1 (edited by afflux 2008-10-24 21:41:00)

Topic: [MOD] real RCON - with gnuTLS security

Hi,

this is a mod for a real remote console, which means: no need to start up the game to control your dedicated server.
It's using gnutls for server side encryption. If you don't know how to set this up, don't waste your time here - this is not intended to be user/idiot-friendly.

Config vars:

sv_rr_port -- the port for your remote console (see below explanation), default is 5556
sv_rr_maxcon -- maximum number of connections allowed, default is 5
sv_rr_sslkey -- path to your x509 private key in PEM format, defaults to ""
sv_rr_sslcert -- path to your x509 public certificate in PEM format, defaults to ""
sv_rr_sslca -- path to a CA you trust for signing client certificates (most people will want their own here), defaults to ""
sv_rr_sslcacrl -- path to the certificate revocation list (CRL) of the above CA, may be omitted, defaults to ""

Using:
Once the server is started up you should see a line like:

[48e8f598][rrcon]: Server ready. Listening to port 5556

Now you can connect to that port. I currently use socat (Linux), but any other SSL capable plain TCP/IP "client" will do.

$ socat - SSL:$IP:$PORT,cert=$YOUR_CLIENT_CERTIFICATE,key=$YOUR_PRIVATE_KEY,cafile=$PATH_TO_SERVERS_CA

IP/PORT is self-explanatory
YOUR_CLIENT_CERTIFICATE is the client certificate that will be used for encryption and verification
!!important: the CA from the server's configuration has to be the issuer of the above certificate!!
YOUR_PRIVATE_KEY is the private key for the above certificate
PATH_TO_SERVERS_CA is the CA that signed the server's certificate

Now you have to enter your sv_rcon_password and the server should answer with "authentication successful".
Now you have full rcon access to your server.

http://k.pentabarf.de/teeworlds-0.4.3-rrcon.patch
Apply with patch -p1.

Though testing went quite well, I don't think I could wipe out all sources of segfaults (duh!) so use at your own risk. When you build the server, please build the debug version (bam server_debug) to be able to provide backtraces just in case.

Sorry for my bad English, I'm a dumbass from Germany who says "fuck school!!111" and does not give a damn about readability in public forums.

2

Re: [MOD] real RCON - with gnuTLS security

Great idea, but I don't think a lot of people will use it, since some of them have problems setting up their own server :| and segfaults are quite bad. Thx for your efforts ;)

We will meet again when the flowers spread their glorious scent of victory and the birds sing us the melody of justice...

3 (edited by TuX. 2008-10-24 00:14:42)

Re: [MOD] real RCON - with gnuTLS security

Hi,

That's exactly what I was looking for. Unfortunately the patch file does not work on Linux.

root@xxxxxxx:/home/teeworlds/source/teeworlds-0.4.3-src# patch -p1 < teeworlds-0.4.3-rrcon.patch
patching file default.bam
patch: **** malformed patch at line 12: diff -pruN b.orig/src/engine/e_config_variables.h teeworlds-0.4.3-src/src/engine/e_config_variables.h

Could you please fix that?

4

Re: [MOD] real RCON - with gnuTLS security

That's a really nice idea! I've always felt that starting the game is unnecessary to change maybe just one simple line. Your solution isn't something for everyone, but then everyone doesn't have to be lazy. :)

The proposition "I am the center" need never be uttered. It is the assumption upon which all certainty and all doubt turns.

5 (edited by Magnet 2008-10-24 11:33:35)

Re: [MOD] real RCON - with gnuTLS security

Golvmopp wrote:

That's a really nice idea! I've always felt that starting the game is unnecessary to change maybe just one simple line. Your solution isn't something for everyone, but then everyone doesn't have to be lazy. :)

I love it because this way when we have clanwars and my server is full, I can remotely kick players and set a password so we can enter our own damn server. It should make it to the standard distribution imho. Also there have been server admins kicked/banned through votes on their own servers (heh Mr_Q); I don't know if it can happen with the upcoming official voting system but something has to be done to allow them to remove bans.

6

Re: [MOD] real RCON - with gnuTLS security

Can you create a version for Windows?

Goodbye all. Account inactive since March 2011.

7 (edited by afflux 2008-10-24 21:39:23)

Re: [MOD] real RCON - with gnuTLS security

khubajsn wrote:

Can you create a version for Windows?

No, I can't.

@TuX.: as I responded to your mail, I re-rolled the patch to the same link, it should work now. If not please ping me, preferably per mail.

Sorry for my bad English, I'm a dumbass from Germany who says "fuck school!!111" and does not give a damn about readability in public forums.

8

Re: [MOD] real RCON - with gnuTLS security

Thank you very much!
I'm going to try this today. If it works as expected I'm going to write a server configurator in PHP which monitors the server and allows config changing. When changing config the settings can be applied to the running server and to the config file simultaneously. Hope I find the time ;)
Temporary config changes are bad when the server has to be restarted for any reason or if there is an unexpected error: all changes are lost. Also you have to block a server slot by joining the server for changes, or use the config file, but then you have to restart the server...

@Developers: Please include this patch in 0.5 or at least 0.6, or write a similar remote rcon listener.

http://blog.jbbr.net/ - My (german) Blog

9

Re: [MOD] real RCON - with gnuTLS security

We have such a system in planning, which will use telnet and as default accept connections from localhost. Then you'll be able to ssh to the server and telnet from there.

No promises on when or exactly how this is done however.

10 (edited by foxx 2008-10-25 20:29:03)

Re: [MOD] real RCON - with gnuTLS security

Maybe it would be nice to have OpenPGP authentication as an option. It would be a bit easier I think, and it's supported by gnutls. Currently I'm sitting here trying to get the authentication working. I created a self-signed CA key and a public certificate, created a server key and certificate (tried both, issued by the self-signed CA key and not) and a client key and certificate issued by the CA key.
Every time I connect with socat it tells me on the client side:

2008/10/25 14:38:49 socat[15422] E SSL_connect(): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

When using option -s there is a second line in stdout:

2008/10/25 14:38:49 socat[15422] E no peer certificate

After this failed authentication the server crashes with:

[49031358][rrcon]: Server ready. Listening to port 5556
[4903135a][rrcon]: ***.***.***.***:53538 - arrived in thread
[4903135a][rrcon]: ***.***.***.***:53538 - *** Handshake has failedA TLS fatal alert has been received.
*** glibc detected *** free(): invalid next size (fast): 0x09ec9c58 ***
Abgebrochen

I'm using the debug version of teeworlds 0.4.2 (Yes, 0.4.2 - maybe there is the problem but it does not look so I think, I applied all failed chunks of the patch manually)

Thank you in advance,
foxx

http://blog.jbbr.net/ - My (german) Blog

11

Re: [MOD] real RCON - with gnuTLS security

foxx, I was able to reproduce your issue. It should be fixed in the newest patch at the same location.

FYI, this should've made the trick:

diff -u teeworlds-0.4.3-src/src/engine/server/rrcon.c teeworlds-0.4.3-src/src/engine/server/rrcon.c
--- teeworlds-0.4.3-src/src/engine/server/rrcon.c       2008-10-24 19:02:19.000000000 +0200
+++ teeworlds-0.4.3-src/src/engine/server/rrcon.c       2008-10-25 19:00:01.000000000 +0200
@@ -45,7 +45,7 @@
     if (!strerr)
         strerr = strdup("(no error)");
 
-    errormessage = (char *) malloc(strlen(strerr) + strlen(desc));
+    errormessage = malloc(strlen(strerr) + strlen(desc)+1);
 
     strcpy(errormessage, desc);
     strcat(errormessage, strerr);
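
Review bot: the malloc() result on the changed line is handed to strcpy() two lines later without a NULL check, and strerr can itself be NULL if the strdup("(no error)") fallback above fails, in which case strlen(strerr) dereferences it. The +1 is the right size for the terminator, but the length is still computed in one place and the copy done unbounded in another; keep the length in a size_t, check both allocations, and write the message with snprintf(errormessage, len, "%s%s", desc, strerr) so the bound is enforced where the write happens. The strdup'd fallback and errormessage are both heap allocations, so make sure each has a matching free on this error path.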

Sorry for my bad English, I'm a dumbass from Germany who says "fuck school!!111" and does not give a damn about readability in public forums.

12 (edited by foxx 2008-10-25 20:28:18)

Re: [MOD] real RCON - with gnuTLS security

Thank you, now the crash is gone with socat (with gnutls-cli there was no crash without this change too). But my certificate is still not accepted and I don't know what I'm doing wrong. I also tried using the example from http://www.gnu.org/software/gnutls/manu … dserv.html or the given certificates of the test server as well. Is there any special option which I have to set for any certificate/key?
I made a CA with almost everything allowed:

Version: 3
Serial Number (hex): 00
[...]
Signature Algorithm: RSA-SHA
[...]
Subject Public Key Info:
    Public Key Algorithm: RSA (1024 bits)
[...]
    Key usage: (critical)
        Digital signature.
        Key encipherment.
    Key purpose OIDs: 
        TLS WWW Client.
        TLS WWW Server.
[...]

Every time the same problem.

socat:

2008/10/25 21:58:35 socat[22791] E SSL_connect(): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2008/10/25 21:58:35 socat[22791] E no peer certificate

gnutls-cli:

Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving '********'...
Connecting to '***.***.***.***:5556'...
*** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed
GNUTLS ERROR: Key usage violation in certificate has been detected.

It would make things easier if you could add some example commands for how to create and sign some valid keys and certificates for your listener. I don't think that these commands would make it easier for "noobs", because copy & paste of "certtool" or "openssl" commands does not work on a Windows PC without manually installing anything ;)

http://blog.jbbr.net/ - My (german) Blog
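
The kind of commands asked for in the post above, as an added example that is not from afflux, the patch or any poster in this thread: a private CA plus a server and a client certificate built with the openssl command line, each checked against the CA for its intended purpose before the sv_rr_ssl* variables or socat are pointed at it. File names, subject names, the 2048-bit key size, the extension sets and the use of one CA for both sides are assumptions of this example.

```shell
# Added example: private CA, server and client certificates for the rrcon listener.
# File and subject names are constructed; the extension choices are this example's assumptions.
set -eu

write_conf() {  # $1 = working directory
    export OPENSSL_CONF="$1/openssl.cnf"   # do not depend on a system-wide openssl.cnf
    cat > "$OPENSSL_CONF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_ca() {  # self-signed CA: used as sv_rr_sslca and as the socat cafile
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -extensions ca_ext \
        -subj "/CN=rrcon example CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_leaf() {  # $1 = directory, $2 = server|client, $3 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$OPENSSL_CONF" -extensions "${2}_ext" \
        -out "$1/$2.crt" 2>/dev/null
}

build_pki() {  # $1 = directory; succeeds only if both leaf certificates verify
    write_conf "$1" && make_ca "$1" &&
    make_leaf "$1" server teeworlds.example && make_leaf "$1" client admin &&
    openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null &&
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null
}

# Server: sv_rr_sslkey=server.key sv_rr_sslcert=server.crt sv_rr_sslca=ca.crt
# Client: socat - SSL:$IP:$PORT,cert=client.crt,key=client.key,cafile=ca.crt
if [ $# -gt 0 ]; then build_pki "$1"; fi
```

Run it with an empty directory as the only argument; the private keys are written unencrypted, so restrict that directory's permissions before copying anything to the server.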

13

Re: [MOD] real RCON - with gnuTLS security

Give me the socat command you used as well as your teeworlds config and I might be able to help.
(Alternatively, make it possible to contact you via jabber, as you wrote per mail. I tried to add you but did not receive a reply yet.)

Sorry for my bad English, I'm a dumbass from Germany who says "fuck school!!111" and does not give a damn about readability in public forums.

14

Re: [MOD] real RCON - with gnuTLS security

afflux wrote:
khubajsn wrote:

Can you create a version for Windows?

No, I can't.

WTF is wrong with you ppl... everyone seems like windows haters :@

15 (edited by Landil 2010-05-24 22:30:28)

Re: [MOD] real RCON - with gnuTLS security

Hip-Hop_BLOND wrote:

WTF is wrong with you ppl... everyone seems like windows haters :@

Please explain to me the additional benefit of your post. This thread was dead for more than one and a half years. Don't arouse dead threads.

Antoine de Saint Exupéry: It seems that perfection is reached not when there is nothing left to add, but when there is nothing left to take away.
Besides -  I am the gfx guy!