AuthIntegration

From OpenSimulator

Jump to: navigation, search

Contents

Introduction

There are various ways to integrate OpenSimulator with other authentication systems. The first is to create a system that will inject a "web login key" that a suitable client can use for one-time authentication. The second is to call the AllowSetPassword method on the OpenSimulator ROBUST authentication service to directly pass in a plain text string that OpenSimulator will suitable hash and store. The third is to create an OpenSimulator password hash and salt externally and set these either directly in the database or via the ROBUST authentication service.

Web login key

Unfortunately, this section is incomplete. If you can read code, then you'll want to look at the OpenSim.Services.AuthenticationService package in OpenSimulator. This will show you how the web login key is read from the database and used against client input. If you want to use this service then please also ask on opensim-dev, which will provide impetus to flesh out this section further

Set Password Directly

There is an option to allow an external SetPassword request to the OpenSimulator authentication service. This can only be enabled if you're absolutely sure of the security implications (i.e. nobody untrustworthy will be able to call it). Unfortunately, it is only available if on the ROBUST authentication service if you're running a grid. It is not currently available on standalone.

To enable the SetPassword method, set AllowSetPassword = true in the [AuthenticationService] section of Robust.ini.

Then, as long as you know the UUID of the user (which is not so helpful if you want to create a user from scratch), you can use python code like the following to set a password.

#!/usr/bin/python

import httplib
import urllib

params = urllib.urlencode({'METHOD':'setpassword', 'PRINCIPAL' : 'dd5b77f8-bf88-45ac-aace-35bd76426c81', 'PASSWORD':'letmein'})
conn = httplib.HTTPConnection("localhost", 8003);
conn.request("POST", "/auth/plain", params)
response = conn.getresponse()
print response.read();

Creating an OpenSimulator compatible password externally

OpenSimulator passwords are salted and hashed. For historical reasons, more work is done than is really necessary. You can see the OpenSimulator code for this in the AuthenticationServiceBase.SetPassword() method in the OpenSim.Services.AuthenticationService package. The important snippet is reproduced below.

public virtual bool SetPassword(UUID principalID, string password)
{
    string passwordSalt = Util.Md5Hash(UUID.Random().ToString());
    string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + passwordSalt); 
           
    ...
}

The first line creates a salt by hashing a random UUID. Please note that this produces a salt which is a UUID but one that doesn't contain dashes (-).

The second line hashes the plain text password (e.g. "123456"), appends a colon, and then appends the salt. It then hashes the whole thing again (somebody sure likes their hash) to produce a final password hash.

The salt and hash are then stored in the passwordSalt and passwordHash fields of the auth table in OpenSimulator.

Setting

There are two ways in which one can set an OpenSimulator password from an external system, rather than going through the SetPassword() method.

Direct database write

You can set the salt and hash directly by writing to the passwordSalt and passwordHash fields of the auth table in OpenSimulator.

ROBUST authentication service call

Alternatively, if ROBUST is running and one has direct access to the instance running the Authentication service then you can call the SetAuthInfo method to store these fields. Unfortunately, this mechanism is not currently available for standalone instances.

To enable the SetAuthInfo method, set AllowSetAuthInfo = true in the [AuthenticationService] section of Robust.ini.

Then, again as long as you know the UUID of the user (which is not so helpful if you want to create a user from scratch), you can use python code like the following to set hash and salt directly.

#!/usr/bin/python

import httplib
import urllib

params = urllib.urlencode({'METHOD':'setauthinfo', 'PRINCIPAL' : 'dd5b77f8-bf88-45ac-aace-35bd76426c81', 'PasswordHash':'57956c4bff2e4fc19995613c6256cc98',  'PasswordSalt':'ed9e530476b9c984cc869d2c64d348b2'})
conn = httplib.HTTPConnection("localhost", 8003);
conn.request("POST", "/auth/plain", params)
response = conn.getresponse()
print response.read();
Personal tools
About This Wiki