AuthIntegration - Revision history

Manni at 12:26, 4 December 2023

2023-12-04T12:26:51Z

MakoBot: Robot: Replacing 'OpenSim' to 'OpenSimulator', which is the precise name

2012-03-04T06:14:02Z

Robot: Replacing 'OpenSim' to 'OpenSimulator', which is the precise name

MakoBot: Robot: Cosmetic changes

2012-03-04T01:59:45Z

Robot: Cosmetic changes

Justincc: Created page with "==Introduction== There are various ways to integrate OpenSimulator with other authentication systems. The first is to create a system that will inject a "web login key" that a ..."

2011-12-19T23:46:24Z

Created page with "==Introduction== There are various ways to integrate OpenSimulator with other authentication systems. The first is to create a system that will inject a "web login key" that a ..."

New page

==Introduction==

There are various ways to integrate OpenSimulator with other authentication systems. The first is to create a system that will inject a "web login key" that a suitable client can use for one-time authentication. The second is to call the AllowSetPassword method on the OpenSimulator ROBUST authentication service to directly pass in a plain text string that OpenSim will suitable hash and store. The third is to create an OpenSimulator password hash and salt externally and set these either directly in the database or via the ROBUST authentication service.

== Web login key ==

Unfortunately, this section is incomplete. If you can read code, then you'll want to look at the OpenSim.Services.AuthenticationService package in OpenSimulator. This will show you how the web login key is read from the database and used against client input. If you want to use this service then please also ask on opensim-dev, which will provide impetus to flesh out this section further

== Set Password Directly ==

There is an option to allow an external SetPassword request to the OpenSimulator authentication service. This can only be enabled if you're absolutely sure of the security implications (i.e. nobody untrustworthy will be able to call it). Unfortunately, it is only available if on the ROBUST authentication service if you're running a grid. It is not currently available on standalone.

To enable the SetPassword method, set AllowSetPassword = true in the [AuthenticationService] section of Robust.ini.

Then, as long as you know the UUID of the user (which is not so helpful if you want to create a user from scratch), you can use python code like the following to set a password.

#!/usr/bin/python

import httplib
import urllib

params = urllib.urlencode({'METHOD':'setpassword', 'PRINCIPAL' : 'dd5b77f8-bf88-45ac-aace-35bd76426c81', 'PASSWORD':'letmein'})
conn = httplib.HTTPConnection("localhost", 8003);
conn.request("POST", "/auth/plain", params)
response = conn.getresponse()
print response.read();

== Creating an OpenSimulator compatible password externally ==

OpenSimulator passwords are salted and hashed. For historical reasons, more work is done than is really necessary. You can see the OpenSimulator code for this in the AuthenticationServiceBase.SetPassword() method in the OpenSim.Services.AuthenticationService package. The important snippet is reproduced below.

public virtual bool SetPassword(UUID principalID, string password)
{
string passwordSalt = Util.Md5Hash(UUID.Random().ToString());
string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + passwordSalt);

...
}

The first line creates a salt by hashing a random UUID. Please note that this produces a salt which is a UUID but one that doesn't contain dashes (-).

The second line hashes the plain text password (e.g. "123456"), appends a colon, and then appends the salt. It then hashes the whole thing again (somebody sure likes their hash) to produce a final password hash.

The salt and hash are then stored in the passwordSalt and passwordHash fields of the auth table in OpenSimulator.

=== Setting ===

There are two ways in which one can set an OpenSimulator password from an external system, rather than going through the SetPassword() method.

==== Direct database write ====

You can set the salt and hash directly by writing to the passwordSalt and passwordHash fields of the auth table in OpenSimulator.

==== ROBUST authentication service call ====

Alternatively, if ROBUST is running and one has direct access to the instance running the Authentication service then you can call the SetAuthInfo method to store these fields. Unfortunately, this mechanism is not currently available for standalone instances.

To enable the SetAuthInfo method, set AllowSetAuthInfo = true in the [AuthenticationService] section of Robust.ini.

Then, again as long as you know the UUID of the user (which is not so helpful if you want to create a user from scratch), you can use python code like the following to set hash and salt directly.

#!/usr/bin/python

import httplib
import urllib

params = urllib.urlencode({'METHOD':'setauthinfo', 'PRINCIPAL' : 'dd5b77f8-bf88-45ac-aace-35bd76426c81', 'PasswordHash':'57956c4bff2e4fc19995613c6256cc98', 'PasswordSalt':'ed9e530476b9c984cc869d2c64d348b2'})
conn = httplib.HTTPConnection("localhost", 8003);
conn.request("POST", "/auth/plain", params)
response = conn.getresponse()
print response.read();

← Older revision		Revision as of 12:26, 4 December 2023
Line 1:		Line 1:
		+	{{Quicklinks\|AuthIntegration}}
		+
	==Introduction==		==Introduction==

