was there long before lakitu7 started coding for trem). majority of the rest of it isn't that useful, and the few things that are useful are slowly being added.
You're referring to my list? I expect some of them to be in the svn, like I've said I checked the more popular ones. I spent about 1 hour before I went to work going through the list from Lakitu's qvm. Please feel free (from what you know already) to list out the items that you know are in the svn. I'll edit my post to reflect your comments.

@Syntac I expect that it wouldn't matter which auth system we use; it could only be as secure as, say, a PHP auth system.
@Bissig, even though OpenID might be a little excessive, what's wrong with it?

Amanieu

  • Posts: 647
  • Turrets: +135/-83
    • Amanieu
Re: Server Side Administration for 1.2
« Reply #61 on: March 31, 2009, 07:17:13 am »
The issue with your system is that the server owner knows the client's hash, and he can therefore use that hash on any other servers that the client has admin on.
Quote
< kevlarman> zakk is getting his patches from shady frenchmen on irc
< kevlarman> this can't be a good sign :P

Archangel

  • Guest
Re: Server Side Administration for 1.2
« Reply #62 on: March 31, 2009, 07:22:22 am »
Quote
@Syntac I expect that it wouldn't matter which Auth system we use it could only be as secure as say a php Auth system.
sense: you make little

FisherP

  • Posts: 295
  • Turrets: +31/-32
Re: Server Side Administration for 1.2
« Reply #63 on: March 31, 2009, 09:55:38 am »
Quote
The issue with your system is that the server owner knows the client's hash, and he can therefore use that hash on any other servers that the client has admin on.
Which is why I suggest that there's a central auth server.

@archangel: PHP is an open-source system and its authentication routines are used extensively in forums and other web applications. People have been raising concerns about security, and I just wish to point out that web pages often have authentication. What makes Tremulous any different? What's so special about Tremulous that it requires more security than the www.tremulous.net forums, for example?

gimhael

  • Posts: 546
  • Turrets: +70/-16
Re: Server Side Administration for 1.2
« Reply #64 on: March 31, 2009, 10:10:14 am »
As far as I know there is no PHP forum masterserver which manages the logins of all PHP forums.

rotacak

  • Posts: 761
  • Turrets: +39/-64
Re: Server Side Administration for 1.2
« Reply #65 on: March 31, 2009, 12:38:53 pm »
FisherP: Tremulous does not need more security than a forum. If someone steals your acc, what happens? You lose all the money from your bank? God no, you lose a nick! Really big tragedy.

When someone posts some ideas in this forum, many replies are "why that idea is bad" and "why not to do it" instead of "how to do it". I haven't seen in this thread at least one good argument against a central auth system. Player loss - no. Security - no. Too much work - no.
I see only good things. Your nick will be yours on all servers - if only this will be the benefit, I think it is a good idea.

FisherP

  • Posts: 295
  • Turrets: +31/-32
Re: Server Side Administration for 1.2
« Reply #66 on: March 31, 2009, 08:15:11 pm »
Quote
As far as I know there is no PHP forum masterserver which manages the logins of all PHP forums.
You are not thinking in parallels, gimhael. The masterserver for a PHP forum such as this one is the forum server. All usernames and authentication are handled by the server that this forum is served from. The parallel of that in the Tremulous game is the masterserver itself.

@rotacak: I would have to agree with you, it's not as if you're gunna lose the farm. However, this idea won't get included without the buy-in of the development team. There's also another benefit, rotacak: if you have problems with your computer and you lose your GUID, it's easily restored if you know your username/password. There's no need to create a backup of it.

For the record I've never been fond of the whole GUID-on-the-client idea; it's a good start, but it's only a start and shouldn't ever be left at that. Please develop the GUID idea a bit more; it should be used to protect the player AND the server operator.

Syntac

  • Posts: 841
  • Turrets: +118/-104
    • Syntac's Stuff
Re: Server Side Administration for 1.2
« Reply #67 on: March 31, 2009, 08:51:31 pm »
Well, the problem with GUID-based authentication is that it's a client-side system. That makes it inherently insecure, although it really isn't intended for security as such; it's more like a token of sorts. (Although the ban system does use GUIDs, and that is insecure. Yes, I know it can also use IP addresses, but many people have dynamic ones.)

However, considering Tremulous's playerbase — mostly* kids/teenagers who wouldn't know a qkey file if one hit them in the head — it's good enough for now.

* Emphasis on "mostly". I'm not calling any of you guys kids/teenagers.

Amanieu

  • Posts: 647
  • Turrets: +135/-83
    • Amanieu
Re: Server Side Administration for 1.2
« Reply #68 on: April 01, 2009, 10:22:32 am »
Here is a patch I made a long time ago that replaces GUIDs with a public key:
http://patches.mercenariesguild.net/index.php?do=details&task_id=133

Note: Do not use this code, it is outdated and has a security hole. It's just to give you an idea.
Quote
< kevlarman> zakk is getting his patches from shady frenchmen on irc
< kevlarman> this can't be a good sign :P
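The two designs argued over in this thread, Amanieu's objection in reply #61 (a server operator who has seen a client's GUID hash can present it to any other server) and the keypair replacement sketched in reply #68, can be modelled side by side. The following is an added illustration written for this page; it is not code from the thread, from Tremulous, or from the linked patch. The "servers", player names and admin levels are constructed, and the RSA signing uses two fixed Mersenne primes with no padding, so it shows only the protocol shape (per-connection challenge, server name bound into the signed message), not a deployable signature scheme.

```python
"""Toy model of static-GUID authentication versus keypair + challenge.

Model 1: the client hands every server the same GUID hash; whoever sees it
         can replay it on any server where that GUID has admin.
Model 2: the server stores a public key and sends a fresh nonce; the client
         signs (server name, nonce). A server only ever sees signatures over
         its own challenges, which no other server will accept.
"""
import hashlib
import os

# ---- Model 1: static GUID ---------------------------------------------------

def guid_from_qkey(qkey: bytes) -> str:
    """A GUID in the static-token style: a plain hash of the client's qkey."""
    return hashlib.sha256(qkey).hexdigest().upper()

class GuidServer:
    """Grants admin on the GUID string alone."""
    def __init__(self, name: str):
        self.name = name
        self.admins = {}   # guid -> admin level
        self.log = []      # (player, guid): what the server operator can read

    def grant(self, guid: str, level: int) -> None:
        self.admins[guid] = level

    def connect(self, player: str, guid: str) -> int:
        self.log.append((player, guid))
        return self.admins.get(guid, 0)

# ---- Model 2: keypair + challenge --------------------------------------------

_P = (1 << 521) - 1   # constructed toy primes (Mersenne primes M521 and M607);
_Q = (1 << 607) - 1   # n is ~1128 bits, so a SHA-256 value always fits below it
_E = 65537

def keygen():
    """Return ((n, e), (n, d)); fixed primes, so this is the same key every run."""
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)

def _digest(server: str, nonce: bytes) -> int:
    # Binding the server name means a signature produced for server A's
    # challenge cannot satisfy server B, even if B reused the same nonce.
    msg = b"auth:" + server.encode() + b":" + nonce
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, server: str, nonce: bytes) -> int:
    n, d = priv
    return pow(_digest(server, nonce), d, n)

def verify(pub, server: str, nonce: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(server, nonce)

class KeyServer:
    """Grants admin only after a valid signature over its own fresh nonce."""
    def __init__(self, name: str):
        self.name = name
        self.admins = {}    # public key -> admin level
        self.pending = {}   # player -> outstanding nonce
        self.log = []       # (player, nonce, sig): what the operator can read

    def grant(self, pub, level: int) -> None:
        self.admins[pub] = level

    def challenge(self, player: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[player] = nonce
        return nonce

    def respond(self, player: str, pub, sig: int) -> int:
        nonce = self.pending.pop(player, None)   # one use per challenge
        if nonce is None:
            return 0
        self.log.append((player, nonce, sig))
        if not verify(pub, self.name, nonce, sig):
            return 0
        return self.admins.get(pub, 0)

# ---- Demonstrations -----------------------------------------------------------

def guid_replay_demo():
    """Returns (player's level on B, level A's operator gets on B with the copied GUID)."""
    guid = guid_from_qkey(b"constructed-qkey-bytes")
    a, b = GuidServer("A"), GuidServer("B")
    b.grant(guid, 5)
    a.connect("player", guid)                   # player visits A; A's log now holds the GUID
    legit = b.connect("player", guid)
    copied = a.log[-1][1]
    replayed = b.connect("operator_of_A", copied)
    return legit, replayed                      # (5, 5): the copy is as good as the original

def challenge_replay_demo():
    """Returns (legit level on B, replay with fresh nonce, replay with A's nonce reused)."""
    pub, priv = keygen()
    a, b = KeyServer("A"), KeyServer("B")
    b.grant(pub, 5)
    legit = b.respond("player", pub, sign(priv, "B", b.challenge("player")))
    a.respond("player", pub, sign(priv, "A", a.challenge("player")))
    _, seen_nonce, seen_sig = a.log[-1]         # everything A's operator learned
    b.challenge("operator_of_A")
    replayed = b.respond("operator_of_A", pub, seen_sig)
    b.pending["operator_of_A"] = seen_nonce     # even a colliding nonce does not help
    replayed_same_nonce = b.respond("operator_of_A", pub, seen_sig)
    return legit, replayed, replayed_same_nonce  # (5, 0, 0)

if __name__ == "__main__":
    print("static GUID  (legit, replayed):", guid_replay_demo())
    print("challenge    (legit, replayed, same nonce):", challenge_replay_demo())
```

The point the model makes is the one Amanieu raises: in the GUID scheme the thing that grants admin is also the thing every server gets to see, so trust in a player's admin status is only as good as every operator the player has ever connected to. In the challenge scheme the server stores only a public key and never sees the private one; what it logs (nonce and signature) is specific to its own name and that one connection, so it cannot be carried to another server, and `pending.pop` ensures each nonce is consumed once.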