Web Terminal Emulator

Posted: Wed Apr 26, 2023 3:49 am
by pete
I've got a web-based terminal emulator working over a secure WebSocket connection (https://www.neatobbs.com). I'm using a WS to Telnet proxy and Xterm as the terminal emulator. This method eliminates the telnet over a public internet connection to the BBS, and all traffic is over the secure WebSocket connection to the client. (I have telnet blocked at the firewall except between the proxy and the BBS.)

My next project is to implement an SSO authentication system that will proxy a front-end account, on a modern authentication platform, to their BBS username/alias and randomized password. I'll update my current JavaScript to script the BBS login for the user to make it seamless for them. Ideally, they won't even be aware this is happening.

Question though, is it possible to prevent all possible ways that a user could change their password on the BBS? I think I've managed to do it, but it's been 16 years since I ran my board. It's funny how fast it is coming back, though. I guess when you do something every day for 17 years, you never really forget it.

The other question is, am I wasting my time here, has someone else already solved this problem? I want to make the board as secure as possible given the current limitations. Appreciate any help or suggestions!

Thanks,
Pete

Re: Web Terminal Emulator

Posted: Wed Apr 26, 2023 9:19 am
by BlaZ
If you restrict access to Account Display/Edit, and also restrict access to a password changing command if you're running a Globals package of any type, you should have covered all the ways a user can change their own password.

Re: Web Terminal Emulator

Posted: Wed Apr 26, 2023 6:59 pm
by daniel_spain
pete wrote:
> I've got a web-based terminal emulator working over a secure WebSocket
> connection (https://www.neatobbs.com). I'm using a WS to Telnet proxy and
> Xterm as the terminal emulator. This method eliminates the telnet over a
> public internet connection to the BBS, and all traffic is over the secure
> WebSocket connection to the client. (I have telnet blocked at the firewall
> except between the proxy and the BBS.)
>
> My next project is to implement an SSO authentication system that will
> proxy a front-end account, on a modern authentication platform, to their
> BBS username/alias and randomized password. I'll update my current
> JavaScript to script the BBS login for the user to make it seamless for
> them. Ideally, they won't even be aware this is happening.
>
> Question though, is it possible to prevent all possible ways that a user
> could change their password on the BBS? I think I've managed to do it, but
> it's been 16 years since I ran my board. It's funny how fast it is coming
> back, though. I guess when you do something every day for 17 years, you
> never really forget it.
>
> The other question is, am I wasting my time here, has someone else already
> solved this problem? I want to make the board as secure as possible given
> the current limitations. Appreciate any help or suggestions!
>
> Thanks,
> Pete

I implemented years ago a secondary password where it texted/emailed you a 6-digit code, you entered it, then the BBS logged you on, but removed it. On a side note, when they enter a password, how would they "recover" it to change it? Email automated process?

Re: Web Terminal Emulator

Posted: Wed Apr 26, 2023 8:22 pm
by pete
I plan to use something like Google authentication: https://developers.google.com/identity/gsi/web/guides/overview

The password management system between the web front-end and the BBS would be entirely invisible to the end user. Think of it like the web front-end is interacting with the BBS through a telnet-based API, and the BBS password is a token that gets changed periodically. That would allow me to incorporate web-based Apps and MajorBBS apps for now, until the web system for v10 gets released with an SDK and integrated API.

Pete
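
The mapping described in the post above (front-end account to BBS alias, with the BBS password treated as a token that is changed periodically), sketched as an added example that is not part of the original thread or of any MajorBBS software. It assumes the SSO subject has already been verified by the identity platform and that the broker runs server-side next to the proxy; `CredentialBroker`, `setBbsPassword`, the character set and the password length are hypothetical names and limits.

```javascript
const crypto = require('node:crypto');

// Assumed BBS password limits (hypothetical; match your board's real rules).
const CHARSET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
const PW_LEN = 9;

// Uniform random password; crypto.randomInt avoids modulo bias.
function randomBbsPassword(len = PW_LEN) {
  let out = '';
  for (let i = 0; i < len; i++) out += CHARSET[crypto.randomInt(CHARSET.length)];
  return out;
}

class CredentialBroker {
  // setBbsPassword(alias, oldPw, newPw) is a hypothetical hook that performs the
  // change on the BBS side and throws on failure. now() is injectable for tests.
  constructor({ rotateMs, setBbsPassword, now = Date.now }) {
    this.rotateMs = rotateMs;
    this.setBbsPassword = setBbsPassword;
    this.now = now;
    this.accounts = new Map(); // SSO subject -> { alias, password, rotatedAt }
  }

  // Bind a verified SSO subject to an existing BBS alias and its current password.
  link(ssoSubject, alias, currentPassword) {
    this.accounts.set(ssoSubject, { alias, password: currentPassword, rotatedAt: 0 });
  }

  // Return the credentials to script the login with, rotating first if due.
  credentialsFor(ssoSubject) {
    const rec = this.accounts.get(ssoSubject);
    if (!rec) throw new Error('no BBS account linked to this SSO subject');
    if (this.now() - rec.rotatedAt >= this.rotateMs) {
      const next = randomBbsPassword();
      try {
        this.setBbsPassword(rec.alias, rec.password, next);
        rec.password = next; // commit only after the BBS accepted the change
        rec.rotatedAt = this.now();
      } catch (err) {
        // BBS rejected the change or was unreachable: keep the old, still-valid
        // password so the mapping never drifts out of sync with the board.
      }
    }
    return { alias: rec.alias, password: rec.password };
  }
}
```

Because a linked account starts with `rotatedAt: 0`, the first brokered login replaces whatever password the user originally knew.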

Re: Web Terminal Emulator

Posted: Sat Apr 29, 2023 2:39 am
by pete
The bots are getting weird.

Pete