@@ Line 1: / Line 1: @@
 ==Introduction==
-There are various ways to integrate OpenSimulator with other authentication systems. The first is to create a system that will inject a "web login key" that a suitable client can use for one-time authentication. The second is to call the AllowSetPassword method on the OpenSimulator ROBUST authentication service to directly pass in a plain text string that OpenSim will suitable hash and store. The third is to create an OpenSimulator password hash and salt externally and set these either directly in the database or via the ROBUST authentication service.
+There are various ways to integrate OpenSimulator with other authentication systems. The first is to create a system that will inject a "web login key" that a suitable client can use for one-time authentication. The second is to call the AllowSetPassword method on the OpenSimulator ROBUST authentication service to directly pass in a plain text string that OpenSimulator will suitable hash and store. The third is to create an OpenSimulator password hash and salt externally and set these either directly in the database or via the ROBUST authentication service.
 == Web login key ==

@@ Line 1: / Line 1: @@
 ==Introduction==
-There are various ways to integrate OpenSimulator with other authentication systems.  The first is to create a system that will inject a "web login key" that a suitable client can use for one-time authentication.  The second is to call the AllowSetPassword method on the OpenSimulator ROBUST authentication service to directly pass in a plain text string that OpenSim will suitable hash and store.  The third is to create an OpenSimulator password hash and salt externally and set these either directly in the database or via the ROBUST authentication service.
+There are various ways to integrate OpenSimulator with other authentication systems. The first is to create a system that will inject a "web login key" that a suitable client can use for one-time authentication. The second is to call the AllowSetPassword method on the OpenSimulator ROBUST authentication service to directly pass in a plain text string that OpenSim will suitable hash and store. The third is to create an OpenSimulator password hash and salt externally and set these either directly in the database or via the ROBUST authentication service.
 == Web login key ==
-Unfortunately, this section is incomplete.  If you can read code, then you'll want to look at the OpenSim.Services.AuthenticationService package in OpenSimulator.  This will show you how the web login key is read from the database and used against client input.  If you want to use this service then please also ask on opensim-dev, which will provide impetus to flesh out this section further
+Unfortunately, this section is incomplete. If you can read code, then you'll want to look at the OpenSim.Services.AuthenticationService package in OpenSimulator. This will show you how the web login key is read from the database and used against client input. If you want to use this service then please also ask on opensim-dev, which will provide impetus to flesh out this section further
 == Set Password Directly ==
-There is an option to allow an external SetPassword request to the OpenSimulator authentication service.  This can only be enabled if you're absolutely sure of the security implications (i.e. nobody untrustworthy will be able to call it).  Unfortunately, it is only available if on the ROBUST authentication service if you're running a grid.  It is not currently available on standalone.
+There is an option to allow an external SetPassword request to the OpenSimulator authentication service. This can only be enabled if you're absolutely sure of the security implications (i.e. nobody untrustworthy will be able to call it). Unfortunately, it is only available if on the ROBUST authentication service if you're running a grid. It is not currently available on standalone.
 To enable the SetPassword method, set AllowSetPassword = true in the [AuthenticationService] section of Robust.ini.
@@ Line 28: / Line 28: @@
 == Creating an OpenSimulator compatible password externally ==
-OpenSimulator passwords are salted and hashed.  For historical reasons, more work is done than is really necessary.  You can see the OpenSimulator code for this in the AuthenticationServiceBase.SetPassword() method in the OpenSim.Services.AuthenticationService package.  The important snippet is reproduced below.
+OpenSimulator passwords are salted and hashed. For historical reasons, more work is done than is really necessary. You can see the OpenSimulator code for this in the AuthenticationServiceBase.SetPassword() method in the OpenSim.Services.AuthenticationService package. The important snippet is reproduced below.
   public virtual bool SetPassword(UUID principalID, string password)
@@ Line 38: / Line 38: @@
+  }
-The first line creates a salt by hashing a random UUID.  Please note that this produces a salt which is a UUID but one that doesn't contain dashes (-).
+The first line creates a salt by hashing a random UUID. Please note that this produces a salt which is a UUID but one that doesn't contain dashes (-).
-The second line hashes the plain text password (e.g. "123456"), appends a colon, and then appends the salt.  It then hashes the whole thing again (somebody sure likes their hash) to produce a final password hash.
+The second line hashes the plain text password (e.g. "123456"), appends a colon, and then appends the salt. It then hashes the whole thing again (somebody sure likes their hash) to produce a final password hash.
 The salt and hash are then stored in the passwordSalt and passwordHash fields of the auth table in OpenSimulator.
@@ Line 54: / Line 54: @@
 ==== ROBUST authentication service call ====
-Alternatively, if ROBUST is running and one has direct access to the instance running the Authentication service then you can call the SetAuthInfo method to store these fields.  Unfortunately, this mechanism is not currently available for standalone instances.
+Alternatively, if ROBUST is running and one has direct access to the instance running the Authentication service then you can call the SetAuthInfo method to store these fields. Unfortunately, this mechanism is not currently available for standalone instances.
 To enable the SetAuthInfo method, set AllowSetAuthInfo = true in the [AuthenticationService] section of Robust.ini.