Old 01-21-2004, 11:53 PM  
Mouton
How to secure !invite

Not that good an idea to ask users to send plain-text passwords to a sitebot, especially on networks with no service... anybody can get your sitebot nick while it's down, and then all your users will PM the evil guy all their passwords...
Uncool, to say the least.

[FTP_Custom_Commands]
ircinvite = TCL ..\scripts\enc_pwd.itcl

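enc_pwd.itcl:
Code:
# Runs as the SITE IRCINVITE handler inside ioFTPD.
# $args holds the text typed after the command (the password),
# $user is the account that is logged in.
proc encpwd {} {
    global args user
    # Hash the password so the plain text never goes over IRC.
    set encpwd [sha1 $args]
    iputs "Use this to invite yourself from IRC:"
    iputs " /msg your_bot_name_here !invite $user $encpwd"
}
encpwd

Usage: Users log in to FTP, send SITE IRCINVITE <their_pwd>, and they get the line they must use on IRC to invite themselves.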

Example:
Quote:
[23:46:15] [L] site ircinvite ioFTPD
[23:46:16] [L] 200-Use this to invite yourself from IRC:
[23:46:16] [L] 200- /msg Botgbb !invite Mouton 6045b1757913f659b210fceb4f2746d74d4d6b32
[23:46:16] [L] 200 Command successful.
Your bot receives the encrypted password, and either opens the userfile itself (bad idea, because shared db and other userfile modules wouldn't be compatible) or it execs an external script that fetches the pwd from ioFTPD shared memory, compares, and returns true or false.

So all that you're missing now is a .exe that would check a password from ioFTPD shmem: set status [catch { exec some.exe passwd $user $pass} result]
and the sitebot would invite the user or not depending on the result.

I already added that in my branch of ioB. I can give code to Harm for the next public ioB version, and to WarC if he wants to include a new 'passwd' option in ioA. Anyone who wants to code it himself, I'll be happy to answer any interrogation you might have on getting the pwd from shmem (datacopy.cpp, included in ioFTPD packages, is a very good start to open and fetch stuff from shmem userfiles).
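An added example, not part of the original post or of ioB: one way the sitebot side could validate the `!invite` arguments before passing them to the external checker the post describes. The proc names, the user-name character set and the `check_cmd` parameter (a stand-in for the post's `some.exe`) are assumptions.

```tcl
# Added example (not from the post): bot-side handling of
#   !invite <user> <sha1hex>
# Requires Tcl 8.5+ for the {*} expansion syntax.

proc valid_invite_args {user hash} {
    # Assumption: user names are limited to a conservative character set.
    if {![regexp {^[A-Za-z0-9_-]{1,32}$} $user]} { return 0 }
    # A SHA-1 digest in hex is exactly 40 hex digits, as in the post's example.
    if {![regexp {^[0-9a-fA-F]{40}$} $hash]} { return 0 }
    return 1
}

proc check_invite {check_cmd user hash} {
    # Validate before exec: Tcl's exec interprets arguments such as
    # ">file", "<file" or "|" as redirection and pipeline operators,
    # so raw IRC text must never reach it.
    if {![valid_invite_args $user $hash]} { return 0 }
    # check_cmd is a hypothetical list, e.g. {some.exe}; the checker is
    # assumed to exit 0 on a match and non-zero otherwise.
    set status [catch {
        exec {*}$check_cmd passwd $user [string tolower $hash]
    } result]
    # catch yields 0 only if the checker exited 0 and wrote nothing to stderr.
    return [expr {$status == 0}]
}

# Constructed inputs: the first pair is the post's example line,
# the others are malformed and must be rejected before exec.
foreach {user hash} {
    Mouton 6045b1757913f659b210fceb4f2746d74d4d6b32
    Mouton >userfile
    "a b"  6045b1757913f659b210fceb4f2746d74d4d6b32
    Mouton 6045b175
} {
    puts [format "%-8s %-42s valid=%d" $user $hash \
        [valid_invite_args $user $hash]]
}
```

Only the first pair prints `valid=1`; `check_invite` is not called in the demo loop because it needs the external checker to be present.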