Stunt / Improvise - passkeys?

2 views
Skip to first unread message

Kevin Melillo

unread,
May 25, 2013, 1:27:12 PM5/25/13
to MOO-...@googlegroups.com
I downloaded, and compiled Stunt and Improvise, compiled, and ran it just fine....  But I can not log into it.

I see the docs mention that the console log should display the passkeys for the 2 default users...  but all I see is errors telling me that the passkey system is insecure...

May 25 17:20:49: > WARNING: Log-in via passkey is enabled for the following players (specified in $passkey_players):
May 25 17:20:49: > WARNING:   "Wizard" (#5)
May 25 17:20:49: > WARNING:   "Programmer" (#6)
May 25 17:20:49: > WARNING: This is a severe security vulnerability.  In a secure environment you should:
May 25 17:20:49: > WARNING:   disable passkey login:
May 25 17:20:49: > WARNING:     ; $disable_passkey_login = 1
May 25 17:20:49: > WARNING:     ; $passkey_players = {}
May 25 17:20:49: > WARNING:   disable existing passkeys:
May 25 17:20:49: > WARNING:     ; #5.passkey = 0
May 25 17:20:49: > WARNING:     ; #6.passkey = 0
May 25 17:20:49: > WARNING:   and for good measure:
May 25 17:20:49: > WARNING:     ; set_player_flag(#5, 0)
May 25 17:20:49: > WARNING:     ; set_player_flag(#6, 0)

Is there something specific that needs to be done in order to get the passkeys?

Thanks.

Todd Sundsted

unread,
May 25, 2013, 2:58:32 PM5/25/13
to MOO Talk
Yes! You caught me right in the middle of making changes. I haven't
updated the documentation yet.

The directions on the Stunt website (http://stunt.io/) are currently
correct. The documentation in GitHub (for Improvise) is currently
incorrect (but will be fixed shortly).

Bottom line, rather than the server generating passkeys, it now
expects the passkeys for the two initial players (if they are enabled)
to be set via environment variables.

So, before starting the server, do something (from the shell prompt)
like:

export Stunt_Passkey_Wizard=<the Wizard's (#5) passkey>
export Stunt_Passkey_Programmer=<the Programmer's (#6) passkey>

./moo Database.db Database.db.new port ...

When you connect to the server, type "connect " + the appropriate
passkey:

connect <the Wizard's (#5) passkey>

Passkey's in general do not offer great security because the
credentials are effectively available in plaintext form (thus the
warning). The expectation is that this is acceptable for developing
with Stunt, but you will probably want a more secure system
eventually.

Make sense?

Thanks for reaching out!
Todd

Todd Sundsted

unread,
May 25, 2013, 3:27:15 PM5/25/13
to MOO Talk
I did a quick update to the Improvise README.

Todd

Kevin Melillo

unread,
May 25, 2013, 10:34:45 PM5/25/13
to MOO-...@googlegroups.com
Thank you.  That did the trick.  I exported the variables, and was able to connect.  

Another quick question if I may...  Is the Improvise database similar to minimal?  When I logged in, there was basically nothing, no first room, no verbs...  If so, not a problem, at least I know where to start...  if not...  what am I doing wrong?

Todd Sundsted

unread,
May 26, 2013, 8:23:41 AM5/26/13
to MOO Talk
Kevin,

From a virtual reality standpoint, that's pretty accurate. There are
actually 100+ objects in Improvise.db, but many/most of them are
focused on infrastructure (the web server, the templating library, the
plastic parser, utility verbs/objects). Building the VR is the fun
part -- I didn't want to take all the fun :-)

Todd
Reply all
Reply to author
Forward
0 new messages