
Players report unauthorized clients joining passworded companies #8112

Open
duckfullstop opened this issue May 5, 2020 · 4 comments

duckfullstop (Contributor) commented May 5, 2020

Version of OpenTTD

1.10.1

Expected result

Passworded companies should only be joinable by clients with the correct password.

Actual result

A number of players on our Reddit OpenTTD network since 1.10.0 have been reporting that unauthorized clients (i.e. those without their company password) have been joining their passworded companies. We started out by chalking this up to one or two weak passwords that they didn't want to admit to, but this has been happening with suspicious regularity (once or twice a week), and affected players maintain that their password is quite secure.

Steps to reproduce

None available at present. I've had net debug 2 set since this started happening, but there is nothing of any relevance in either the debug log or the admin port command logs.

Have any other servers been getting reports of this, or is it just us?

embeddedt (Contributor) commented May 5, 2020

We experienced this once on a private server. Someone "accidentally" ended up in my company even though it was passworded with a reasonably strong password. At the time I assumed the person had somehow guessed it, but they said they had never tried to enter my company, they just "ended up in it".

This was with JGR's patch pack.

duckfullstop (Contributor, Author) commented May 5, 2020

> We experienced this once on a private server. Someone "accidentally" ended up in my company even though it was passworded with a reasonably strong password. At the time I assumed the person had somehow guessed it, but they said they had never tried to enter my company, they just "ended up in it".
>
> This was with JGR's patch pack.

How recently was this?

embeddedt (Contributor) commented May 5, 2020

I forget the exact date, but I suspect it was around the beginning of March. I guess that means it was based on a beta version of 1.10.0 (since JGR tracks nightlies and not stable versions).

TrueBrain (Member) commented Jan 1, 2021

We have talked on and off about this for a while, both in issues and on IRC. We have a hard time finding exactly what is going on .. if it is either brute-force, someone being lucky (by guessing the password), or a bug in the authorization (which we cannot find .. we looked at the code a few times now :P), we do not know. A bug seems unlikely, as it is too sparse for that (by the looks), but the alternatives are not likely either.

However, we intend to remove passwords and replace them with something more secure (see #8420), but this has not been built yet. This will not be in 1.11, but hopefully it will come soon after. This will hopefully also resolve this issue .. at least if not, we can rule out brute-force and "being lucky".

Either way, please keep us posted if this still happens and/or if it gets worse.
