I think the 3 ping check is technically invalid. Anyone capable of capturing a 
packet and sniffing a session/securesession ID out of it, is quite capable of 
injecting our check packets in too.

Adam

From: opensim-dev-boun...@lists.berlios.de 
[mailto:opensim-dev-boun...@lists.berlios.de] On Behalf Of Diva Canto
Sent: Tuesday, 24 February 2009 9:03 PM
To: opensim-dev@lists.berlios.de
Subject: Re: [Opensim-dev] User Authentication

Mike Mazur wrote:

Hi,

On Tue, 24 Feb 2009 19:54:16 -0800
Diva Canto <d...@metaverseink.com> wrote:

* Within a few days: write a simple [optional] UserAuthenticationModule
along the lines of option a) that does the following: upon a
NewUserConnection, regions will check with the incoming user's User server
that the declared user exists and is logged into the system.

In a grid a region can be told (via a configuration option) which user
server to check. What about HG regions? How does an HG region know which
user server to ping? Is this information supplied by the connecting client?
If so, what's to prevent a malicious client from supplying a user server
that will always reply favorably?

The HG region sends that information along when the user moves away from the 
home UGAIM. The user carries along the collection of URLs of all of the servers 
it uses. It's ok if the given User Server @ foobar.com always says yes -- 
that's not the problem. The problem we need to detect is the user claiming to 
be from Intel.com or OSGrid.org, when, in fact, it isn't.

Furthermore, upon AddNewClient (which happens shortly after), regions will
challenge the incoming client with 3 UDP Ping messages having random seq
numbers, to which the incoming client must respond correctly

How does the client know the correct response?

In fiddling with the client after talking to Teravus, I discovered a pair of 
response-reply packets that can be initiated from the server. They are 
StartPingCheck / CompletePingCheck. They take a byte as argument. The server 
sends StartPingCheck(33), the client responds with CompletePingCheck(33). Handy.

_______________________________________________
Opensim-dev mailing list
Opensim-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
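An added example, not code from this thread or from OpenSim, that simulates the exchange Diva describes (three StartPingCheck challenges with random one-byte IDs, each answered by a CompletePingCheck echoing the byte) and runs it against the two attackers Adam's objection distinguishes: one who sits on the path and can both read and inject packets, and one who cannot see the wire at all. The Packet layout, the class names, the assumption that every packet carries the session ID, and the 16-byte session ID value are simplifications constructed for the example; OpenSim's real wire format is not reproduced.

```python
"""Simulation of the three-round StartPingCheck / CompletePingCheck challenge
from the thread.  Added example, not OpenSim code: packet layout, class names
and the session-ID field are simplifying assumptions."""
import random
from dataclasses import dataclass

ROUNDS = 3  # "3 UDP Ping messages having random seq numbers"

# Constructed session ID for the simulation; not a real OpenSim value.
SESSION_ID = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Packet:
    kind: str          # "StartPingCheck" or "CompletePingCheck"
    ping_id: int       # the one-byte argument, 0..255
    session_id: bytes  # assumption: every packet carries the session ID


class Region:
    """Server side: one random byte per round; a reply is accepted only if it
    echoes an outstanding byte under the session ID the region expects."""

    def __init__(self, session_id: bytes, rng: random.Random):
        self.session_id = session_id
        self.rng = rng
        self.outstanding = []  # ping IDs sent but not yet answered

    def start_ping_check(self) -> Packet:
        ping_id = self.rng.randrange(256)
        self.outstanding.append(ping_id)
        return Packet("StartPingCheck", ping_id, self.session_id)

    def complete_ping_check(self, reply: Packet) -> bool:
        if reply.kind != "CompletePingCheck":
            return False
        if reply.session_id != self.session_id:
            return False  # unknown session: rejected before the byte matters
        if reply.ping_id not in self.outstanding:
            return False
        self.outstanding.remove(reply.ping_id)
        return True


class Client:
    """The genuine viewer: holds the session ID and echoes the byte."""

    def __init__(self, session_id: bytes):
        self.session_id = session_id

    def respond(self, challenge: Packet) -> Packet:
        return Packet("CompletePingCheck", challenge.ping_id, self.session_id)


class OnPathSniffer:
    """Adam's attacker: reads every packet (so it already has the session ID)
    and can inject its own, so it answers straight from what it sniffed."""

    def respond(self, challenge: Packet) -> Packet:
        sniffed_session = challenge.session_id  # learned from the wire
        return Packet("CompletePingCheck", challenge.ping_id, sniffed_session)


class OffPathGuesser:
    """An attacker who cannot see the wire: must guess both the session ID
    and the ping byte.  The challenge argument is deliberately ignored."""

    def __init__(self, rng: random.Random):
        self.rng = rng

    def respond(self, _challenge: Packet) -> Packet:
        guessed_session = bytes(self.rng.randrange(256) for _ in range(16))
        return Packet("CompletePingCheck", self.rng.randrange(256), guessed_session)


def run_ping_check(region: Region, responder) -> bool:
    """Drive ROUNDS challenge/response exchanges; every reply must verify."""
    for _ in range(ROUNDS):
        challenge = region.start_ping_check()
        reply = responder.respond(challenge)
        if not region.complete_ping_check(reply):
            return False
    return True


def outcomes() -> dict:
    """Run the check against each responder; returns name -> passed."""
    responders = [
        ("legitimate client", Client(SESSION_ID)),
        ("on-path sniffer", OnPathSniffer()),
        ("off-path guesser", OffPathGuesser(random.Random(7))),
    ]
    results = {}
    for name, responder in responders:
        region = Region(SESSION_ID, random.Random(42))  # fresh region per run
        results[name] = run_ping_check(region, responder)
    return results


if __name__ == "__main__":
    for name, passed in outcomes().items():
        print(f"{name:18s} {'PASS' if passed else 'FAIL'}")
```

Running it reports PASS for both the legitimate client and the on-path sniffer and FAIL only for the off-path guesser, and the guesser is rejected on the session ID before its ping byte is even compared. The three ping rounds therefore admit exactly the same set of responders that the session ID check already admits, which is the situation Adam's reply describes.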
