[Opensim-dev] User Authentication
Diva Canto
diva at metaverseink.com
Mon Feb 23 19:47:19 UTC 2009
Hi,
I'm about to start tightening the ropes for the Hypergrid in order to
make it safer, and also make safer some loose ends of OpenSim without
HG, and I would appreciate feedback on this.
The first issue that needs to be addressed is the issue of user
authentication. The regions need to be able to verify that the agent
that claims to be representing Charles.Krinke at osgrid.org is, indeed,
representing Charles.Krinke at osgrid.org. (As you know, right now this
is... err... a bit overlooked... *coughs*... and not just in the HG...
*more coughs*).
Having looked at OpenID, I came to the conclusion that it's not enough
to know that osgrid.org has a user named "Charles Krinke", and we
certainly don't want Charles to be constantly typing his password
every time he moves; the region needs to know that this user is already
logged in to the system AND the region also needs to know that the agent
that is representing this user is a legitimate agent.
OK, so the part about being logged in is easy; the user server already
knows that, to some approximation.
However, the part about the agent being legitimate is a bit more tricky.
Here's the bad thing that can happen: Charles logs in to OSgrid, and TPs
to this intriguing region called "Sports Illuminated Swimming Suite
Edition". That region happens to be up to no good. It grabs Charles'
current notion of identity (all the current identifiers we use), it
crashes Charles' viewer so that the user server never knows about it,
and proceeds to impersonate Charles using all those stolen identifiers;
for example, it can go back to Charles's regions and erase them
completely pretending to be Charles.
So, what can we do to detect the legitimacy of agents?
Having scratched my head over this, I came to the conclusion that the
most promising element that can be used to identify agents is the
Viewer's EndPoint. This is what happens down in the LLUDPServer (I'm
sure something similar happens in other viewers' packet handlers):

    if (packet != null)
    {
        if (packet.Type == PacketType.UseCircuitCode)
            AddNewClient((UseCircuitCodePacket)packet, epSender, epProxy);
        else
            ProcessInPacket(packet, epSender);
    }

The EndPoint epSender comes directly from the socket and I'm assuming it
can't be faked, at least the IP part. Is this correct? This is a
critical assumption.
So, back to the "Sports Illuminated" scenario: that sim would then try
to launch an agent at Charles' region. It can fake everything except
being Charles' viewer machine. When Charles' region does that code
above, it asks the User server for authentication of an agent with all
those identifiers and the given EndPoint, and the User server tells back
that Charles wasn't using that EndPoint to start with, so the
authentication fails, and an alarm is rung.
Thoughts?
Crista
Disclaimer: I'm not an expert in security, I'm just using my brain in
context.
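
A minimal sketch of the check described in this post, added here as an illustration; it is not OpenSim code or the author's implementation. The names (SessionRegistry, Login, Verify, AgentCheck) and the sample addresses are hypothetical; it assumes the user server records the viewer's IP address at login and takes the post's assumption that the IP part of epSender is genuine as given.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public enum AgentCheck { Ok, NotLoggedIn, IdentityMismatch, EndPointMismatch }

// Hypothetical user-server session table (illustration only, not OpenSim code).
public sealed class SessionRegistry
{
    private readonly Dictionary<Guid, KeyValuePair<Guid, IPAddress>> sessions =
        new Dictionary<Guid, KeyValuePair<Guid, IPAddress>>();
    private readonly object sync = new object();

    // Login: record the address the viewer logged in from against a new session id.
    public Guid Login(Guid agentId, IPAddress viewerAddress)
    {
        Guid sessionId = Guid.NewGuid();
        lock (sync) { sessions[sessionId] = new KeyValuePair<Guid, IPAddress>(agentId, viewerAddress); }
        return sessionId;
    }

    // Region-side query: the identifiers the agent presented plus the socket's epSender.
    public AgentCheck Verify(Guid sessionId, Guid agentId, IPEndPoint epSender)
    {
        lock (sync)
        {
            KeyValuePair<Guid, IPAddress> s;
            if (!sessions.TryGetValue(sessionId, out s)) return AgentCheck.NotLoggedIn;
            if (s.Key != agentId) return AgentCheck.IdentityMismatch;
            // Only the IP is compared ("at least the IP part"); the port is ignored.
            return s.Value.Equals(epSender.Address) ? AgentCheck.Ok : AgentCheck.EndPointMismatch;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var registry = new SessionRegistry();
        Guid charles = Guid.NewGuid();
        // Constructed sample addresses from the documentation ranges.
        Guid session = registry.Login(charles, IPAddress.Parse("192.0.2.10"));
        var viewer = new IPEndPoint(IPAddress.Parse("192.0.2.10"), 13001);
        var rogueSim = new IPEndPoint(IPAddress.Parse("198.51.100.7"), 9000);
        Console.WriteLine(registry.Verify(session, charles, viewer));   // genuine viewer
        Console.WriteLine(registry.Verify(session, charles, rogueSim)); // stolen identifiers replayed
    }
}
```

An EndPointMismatch result is the case where the alarm would be raised. Viewers behind the same NAT share one public address, so this check distinguishes hosts, not individual users.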