[Opensim-dev] User Authentication

Diva Canto diva at metaverseink.com
Mon Feb 23 19:47:19 UTC 2009


Hi,

I'm about to start tightening the ropes for the Hypergrid in order to 
make it safer, and also make safer some loose ends of OpenSim without 
HG, and I would appreciate feedback on this.

The first issue that needs to be addressed is the issue of user 
authentication. The regions need to be able to verify that the agent 
that claims to be representing Charles.Krinke at osgrid.org is, indeed, 
representing Charles.Krinke at osgrid.org. (As you know, right now this 
is... err... a bit overlooked... *coughs*... and not just in the HG... 
*more coughs*).

Having looked at OpenID, I came to the conclusion that it's not enough 
to know that osgrid.org has a user named "Charles Krinke", and we 
certainly don't want Charles to be constantly typing his password 
every time he moves; the region needs to know that this user is already 
logged in to the system AND the region also needs to know that the agent 
that is representing this user is a legitimate agent.

OK, so the part about being logged in is easy; the user server already 
knows that, to some approximation.

However, the part about the agent being legitimate is a bit more tricky. 
Here's the bad thing that can happen: Charles logs in to OSgrid, and TPs 
to this intriguing region called "Sports Illuminated Swimming Suite 
Edition". That region happens to be up to no good. It grabs Charles' 
current notion of identity (all the current identifiers we use), it 
crashes Charles' viewer so that the user server never knows about it, 
and proceeds to impersonate Charles using all those stolen identifiers; 
for example, it can go back to Charles's regions and erase them 
completely pretending to be Charles.

So, what can we do to detect the legitimacy of agents?

Having scratched my head over this, I came to the conclusion that the 
most promising element that can be used to identify agents is the 
Viewer's EndPoint. This is what happens down in the LLUDPServer (I'm 
sure something similar happens in other viewers' packet handlers):

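            if (packet != null)
            {
                // UseCircuitCode opens a new client circuit; epSender is the
                // endpoint the packet arrived from on the socket.
                if (packet.Type == PacketType.UseCircuitCode)
                    AddNewClient((UseCircuitCodePacket)packet, epSender, epProxy);
                else
                    ProcessInPacket(packet, epSender);
            }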

The EndPoint epSender comes directly from the socket and I'm assuming it 
can't be faked, at least the IP part. Is this correct? This is a 
critical assumption.

So, back to the "Sports Illuminated" scenario: that sim would then try 
to launch an agent at Charles' region. It can fake everything except 
being Charles' viewer machine. When Charles' region does that code 
above, it asks the User server for authentication of an agent with all 
those identifiers and the given EndPoint, and the User server tells back 
that Charles wasn't using that EndPoint to start with, so the 
authentication fails, and an alarm is rung.

Thoughts?

Crista

Disclaimer: I'm not an expert in security, I'm just using my brain in 
context.
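
The check proposed in this message, sketched as an added example (not code from the original post or from OpenSim): the user server records the viewer's IP address at login, and a region passes it the epSender it saw on UseCircuitCode. The class and method names, the session identifier and the sample addresses are assumptions, and the sketch relies on the post's own assumption that the source IP cannot be faked.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical user-server session table: binds the identifiers issued at
// login to the viewer IP address seen at login.
class UserServerSessions
{
    private readonly Dictionary<Guid, (Guid Session, IPAddress ViewerIP)> sessions =
        new Dictionary<Guid, (Guid, IPAddress)>();

    public void RecordLogin(Guid agentId, Guid sessionId, IPAddress viewerIP)
    {
        sessions[agentId] = (sessionId, viewerIP);
    }

    // Called by a region when a UseCircuitCode packet arrives from epSender.
    public bool VerifyAgent(Guid agentId, Guid sessionId, IPEndPoint epSender)
    {
        if (!sessions.TryGetValue(agentId, out var s))
            return false;                 // user is not logged in
        if (s.Session != sessionId)
            return false;                 // identifiers do not match the login
        // Only the address is compared: the post relies on the IP part alone.
        return s.ViewerIP.Equals(epSender.Address);
    }
}

static class Demo
{
    static void Main()
    {
        var users = new UserServerSessions();
        Guid agent = Guid.NewGuid(), session = Guid.NewGuid();  // constructed sample values
        users.RecordLogin(agent, session, IPAddress.Parse("198.51.100.7"));

        // Legitimate viewer: same identifiers, same address, any UDP port.
        var viewer = new IPEndPoint(IPAddress.Parse("198.51.100.7"), 13001);
        // Another host presenting the same identifiers from its own address.
        var other = new IPEndPoint(IPAddress.Parse("203.0.113.50"), 9000);

        Console.WriteLine("viewer accepted: " + users.VerifyAgent(agent, session, viewer));
        if (!users.VerifyAgent(agent, session, other))
            Console.WriteLine("ALARM: agent " + agent + " presented from " + other.Address);
    }
}
```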




