On Sun, 31 Dec 2000, Brandon Allen wrote:

[snip]

> does anyone know how I would go about adding ssh to my mud?

Short answer, duplicate the built-in telnet server while hacking in SSH source. It's certainly no small task, but the OpenSSH source is available from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-2.3.0.tgz and mirrors or via anonymous CVS from anoncvs@anoncvs.usa.openbsd.org:/cvs and mirrors.

> I want secure connections to my mud due to the fact that we have MANY
> local players hooked DIRECTLY to the network here that play from time
> to time. (this is lanparty central) The network is switched but I am
> still freaked ...

Justified paranoia indeed. Switched networking only keeps otherwise uninvolved hosts out of the session sniffing action, but does nothing against sniffing on potentially compromised servers, backbone routers or other intermediary hosts. To take that paranoia a bit farther, many SSH1 implementations can be susceptible to MITM attacks as seen by the endless fury of articles linked from slashdot in the past few weeks.

> I don't want to switch the whole mud over to ssh, just maybe add another
> socket to connect to, and/or has anyone ever tried to have more than
> one open socket to their mud, as this is where I must start to even
> begin. And is this socket playable just like the 4000 (stock socket)
> socket?

I would suggest against taking this route. Not only is there a daunting quantity of code to patch in, but you will have authentication and key-issuing to deal with (possibly store RSA or DSA public and private keys in the mud passwd file?). Then there's the constant patching. New patches to SSH/OpenSSH crop up monthly it seems. The constant bugfixes and security patches would need to be integrated into your mud source tree quite often.

> anyone have any ideas? And am I the first person to bring this up?

You are certainly not the only person to ask this.
The archives should show that I asked it probably 8 months ago before I investigated the possibilities more thoroughly.

One suggestion that was hinted at by another reply was to set up an SSH tunnel or proxy. I had something like that going for a while: a securmud user on the server whose default shell was "telnet localhost 4000". It was suggested that this was a problem for determining from what host a player was MUDding. Not really an issue if you coordinate your MUD logs with sshd lines in the syslog. And players can be easily blocked with an ipchains/ipf/ipfw rule on the appropriate host or via hosts.deny if you compiled tcpwrappers support into sshd.

I personally don't like the idea of having a passwordless account on a host on my network, so I abandoned this line of thought after a while. It shouldn't be an issue if you take host security seriously, are careful about how you compile and implement all involved apps and keep up on all vendor patches religiously. I just felt it was a kludge and that there must be a better way...

Enter IPSec. I now have IPSec VPN support activated on my NAT and being tested. ShadowRealm is under development as a fetish MUD, and we'd like to promise complete anonymity and security to our players. IPSec clients are available for almost every desktop and server OS in use. Many are even free (beer) open source apps (OpenBSD IPSec, Linux FreeSWAN, et cetera). Seemed like the best option to me and required the least coding for the best security.

Just my tuppence.

-- ShadowRealm Management - http://mud.yuggoth.org --
+---------------------------------------------------------------+
| FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
| Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
+---------------------------------------------------------------+
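The log correlation the post describes for the ssh-proxy setup (matching MUD connections that arrive from localhost against the sshd "Accepted ... for securmud from ..." lines in syslog, then blocking the real source host via hosts.deny or an ipchains rule) as an added example. This is not code from the original post, from CircleMUD or from OpenSSH. The MUD log format, the hostnames, the addresses and the 60-second matching window are constructed for the example; only the sshd "Accepted <method> for <user> from <ip> port <n>" message shape is OpenSSH's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from a real host). "securmud" is
# the proxy account whose login shell is "telnet localhost 4000".
SSHD_SYSLOG = """\
Dec 31 14:01:58 mudhost sshd[2311]: Accepted password for securmud from 10.0.0.5 port 1029 ssh2
Dec 31 14:02:40 mudhost sshd[2350]: Failed password for securmud from 10.0.0.9 port 1044 ssh2
Dec 31 14:05:03 mudhost sshd[2377]: Accepted publickey for securmud from 10.0.0.7 port 1031 ssh2
Dec 31 14:20:15 mudhost sshd[2401]: Accepted password for alice from 10.0.0.8 port 1050 ssh2
Dec 31 14:30:00 mudhost sshd[2455]: Accepted password for securmud from 10.0.0.5 port 1062 ssh2
Dec 31 14:30:20 mudhost sshd[2460]: Accepted password for securmud from 10.0.0.7 port 1063 ssh2
"""

# Constructed MUD log in a hypothetical format. A real CircleMUD syslog
# looks different, so MUD_RE below would need adjusting.
MUD_LOG = """\
Dec 31 14:02:00 :: New connection from [127.0.0.1]
Dec 31 14:05:04 :: New connection from [127.0.0.1]
Dec 31 14:12:30 :: New connection from [127.0.0.1]
Dec 31 14:15:00 :: New connection from [192.168.1.20]
Dec 31 14:30:25 :: New connection from [127.0.0.1]
"""

LOG_YEAR = 2000  # syslog timestamps carry no year; assumed for the sample
TS = r"(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")
MUD_RE = re.compile(TS + r" :: New connection from \[([^\]]+)\]")


def parse_ts(text):
    """Parse a syslog timestamp, supplying the year it lacks."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def ssh_logins(syslog_text, proxy_user):
    """(time, source ip) for every successful sshd login of the proxy user."""
    logins = []
    for line in syslog_text.splitlines():
        m = SSHD_RE.match(line)
        if m and m.group(2) == proxy_user:
            logins.append((parse_ts(m.group(1)), m.group(3)))
    return logins


def mud_connections(mud_text):
    """(time, connecting ip) for every connection line in the MUD log."""
    return [(parse_ts(m.group(1)), m.group(2))
            for m in map(MUD_RE.match, mud_text.splitlines()) if m]


def correlate(syslog_text, mud_text, proxy_user="securmud",
              window=timedelta(seconds=60)):
    """Resolve each MUD connection to its real origin.

    Returns (mud time, ip, status). Status is 'direct' for a plaintext telnet
    straight to port 4000, 'ssh' when exactly one proxy login precedes a
    localhost connection within the window, 'ssh-ambiguous' when several do
    (all candidate ips are returned, sorted and comma-joined), and
    'localhost-unmatched' when none does.
    """
    logins = ssh_logins(syslog_text, proxy_user)
    results = []
    for t, ip in mud_connections(mud_text):
        if ip != "127.0.0.1":
            results.append((t, ip, "direct"))
            continue
        candidates = [lip for lt, lip in logins if timedelta(0) <= t - lt <= window]
        if not candidates:
            results.append((t, ip, "localhost-unmatched"))
        elif len(candidates) == 1:
            results.append((t, candidates[0], "ssh"))
        else:
            results.append((t, ",".join(sorted(set(candidates))), "ssh-ambiguous"))
    return results


def block_commands(ip):
    """A hosts.deny entry (tcpwrappers-enabled sshd) and an ipchains rule for ip."""
    return ["sshd: %s" % ip, "ipchains -A input -s %s -j DENY" % ip]


if __name__ == "__main__":
    for t, ip, status in correlate(SSHD_SYSLOG, MUD_LOG):
        print(t.strftime("%b %d %H:%M:%S"), ip, status)
```

Time-only correlation is only as good as the spacing between proxy logins: two players tunnelling in within the same minute produce an 'ssh-ambiguous' row, and a localhost connection with no sshd login behind it means someone on the MUD host itself (or a tunnel you did not account for) reached port 4000 without the proxy. A more robust variant would have the proxy account's shell wrapper log the SSH_CLIENT environment variable that sshd sets, giving the MUD an explicit source address per session instead of a timestamp guess.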
This archive was generated by hypermail 2b30 : 04/11/01 PDT