I already said this, but let me make it more clear: I don't think this
Authentication scheme is "the right one." I expect we'll throw it away
once we start having more control over the client side. This is a hack
to start covering up the security hole we have right now in OSGrid, the
Hypergrid, and other OpenSim-based open grids out there. Obviously, this
will be an optional module; walled-gardens don't need this [so much].
Hurliman, John wrote:
-----Original Message-----
From: [email protected] [mailto:opensim-dev-
[email protected]] On Behalf Of Justin Clark-Casey
Sent: Wednesday, February 25, 2009 9:18 AM
To: [email protected]
Subject: Re: [Opensim-dev] User Authentication
Diva Canto wrote:
Mike Mazur wrote:
Hi,
On Tue, 24 Feb 2009 19:54:16 -0800
Diva Canto <[email protected]> wrote:
* Within a few days: write a simple [optional]
UserAuthenticationModule along the lines of option a) that does the
following: upon a NewUserConnection, regions will check with the
incoming user's User server that the declared user exists and is
logged into the system.
In a grid a region can be told (via a configuration option) which
user
server to check. What about HG regions? How does an HG region know
which user server to ping? Is this information supplied by the
connecting client? If so, what's to prevent a malicious client from
supplying a user server that will always reply favorably?
The HG region sends that information along when the user moves away
from
the home UGAIM. The user carries along the collection of URLs of all
of
the servers it uses. It's ok if the given User Server @ foobar.com
always says yes -- that's not the problem. The problem we need to
detect
is the user claiming to be from Intel.com or OSGrid.org, when, in
fact,
isn't.
Furthermore, upon AddNewClient (which happens
shortly after), regions will challenge the incoming client with 3
UDP
Ping messages having random seq numbers, to which the incoming
client
must respond correctly
How does the client know the correct response?
In fiddling with the client after talking to Teravus, I discovered a
pair of response-reply packets that can be initiated from the server.
They are StartPingCheck / CompletePingCheck. They take a byte as
argument. The server sends StartPingCheck(33), the client responds
with
CompletePingCheck(33). Handy.
Just so I'm clear, your new scheme proposes the following steps?
1) When a client enters a new region (whether by initial login,
teleport or region crossing), the region server will
ask the user server if the IP given by the client matches that which it
has previously stored on the user login?
2) If these addresses match, then a further validation against spoofing
is performed by pinging the client using the
StartPingCheck. A client spoofing the address will not be able to
reply.
--
justincc
Justin Clark-Casey
http://justincc.wordpress.com
As long as we accept the tradeoff that some HyperGrid teleport situations will
no longer work. At work here we have an internal grid, where I can access it
using my IP address of 10.xxx.xxx.xxx. I also have a connection to the outside
world, where my IP address is currently 134.xxx.xxx.xxx. At my previous job, we
had a load balancing router that was hooked up to a T1 and two DSL lines. It
was smart enough that it would maintain each of your IP (and usually) UDP
sessions on a single line, but if you went to talk to a new server it would
most likely put that connection on a new line. If IPv6 ever rolls out, this
would prevent and HyperGridding between IPv4 and IPv6 worlds.
I'm not saying +1 or -1 here, just that all of the implications of mixing IP
layer internals into application layer decisions need to be taken into account.
John
_______________________________________________
Opensim-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-dev
_______________________________________________
Opensim-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-dev
