Difference between revisions of "Security"
imported>Maze m (Maze moved page Security and privacy to Security without leaving a redirect) |
(describe insecure mode with links) |
||
(7 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | |||
This page describes the current status of security in AAGRINDER. | This page describes the current status of security in AAGRINDER. | ||
Line 9: | Line 10: | ||
this transmission will be encrypted. | this transmission will be encrypted. | ||
− | On the server, the password is hashed and salted using [https://www.npmjs.com/package/bcryptjs bcryptjs] and then saved in a [[ | + | On the server, the password is hashed and salted using [https://www.npmjs.com/package/bcryptjs bcryptjs] and then saved in a json file. The plaintext password does not persist in memory on neither the client nor the server. |
+ | |||
+ | Users can change their passwords by using the '''/passwd''' [[command list|command]] in-game. It is also possible to change the password with a direct [[AAGRINDER REST api|api call]]. In both cases, the current password is required in order to set a new one. | ||
+ | |||
+ | The server administrator can change any user's password using the '''passwd''' command in the [[server console]]. If you lost your current password, you should contact the server administrator. | ||
− | + | The server administrator is able to remove a password from an account, allowing this account to instantly log in without needing to type a password. This is recommended only for testing. | |
− | + | Older versions of AAGRINDER have an "insecure_mode" setting, which can be used to disable checking passwords. This setting was on [https://gitlab.com/MRAAGH/aagrinder/-/commit/bd503d736fcd120b4f2130d77839048c6dbb275d 8th July 2022] renamed to "check_passwords" and [https://gitlab.com/MRAAGH/aagrinder/-/commit/53940c37dd5d1f7b322e003450a365bda0f02a5e 6 days later] removed. | |
== Authorization == | == Authorization == | ||
Additional privileges may be granted to specific users at login. | Additional privileges may be granted to specific users at login. | ||
− | Among the in-game commands that get executed on the server, some are in the group of ''admin commands'', which prevents users from accessing these commands unless they have the ''admin'' role. The names of users with the admin role are specified in the file ''admins.txt'' in the server directory. This file needs to be edited manually | + | Among the in-game commands that get executed on the server, some are in the group of ''admin commands'', which prevents users from accessing these commands unless they have the ''admin'' role. The names of users with the admin role are specified in the file ''admins.txt'' in the server directory. This file needs to be edited manually and reloaded using the '''admin''' command in the [[server console]], or by [[Administration tips|restarting the server]]. |
− | |||
− | |||
− | + | Older versions of AAGRINDER have a ''/sudo'' command, which allows a user to run a command as any other user, and requires additional privileges (an entry in ''sudo.txt''). The ''/sudo'' command [https://gitlab.com/MRAAGH/aagrinder/-/commit/e89398ba2f59e5f84a601d87d5fe7dd8296612b1 was removed] on September 4, 2022. |
Latest revision as of 09:27, 8 July 2024
This page describes the current status of security in AAGRINDER.
Authentication[edit]
In AAGRINDER, users authenticate with their passwords. The password is chosen when the account is created and needs to be at least 1 character long. The password may contain any characters.
The password is transmitted to the server in plaintext. However, if you are using a https connection, this transmission will be encrypted.
On the server, the password is hashed and salted using bcryptjs and then saved in a json file. The plaintext password does not persist in memory on neither the client nor the server.
Users can change their passwords by using the /passwd command in-game. It is also possible to change the password with a direct api call. In both cases, the current password is required in order to set a new one.
The server administrator can change any user's password using the passwd command in the server console. If you lost your current password, you should contact the server administrator.
The server administrator is able to remove a password from an account, allowing this account to instantly log in without needing to type a password. This is recommended only for testing.
Older versions of AAGRINDER have an "insecure_mode" setting, which can be used to disable checking passwords. This setting was on 8th July 2022 renamed to "check_passwords" and 6 days later removed.
Authorization[edit]
Additional privileges may be granted to specific users at login.
Among the in-game commands that get executed on the server, some are in the group of admin commands, which prevents users from accessing these commands unless they have the admin role. The names of users with the admin role are specified in the file admins.txt in the server directory. This file needs to be edited manually and reloaded using the admin command in the server console, or by restarting the server.
Older versions of AAGRINDER have a /sudo command, which allows a user to run a command as any other user, and requires additional privileges (an entry in sudo.txt). The /sudo command was removed on September 4, 2022.