Thomas wrote:
> Ian Hess wrote:
>> I find myself wondering if it's possible to collect MAC addresses
>> of connecting network cards as well. The mac could still be
>> altered by an end user, but if this blocking method wasn't
>> published, it could be harder for an end user to work around.
> You cannot, as you do not have access to it.
> On the IP / Internet layer, a MAC address is like the port number
> of the phone in the phone system: something the higher layers do
> neither care about, nor know. So, the problem is actually getting
> this.
> The only endpoint that has access to the MAC must basically be in
> the same ethernet segment. Anything more remote / connected on a
> higher level has no knowledge of this item.
Correct. I'll even expand on this again, since it keeps coming up
over and over and over...
While, in *theory*, every ethernet device has a unique MAC address,
in practice there are often many duplicates. Almost all pocket
ethernet devices, be they USB, PCMCIA, or integrated wireless
devices, have an option somewhere in their configuration to set the
MAC address in non-volatile RAM. Most routers also offer the option
to expose themselves as a user-settable MAC address so that you can
masquerade as the PC your cable company has on record as the "single
computer" that's using your cable modem.
That, of course, means anyone who wants to defeat MAC challenges can
just change theirs to a random one to avoid detection, or sniff the
local network for existing ones and hijack their identity (with
respect to DHCP and friends anyways).
As Thomas pointed out though, this is all moot from your point of
view, since unless they're sitting next to your server, you won't be
able to get their MAC address anyways.
If you MUST have a unique one-to-one mapping of player to
character/account, the only way you can do that is to use a custom
client that is cryptographically secure, and force the user to
generate and maintain some kind of public key pair. Like SSH, if
your server has a public key, and they upload their public key, you
can both verify each other and only allow the connection if both
sides are who they claim to be.
That's the choice. Use SSH (or something like it) and require your
users to submit their public keys (and allow your server to accept
connections ONLY from those keys), or keep everything open and
telnet-friendly and accept the fact that you cannot know who is who.
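The key-based scheme described above, as an added example that is not part of the original post: a server keeps a registry of player public keys (a hypothetical in-memory stand-in for an authorized_keys file), issues a fresh nonce per connection, and accepts only a valid signature from a registered key; the client in turn checks the server's signature against a pinned key. Ed25519 from Go's standard library is used here in place of SSH.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry maps accepted public keys (raw bytes as a string) to account
// names; a hypothetical in-memory stand-in for an authorized_keys file.
type Registry map[string]string
func (r Registry) Register(name string, pk ed25519.PublicKey) { r[string(pk)] = name }
// Challenge returns a fresh random nonce. A new nonce per connection means
// a captured signature cannot be replayed later.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}
// Authenticate is the server side: the presented key must already be
// registered, and the signature over the server's nonce must verify.
// Unknown keys are refused before any signature check.
func (r Registry) Authenticate(pk ed25519.PublicKey, nonce, sig []byte) (string, error) {
	name, ok := r[string(pk)]
	if !ok || len(pk) != ed25519.PublicKeySize {
		return "", errors.New("unknown public key")
	}
	if !ed25519.Verify(pk, nonce, sig) {
		return "", errors.New("signature does not verify")
	}
	return name, nil
}
// VerifyServer is the client side: the server signs the client's nonce with
// the key the client has pinned, so a rogue server cannot pose as the real one.
func VerifyServer(pinned ed25519.PublicKey, nonce, sig []byte) bool {
	return len(pinned) == ed25519.PublicKeySize && ed25519.Verify(pinned, nonce, sig)
}

func main() {
	reg := Registry{}
	serverPub, serverPriv, _ := ed25519.GenerateKey(nil) // server's own key pair
	playerPub, playerPriv, _ := ed25519.GenerateKey(nil) // a player's uploaded key
	reg.Register("alice", playerPub)
	nonce, _ := Challenge()
	name, err := reg.Authenticate(playerPub, nonce, ed25519.Sign(playerPriv, nonce))
	fmt.Println("server accepts:", name, err)
	fmt.Println("client accepts server:", VerifyServer(serverPub, nonce, ed25519.Sign(serverPriv, nonce)))
}
```

Both checks refuse a key that was never uploaded and a signature made with some other key, which is exactly the "ONLY from those keys" rule; a MAC-based check cannot give you that.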