g00r00,

I had a question. I was writing some python code using PBKDF2 SHA512 hashing
to try to validate an out of Mystic typed password against the stored hash in the users.dat file.

Since PBKDF2 can be salted, it would be impossible to compare my hash against Mystic's hash. Also, I notice the hash is not the full length in the
users.dat file so I assume it's truncated.

Is there a way we could do a "mystic -uUSERNAME -pPASS -verify" type command with a return value that suggests whether the validation is successful?

My intent is to create matching user accounts for my upcoming website without requiring a separate password.

Thanks ahead of time!

|19|15ÚÄ|16|07´ |08De|07ad|15be|07a|08tz b|07b|15s
|07ÀÄÙÃÄ¿ |08:>.|12F|04sx |1221|08:|122|08/|12123|08.
|11þ |07À|19|15Ä|16|07Ù |08:>.|10A|02gn |1046|08:|101|08/|10123|08.
|12 |15A|07n|08al|07o|15g |08:>.|13F|05dn |131|08:|13305|08/|132|08.
|08:>.|15S|08ci |1577|08:|151|08/|15131|08.

--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net (10:102/3)

Since PBKDF2 can be salted, it would be impossible to compare my hash against Mystic's hash. Also, I notice the hash is not the full length in the users.dat file so I assume it's truncated.

Its a full 512-bit hash, its just stored as binary. Its also salted as you mentioned.

Is there a way we could do a "mystic -uUSERNAME -pPASS -verify" type command with a return value that suggests whether the validation is successful?

Yeah maybe we can do something like that. I am hesitant to allow a password in cleartext on the command line though and I'd be interested in what other
people think about allowing that.

I do realize that the password is already allowed on command prompt though for auto executing scripts from command line, so maybe I'm just overthinking it.

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: --[!dreamland BBS bbs.dreamlandbbs.org (10:101/32)

Yeah maybe we can do something like that. I am hesitant to allow a password in cleartext on the command line though and I'd be interested
in what other people think about allowing that.

I'd be strongly in favor of making the password entry interactive so it
doesn't get saved into bash history in cleartext :)

--- Mystic BBS v1.12 A44 2020/01/16 (Linux/64)
* Origin: monterey bbs (10:101/13)

Its a full 512-bit hash, its just stored as binary. Its also salted as you mentioned.

Ah, didn't think of that in my quick test.

Yeah maybe we can do something like that. I am hesitant to allow a password in cleartext on the command line though and I'd be interested
in what other people think about allowing that.

I wouldn't know any other way to do this since you would otherwise have to be inside a mystic session to issue a user/pass combo. I get the vulnerability issue too. Allowing command line cleartext password checking is a brute force mechanism too. Not so much a risk on BBSing but just bad practice in general. Since I was going to call this function from a non-interactive session on my webserver back end, it wouldn't be saved in bash history or show up to a
user. Still a cleartext check though.

But then thinking about it, telnet itself is cleartext and unencrypted so I guess that supersedes putting too much thought into it! :)

|19|15ÚÄ|16|07´ |08De|07ad|15be|07a|08tz b|07b|15s
|07ÀÄÙÃÄ¿ |08:>.|12F|04sx |1221|08:|122|08/|12123|08.
|11þ |07À|19|15Ä|16|07Ù |08:>.|10A|02gn |1046|08:|101|08/|10123|08.
|12 |15A|07n|08al|07o|15g |08:>.|13F|05dn |131|08:|13305|08/|132|08.
|08:>.|15S|08ci |1577|08:|151|08/|15131|08.

--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net (10:102/3)

Yeah maybe we can do something like that. I am hesitant to allow a password in cleartext on the command line though and I'd be intereste in what other people think about allowing that.

I'd be strongly in favor of making the password entry interactive so it doesn't get saved into bash history in cleartext :)

Do you mean using something like AES256 (or any two way encryption) instead of a password hash? Or do you mean expose how the password is hashed and stored so that someone else can calculate the hash and compare it?

Obviously the latter would help as long as someone had the code and understanding to do a variable iteration SHA512 PBDKDF2 but at the risk of allowing people to actually do that to check passwords.

Sorry I am thinking through this as I type it lol. I probably should just document the latter. The point is not to expose or store passwords and so exposing how its stored doesn't really change the end goal.

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: --[!dreamland BBS bbs.dreamlandbbs.org (10:101/32)

But then thinking about it, telnet itself is cleartext and unencrypted
so I guess that supersedes putting too much thought into it! :)

True, but if you really wanted to lock down a BBS, Mystic does allow for it.

Passwords are 512-bit PBDKDF2, sessions can be SSH, Mystic will also AES-256 encrypt Netmail and it has SSL BINKP too (although that might be broken currently its only sending public cleartext content anyway).

So yeah generally BBSes are not secure, but I do want to make decisions that aren't bad for security at the same time.

But it all comes back to me already allowing the password on the command line t execute MPL and Python scripts from CLI - so what the hell am I talking about.

Let me look at the password stuff and see if it makes sense for me to expose the storage and give people a way to calculate the hashes for comparisons.

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: --[!dreamland BBS bbs.dreamlandbbs.org (10:101/32)

on 24 Jan 2020, ryan said...

I'd be strongly in favor of making the password entry interactive so it doesn't get saved into bash history in cleartext :)

This!

|08j |15A C K |08p |15H L A S H |08!

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: d i s t o r t i o n // d1st.org (10:102/7)

on 25 Jan 2020, g00r00 said...

Do you mean using something like AES256 (or any two way encryption) instead of a password hash? Or do you mean expose how the password is hashed and stored so that someone else can calculate the hash and
compare it?

I think it just meant pop up a password prompt when using a command line
option that requires a password. Obviously people using the command line parameters for automation would need to find a way to input the password, but at least there are some options there.

|08j |15A C K |08p |15H L A S H |08!

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: d i s t o r t i o n // d1st.org (10:102/7)

True, but if you really wanted to lock down a BBS, Mystic does allow for it.

Yes, these features are great. One thing I'd like with this discussion on passwords it to allow for some way to validate a user's credentials via Mystic's users.dat as a tie-in to my website. I'm all for making them
download things from the BBS, but I also like integrating new technologies
with the experience.

Now off the cuff, if Mystic's python had a feature to check a password for a given user name, I could make that work just fine.
Something like:

bbs.validatepassword(userID/Name, "password") - Return True/False

Then I could write a connector in Python to listen for these calls from a Django webservice. Of course I'm being selfish here and I doubt anyone else needs this feature. But ideas are ideas. :)

If you think of something interesting and easy enough to allow external user/pass validation, that would be awesome.

Otherwise, don't listen to me :)

|19|15ÚÄ|16|07´ |08De|07ad|15be|07a|08tz b|07b|15s
|07ÀÄÙÃÄ¿ |08:>.|12F|04sx |1221|08:|122|08/|12123|08.
|11þ |07À|19|15Ä|16|07Ù |08:>.|10A|02gn |1046|08:|101|08/|10123|08.
|12 |15A|07n|08al|07o|15g |08:>.|13F|05dn |131|08:|13305|08/|132|08.
|08:>.|15S|08ci |1577|08:|151|08/|15131|08.

--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net (10:102/3)

Yes, these features are great. One thing I'd like with this discussion on passwords it to allow for some way to validate a user's credentials via Mystic's users.dat as a tie-in to my website. I'm all for making them download things from the BBS, but I also like integrating new
technologies with the experience.

I have thought about this a bit before I redid the passwords. One of the ideas that I came up with was that I could make a REST server that has a function where you could POST to it and get a true/false response to validate the password.

This could be a start of something that would eventually establish a session and open up other API calls for various BBS functions. Grymmjack and I were talkin about this many many years ago but it never got started (mostly because there isn't much of a reason for me to focus on it if there isn't anyone on
the web side creating a web application that needs it).

Anyway, the way I imagined it was that the website would post a SHA512 hash of the password to the service (so no cleartext is passed and we're not relying only on SSL to guard the data). Mystic would take that SHA512 hash and salt it and put it through its PBKDF2 process in order to figure if its legit and then return the true/false response. So basically the first iteration is done on the webapp and sent over, then confirmed by the REST service.

I could also do a command line version of that too like if you ran:

mystic -checkpw <sha512 hash of their password>

Mystic would just print "true" or "false" and exit or something based on if
its real, or it could pop up a prompt to allow the user to type their password eventually resulting in the same "true" or "false". That avoids the cleartext issue as long as the application running the command can do a SHA512 hash

Let me know if any of this stuff works or makes sense for you. I'm totally down on getting stuff going if there are actually people who want to make web-based integration. The only reason it hasn't been done is because I never found my "Grymmjack 2.0" who was willing to work on web stuff and had the skills to do it.

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: --[!dreamland BBS bbs.dreamlandbbs.org (10:101/32)

On 26 Jan 2020, g00r00 said the following...

I have thought about this a bit before I redid the passwords. One of
the ideas that I came up with was that I could make a REST server that
has a function where you could POST to it and get a true/false response
to validate the password.

I would love to work on a web app that could communicate with your REST
server.

Anyway, the way I imagined it was that the website would post a SHA512 hash of the password to the service (so no cleartext is passed and we're not relying only on SSL to guard the data). Mystic would take that
SHA512 hash and salt it and put it through its PBKDF2 process in order
to figure if its legit and then return the true/false response. So basically the first iteration is done on the webapp and sent over, then confirmed by the REST service.

This sounds easy enough. There's a bunch of great JS libraries out there
that have SHA512 hash functions. Looking forward to it if it's made available to test.

|15=|11=|10=|02========================|02=|10=|11=|15=
|14¯ |15Smooth|03 (|11Chingon BBS|03)
^ B7 ^ Legacy ^ Impure |15=|11=|10=|02========================|02=|10=|11=|15= |08¯ |07v|15iva|07l|15a |07r|15aza|14! |07¢|15rale |07h|15omie|14!

--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: Chingon BBS >> Orale Homie! << Covina, CA (10:101/24)