[Opensim-dev] [Opensim-users] Grid <-> Authentication Service

Dalien Talbot dalienta at gmail.com
Fri Feb 15 17:21:05 UTC 2008


IMHO tackling the password authentication might be quite simple:

1) have a separate web service into which you login, and which returns you a
4-digit number, valid for, say, 15 minutes.
2) have a web service to answer the requests from the sims who will supply
the hash from the client
3) have the simulator forward the hash from the client to this service upon
the user login - and get the pass/fail result from this server.

On a first look, this will be reasonably secure, easy to use, simple to
code, and harder to crack than the web-single-sign-on proposal that I heard
in the discussions some time ago.

The last name could be the domain name, and the exact method of the
authentication/URL/whatnot could be stored in a TXT record for that domain.

Users with the higher level of paranoia might have an option on the backend
of selecting a longer one-time-password for the simulator login.

What do you think of such an approach?

/d

On Fri, Feb 15, 2008 at 5:15 PM, Diva Canto <diva at metaverseink.com> wrote:

> dr scofield wrote:
> > that makes it rather easy for any of your UCI users to log in as any
> > other UCI user. if that's what you want, fine. were i a UCI user, i'd
> > not like that...
> >
> > if you were planning on using the password field as well, that is
> > going to require some additional code at the UCI authentication
> > service side as the password is not being sent in the clear but as a
> > salted MD5 hash, so you'd have to generate those for all your UCI users.
> >
> >    cheers,
> >    dirk
> >
> >
> We will use passwords, of course, that's how authentications get done
> these days. We'll have to figure out how to handle the MD5 hash if the
> campus authentication service doesn't do it. Of course, better would be
> if the credentials were entered at the site of the authentication
> service, which is how this usually works on the web: you want to login
> to your grades -> you're first redirected to the authentication service
> -> you come back to the grades system.
>
> In any case, what I really want is to let everyone in, UCI and non-UCI,
> and properly ACL things -- just like what happens on the web. OpenSim
> still doesn't have permissions, so that probably won't be done now. But
> when it has permissions, that's what we will want. This whole idea of
> having un-interoperable domains of users, each grid with its own domain,
> is not going to scale to the kinds of things universities want to do
> with virtual worlds; it's a major step *back* from what we got
> accustomed to with the Web. We want interoperable ID domains, interoperable
> inventory (storage) domains, gridless and intergrid sim-to-sim TPs,
> external exposure of data for search engines, and all kinds of good old
> web openness, properly ACLed -- that's very clear.
>
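A sketch of the verification service from steps 1-3 of the message above, added here as an example; it is not code from the thread or from OpenSim. The names `OtpService` and `client_hash`, the unsalted MD5 stand-in for the viewer's hash, and the failure limit are assumptions; single use and the failure limit are included because a 4-digit code has only 10,000 possible values.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 15 * 60     # "valid for, say, 15 minutes" (from the message)
MAX_FAILURES = 5      # assumption: guesses allowed before the code is voided


def client_hash(secret: str) -> str:
    # Assumption: stand-in for whatever hash the viewer computes over the
    # password field; the real format and salt are not given on the page.
    return hashlib.md5(secret.encode()).hexdigest()


class OtpService:
    def __init__(self, digits=4, clock=time.time):
        self.digits = digits      # longer codes for the "paranoid" option
        self.clock = clock
        self._issued = {}         # user -> [otp, expires_at, failures]

    def issue(self, user):
        """Step 1: called once the user has logged in to the web service."""
        otp = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._issued[user] = [otp, self.clock() + OTP_TTL, 0]
        return otp

    def verify(self, user, hash_from_sim):
        """Steps 2-3: the simulator forwards the client's hash; pass/fail."""
        entry = self._issued.get(user)
        if entry is None:
            return False
        otp, expires_at, failures = entry
        if self.clock() >= expires_at or failures >= MAX_FAILURES:
            del self._issued[user]          # expired or guessed too often
            return False
        expected = client_hash(otp).encode()
        if hmac.compare_digest(expected, hash_from_sim.encode()):
            del self._issued[user]          # one-time: consume on success
            return True
        entry[2] += 1                       # count the failed guess
        return False
```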