|
| 1 | +# Changes regarding Protocol 668 |
| 2 | + |
| 3 | +With the release of Starbound protocol version 668, you may have noticed that |
| 4 | +the account/password system is no longer working. This is resulting from |
| 5 | +Chucklefish updating their authentication system. |
| 6 | + |
| 7 | +While this does break some of StarryPy's functionality, the solution is not to |
| 8 | +fix StarryPy, but instead to change how you think about 'authentication' in |
| 9 | +Starbound. |
| 10 | + |
| 11 | +For the impatient, please scroll down to the **Fixing the Problem** section for |
| 12 | +the cut-and dry solution. |
| 13 | + |
| 14 | + |
| 15 | +## Changes to **starbound.config** |
| 16 | + |
| 17 | +As @alex-lawson (aka - metadept) pointed out in the news post |
| 18 | +http://playstarbound.com/february-17-server-configuration-changes/ |
| 19 | +there were some changes in how **starbound.config** is structured. As a callout |
| 20 | +here, the changes are: |
| 21 | + |
| 22 | +``` |
| 23 | + "allowAnonymousConnections" : false, |
| 24 | + "allowAdminCommands" : true, |
| 25 | + "allowAdminCommandsFromAnyone" : false, |
| 26 | + "bannedIPs" : [ ], |
| 27 | + "bannedUuids" : [ ], |
| 28 | +
|
| 29 | +... |
| 30 | +
|
| 31 | + "serverUsers" : { |
| 32 | + "fred" : { |
| 33 | + "admin" : true, |
| 34 | + "password" : "hunter2" |
| 35 | + }, |
| 36 | + "george" : { |
| 37 | + "admin" : false, |
| 38 | + "password" : "swordfish" |
| 39 | + } |
| 40 | + }, |
| 41 | +``` |
| 42 | + |
| 43 | +In order to adapt this to StarryPy, we need to change the way we think about |
| 44 | +authentication. Previously, most servers would use a shared, public or shared, |
| 45 | +private password. This, combined with a UUID and a name would uniquely identify |
| 46 | +a character. The flaw with this system, however, was the assumption that a |
| 47 | +character's UUID would remain obfuscated from other users, ensuring uniqueness. |
| 48 | + |
| 49 | +This however, is by far, no longer the case as UUID numbers are now quite easy |
| 50 | +to collect, and thus to reuse and *'spoof'* other characters. Particularly for |
| 51 | +character's with administrative privileges, this was a concern that needed to be |
| 52 | +addressed. |
| 53 | + |
| 54 | +Enter git commit https://github.com/kharidiron/StarryPy/commit/c371ade0301be369c8f4c9baedcc5e9685fc8633 |
| 55 | +where I added an additional variable called `admin_ss` for tracking if an |
| 56 | +authenticated user also provided an additional *shared secret* password for |
| 57 | +accessing privileged functions. It was then, up to the server administrators to |
| 58 | +make sure their admins were informed of the shared secret. This would not |
| 59 | +prevent UUID spoofers from doing their spoofing, but it *WOULD* prevent them |
| 60 | +from being able to run admin commands. This sort of system is termed a 'dead |
| 61 | +man's switch'. |
| 62 | + |
| 63 | +Fast-forward to release of protocol 668, and now people entering the shared |
| 64 | +secret password are being greeted with 'No such account or incorrect password.' |
| 65 | + |
| 66 | +Now what were we to do? |
| 67 | + |
| 68 | +Originally I was starting to work out how to re-write the code to account for |
| 69 | +new user accounts, and access levels, and such... a minor headache, and some |
| 70 | +time debt to say the least. But then a user in the IRC channel |
| 71 | +(gandalfthecolorb) pointed out that no changes were actually needed. Instead, |
| 72 | +we need to just add an account to the Starbound server configuration to act as |
| 73 | +the collective 'rolls' for all the admin levels. An easy, and elegant solution |
| 74 | +that requires no changing of code on our end, and still maintains the same level |
| 75 | +of security for the servers. |
| 76 | + |
| 77 | +So, now on to fixing the problem. |
| 78 | + |
| 79 | + |
| 80 | +## Fixing the Problem |
| 81 | + |
| 82 | +#### tl;dr |
| 83 | + |
| 84 | +Using the same `admin_ss` password that users set before, along with whatever |
| 85 | +server password StarryPy owners want to ship, we simply need to update the |
| 86 | +starbound.config file to match: |
| 87 | + |
| 88 | +``` |
| 89 | + "serverUsers" : { |
| 90 | + "<admin_ss goes here>" : { |
| 91 | + "admin" : <can be true or false, per your needs>, |
| 92 | + "password" : "<either continue using your old password, or set a new one>" |
| 93 | + } |
| 94 | + } |
| 95 | +``` |
| 96 | + |
| 97 | +And that is it. If you choose to continue using a shared public password, you |
| 98 | +would need to add an additional section for this, and then provide all of your |
| 99 | +users with a generic 'account' to log into (from metadept's example, this would |
| 100 | +be *'guest'*). You would also need to be sure to set `allowAnonymousConnections` |
| 101 | +to `false` as well. |
| 102 | + |
| 103 | + |
| 104 | +#### An additional note regarding commands |
| 105 | + |
| 106 | +StarryPy can be configured to either block, or allow vanilla server commands, |
| 107 | +by changing the option `command_prefix` to something other than `/`. Some |
| 108 | +suggestions have been for `!` instead. This, on its own, does not enable the |
| 109 | +Starbound `/admin` commands, but conversely, can prevent you from using them if |
| 110 | +you leave the prefix in its default state. |
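Review bot: In the tl;dr block (added lines 88-95) the `admin_ss` value becomes the `serverUsers` account name and every admin logs in through that single entry, but the text does not say what follows from that. The password is written in plain text in starbound.config, as the `"password" : "hunter2"` example shows, and withdrawing one admin's access means changing the shared secret for all of them. Suggest adding a sentence after "And that is it." telling operators to restrict read access to starbound.config and to change the secret whenever an admin leaves. Smaller wording points in the same file: lines 60-61 call the shared-secret check a 'dead man's switch', which names a mechanism that fires when an operator stops acting rather than an extra credential check, so "additional shared secret" would be accurate; line 73 'rolls' should be 'roles'; line 12 'cut-and dry' should be 'cut-and-dried'. The closing paragraph on `command_prefix` (lines 106-110) is ambiguous about which prefix value blocks the vanilla `/admin` commands; state the default and the effect of each choice explicitly.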