Hiya
I just downloaded Mangos to have a look through, I'm interested in how the authentication works.
As far as I can see, the login protocol functions like this:
- Client connects to realmd and authenticates using SRP6.
- As part of SRP6 the account both parties calculate the new session key, which realmd stores in the DB.
- Realmd passes the client a list of realms.
- The client disconnects from realmd and connects to a chosen mangosd server.
- The client sends a seed value (calculated for SRP6 earlier?) and mangosd verifies that they have both calculated the same session key (i.e. both know the password).
- All further communication between the client and mangosd is carried out by encrypting the packet headers using the session key, with the RC4 system.
- If the client logs out from a session, it reconnects to the realmd server using the original session key to authenticate.
I've only had a quick look at the code, but as far as I can see that's right...
If anyone knows... what would happen if a client bypasses the realmd server and authenticates directly with mangosd using its previous session key? I can't see that the key is ever cleared in the DB, for example when an account is logged out, so I assume it would authenticate OK.
Is that an issue? Or is it unnecessary to use a new session key every time the client connects?
Any thoughts or help would really be appreciated.
Cheers!
[Edit]
Also regarding key-length... the session key is 80 bits I believe? Is this secure for a symmetric algorithm like RC4?
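
A small model of the key lifecycle the post asks about, added here as an illustration and not taken from the post or from the Mangos source. The proof format, the class names, the `clear` logout hook and all key and seed sizes are assumptions; it shows that a fresh server seed stops a captured proof being replayed, while a stored key stays usable until something removes it.

```python
import hashlib
import hmac
import os

class SessionStore:
    """Stand-in for the DB table where realmd saves the session key."""
    def __init__(self):
        self._keys = {}
    def save(self, account, key):   # done by realmd after SRP6 succeeds
        self._keys[account] = key
    def get(self, account):
        return self._keys.get(account)
    def clear(self, account):       # hypothetical logout hook
        self._keys.pop(account, None)

def proof(account, client_seed, server_seed, key):
    """Assumed proof format: hash of length-prefixed account, seeds, key."""
    h = hashlib.sha1()
    for part in (account.encode(), client_seed, server_seed, key):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

class WorldServer:  # models mangosd checking a client against the stored key
    def __init__(self, store):
        self.store = store
        self._pending = {}
    def challenge(self, account):
        self._pending[account] = os.urandom(16)  # fresh seed per connection
        return self._pending[account]
    def verify(self, account, client_seed, client_proof):
        server_seed = self._pending.pop(account, None)  # one use per challenge
        key = self.store.get(account)
        if server_seed is None or key is None:
            return False
        expected = proof(account, client_seed, server_seed, key)
        return hmac.compare_digest(expected, client_proof)

def demo():
    store = SessionStore()
    world = WorldServer(store)
    key, cs = os.urandom(16), os.urandom(16)  # constructed values, arbitrary sizes
    store.save("ALICE", key)
    first = proof("ALICE", cs, world.challenge("ALICE"), key)
    out = {"fresh": world.verify("ALICE", cs, first)}
    world.challenge("ALICE")        # new connection, new server seed
    out["replayed_proof"] = world.verify("ALICE", cs, first)
    out["stored_key_reused"] = world.verify("ALICE", cs, proof("ALICE", cs, world.challenge("ALICE"), key))
    store.clear("ALICE")            # key invalidated at logout
    out["after_clear"] = world.verify("ALICE", cs, proof("ALICE", cs, world.challenge("ALICE"), key))
    return out
```
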