[Opensim-dev] Security: multiple or the most generic?

Diva Canto diva at metaverseink.com
Tue Apr 14 03:29:16 UTC 2009


Thanks everyone.
Here's what I have right now, and will commit tomorrow if there are no 
objections.

Regions do session authentication upon NewUserConnections -- this gets 
at that "small" vulnerability related to user spoofing coming from 
launching certain messages at regions. Session authentication is a very 
weak form of user authentication in open grids, but at least it blocks 
the easiest form of the spoofing vulnerability. And it's good for grids 
where all sims are trusted.

For server-side teleports -- which are all we have right now -- session 
authentication is the best that can be done. I could make the regions do 
user key authentication too, but it's really useless, because the 
regions will need to carry along the user's master key so that they 
request new keys as they pass the agent along to other regions -- 
completely defeats the purpose.

In other words, safe user authentication in open grids requires 
client-side teleports -- period.

I have the beginnings of the infrastructure for those already in 
OpenSim, but this, of course, requires Grider or equivalent. The 
infrastructure is exercised in RESTComms, which now can understand an 
"Authentication" header carrying keys that look like this: 
http://mygrid.org:8002/<uuid token>. This Authentication scheme only 
kicks in when sims are configured in safemode, an obscure config that no 
one should use for now (only people wanting to try out Grider).

The thing that is still a bit unclear in my mind is how to configure 
this in a future that mixes server-side teleports with client-side 
teleports, but I hope I'll know better when I get closer to that future.


Stefan Andersson wrote:
> If we're going to do it 'right' from the start, then obviously, (c) as 
> the general case and (b) as the special case should be the way to go.
>  
> (Easy for me to say)
>  
> And on a tangent, I'm closing in on having the AssetServer demanding a 
> connection to a user server to resolve user urls. Thoughts?
>  
> (It baffles me we don't seem to have that already - I'm not working on 
> the AssetInventory server as I feel its ultimate destiny is still 
> somewhat hazy?)
>  
> Best regards,
> Stefan Andersson
> Tribal Media AB
> 
>  > Date: Mon, 13 Apr 2009 11:25:06 -0700
>  > From: diva at metaverseink.com
>  > To: melanie at t-data.com
>  > CC: opensim-dev at lists.berlios.de
>  > Subject: Re: [Opensim-dev] Security: multiple or the most generic?
>  >
>  > Melanie wrote:
>  > > Well, if a key is an arbitrary string, then it may also be a constant
>  > > UUID value, e.g. the standard session id we have now, so (c) really
>  > > includes (b).
>  > They are very different. A key is specific for one client-server pair.
>  > So for each region the client visits there is a unique key that the
>  > other regions might not know about. When TPs are performed on the
>  > server-side, this is equivalent to (b) because the regions are acting on
>  > behalf of the agent. But for client-side Teleports, this makes all the
>  > difference -- the regions don't know about the other regions' keys.
>  >
>  > > [...]
>  > > So, for now, (c) is the way to go, just don't forget the (b) use case.
>  > > Interregion trust should remain possible.
>  > Right. Even though my main focus is the Hypergrid, I'm a little
>  > reluctant to let go of (b), and even of (a). The problem I'm
>  > debating is how to architect OpenSim so that these different schemes can
>  > co-exist without the code and configuration being a mess.
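As an added illustration (not code from this thread or from OpenSim), the Python sketch below parses an Authentication header of the shape Diva describes and checks it against the keys one region issued for an agent, which shows the point made in the quoted exchange: a key is specific to one client-server pair, so a key issued by region A is simply unknown at region B. The header shape comes from the message; the store layout, agent id and region values are assumptions.

```python
import secrets
import uuid
from urllib.parse import urlsplit

def parse_auth_header(value):
    """Split 'http://mygrid.org:8002/<uuid token>' into (server_url, token);
    return None for anything that does not have exactly that shape."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    token_text = parts.path.strip("/")
    if not token_text or "/" in token_text or parts.query or parts.fragment:
        return None
    try:
        token = uuid.UUID(token_text)      # rejects anything that is not a UUID
    except ValueError:
        return None
    return f"{parts.scheme}://{parts.netloc}", str(token)


class RegionKeyStore:
    """Keys one region issued, one per (agent, this region) pair: scheme (c).
    A key issued by another region is simply unknown here (assumed layout)."""

    def __init__(self):
        self._keys = {}                    # agent_id -> token issued here

    def issue(self, agent_id):
        token = str(uuid.uuid4())
        self._keys[agent_id] = token
        return token

    def accepts(self, agent_id, header_value):
        parsed = parse_auth_header(header_value)
        expected = self._keys.get(agent_id)
        if parsed is None or expected is None:
            return False
        _server_url, token = parsed
        # Constant-time comparison so a wrong token cannot be timed.
        return secrets.compare_digest(expected, token)


def demo():
    """Constructed scenario: a key region A issued is not valid at region B."""
    region_a, region_b = RegionKeyStore(), RegionKeyStore()
    agent = "agent-0001"                   # constructed agent id
    header = f"http://mygrid.org:8002/{region_a.issue(agent)}"
    return region_a.accepts(agent, header), region_b.accepts(agent, header)
```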
