[Opensim-dev] User Authentication

Justin Clark-Casey jjustincc at googlemail.com
Wed Feb 25 17:18:01 UTC 2009


Diva Canto wrote:
> Mike Mazur wrote:
>> Hi,
>>
>> On Tue, 24 Feb 2009 19:54:16 -0800
>> Diva Canto <diva at metaverseink.com> wrote:
>>
>>   
>>> * Within a few days: write a simple [optional]
>>> UserAuthenticationModule along the lines of option a) that does the
>>> following: upon a NewUserConnection, regions will check with the
>>> incoming user's User server that the declared user exists and is
>>> logged into the system.
>>>     
>>
>> In a grid a region can be told (via a configuration option) which user
>> server to check. What about HG regions? How does an HG region know
>> which user server to ping? Is this information supplied by the
>> connecting client? If so, what's to prevent a malicious client from
>> supplying a user server that will always reply favorably?
>>   
> The HG region sends that information along when the user moves away from 
> the home UGAIM. The user carries along the collection of URLs of all of 
> the servers it uses. It's ok if the given User Server @ foobar.com 
> always says yes -- that's not the problem. The problem we need to detect 
> is the user claiming to be from Intel.com or OSGrid.org, when, in fact, 
> they aren't.
> 
>>> Furthermore, upon AddNewClient (which happens
>>> shortly after), regions will challenge the incoming client with 3 UDP
>>> Ping messages having random seq numbers, to which the incoming client
>>> must respond correctly
>>>     
>>
>> How does the client know the correct response?
>>   
> In fiddling with the client after talking to Teravus, I discovered a 
> pair of response-reply packets that can be initiated from the server. 
> They are StartPingCheck / CompletePingCheck. They take a byte as 
> argument. The server sends StartPingCheck(33), the client responds with 
> CompletePingCheck(33). Handy.

Just so I'm clear, your new scheme proposes the following steps?

1)  When a client enters a new region (whether by initial login, teleport or region crossing), the region server will ask the user server if the IP given by the client matches that which it has previously stored on the user login?

2)  If these addresses match, then a further validation against spoofing is performed by pinging the client using the StartPingCheck.  A client spoofing the address will not be able to reply.

-- 
justincc
Justin Clark-Casey
http://justincc.wordpress.com
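
The StartPingCheck / CompletePingCheck challenge discussed in this thread, sketched as an added example; it is not code from the post or from OpenSim. `PingChallenge`, `run` and the two responder functions are hypothetical names, and the sketch assumes one reply is accepted per challenge and that a wrong byte fails the attempt.

```python
import secrets

ROUNDS = 3  # the proposal in the thread uses three pings

class PingChallenge:
    """Region-side state for one incoming client (hypothetical helper)."""
    def __init__(self, rounds=ROUNDS, rng=secrets.randbelow):
        # One unpredictable byte per round, as StartPingCheck takes a byte.
        self.pending = [rng(256) for _ in range(rounds)]
        self.failed = False

    def next_ping(self):
        """Byte to send in StartPingCheck, or None when the exchange is over."""
        if self.failed or not self.pending:
            return None
        return self.pending[0]

    def on_complete(self, ping_id):
        """Handle a CompletePingCheck; a wrong byte ends the attempt (assumption)."""
        if self.failed or not self.pending:
            return
        if ping_id == self.pending[0]:
            self.pending.pop(0)
        else:
            self.failed = True

    @property
    def verified(self):
        return not self.failed and not self.pending

def run(challenge, responder):
    """Drive the exchange; responder(ping_id) returns the reply byte."""
    while (ping := challenge.next_ping()) is not None:
        challenge.on_complete(responder(ping))
    return challenge.verified

def honest_client(ping_id):
    # Receives StartPingCheck at its real address and echoes the byte.
    return ping_id

def blind_sender(_ping_id):
    # Models a sender that never receives the challenge: it ignores the
    # value and always answers with a fixed byte.
    return 0

def blind_pass_probability(rounds=ROUNDS):
    """Chance that independent one-byte guesses match every round."""
    return (1 / 256) ** rounds
```

With one accepted reply per round, three one-byte challenges leave a sender that cannot see them a 2^-24 chance of passing.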


