Friday, December 9, 2016

AbiathRPC - Password hashing

AbiathRPC server operators can allow users to authenticate by password or VeriMaps certificate. The VeriMaps certificates themselves are never seen by the server, but servers did store the plaintext passwords. Today I made the password authentication system using hashing, so people's passwords aren't on disk. This has the added advantage of stopping bizarre characters in new passwords from breaking the configuration file.

Server operators can still easily give people initial passwords; there's a PasswordIsHashed field that determines whether the user record's password field should be considered a hash instead of a plaintext. A plaintext will be automatically hashed at startup.
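The startup pass and the login check described above, as an added example and not AbiathRPC's own code (the post does not name the project's language, so this is Python): records whose PasswordIsHashed is false are hashed in place with a salted PBKDF2 string that contains only config-safe characters, and authentication accepts hashed records only. The PBKDF2 choice and every field name other than PasswordIsHashed are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed, tune to the server's hardware


def hash_password(plaintext, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 encoded as algorithm$iterations$salt$hash.
    Base64 never contains '$' or whitespace, so the string is safe in a config file."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(plaintext, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$", 3)
        iterations = int(iters)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False  # malformed hash string: refuse rather than crash
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def sample_users():
    """Constructed user records; only PasswordIsHashed comes from the post."""
    return [
        # Operator-issued initial password, still plaintext in the config.
        {"Name": "alice", "Password": "correct horse", "PasswordIsHashed": False},
        # Record that already holds a hash (produced here at load time for brevity).
        {"Name": "bob", "Password": hash_password("swordfish"), "PasswordIsHashed": True},
    ]


def hash_plaintext_records(users):
    """Startup pass: hash every plaintext record in place and flip its flag,
    so no plaintext survives to be written back to disk."""
    for user in users:
        if not user["PasswordIsHashed"]:
            user["Password"] = hash_password(user["Password"])
            user["PasswordIsHashed"] = True
    return users


def authenticate(users, name, plaintext):
    """Password login; a record that somehow still holds a plaintext is refused."""
    for user in users:
        if user["Name"] == name and user["PasswordIsHashed"]:
            return verify_password(plaintext, user["Password"])
    return False
```

Run `hash_plaintext_records(sample_users())` once at startup and write the result back to the config; `authenticate` then works against the hashed records only.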
