Singularity viewer

Singularity viewer

Sebastián Castillo Carrión
Does anyone know if it is possible to make Singularity send the user password (in the login process) without any type of encryption to the opensim server?

The reason is that I am implementing ldap authentication opensim_server<->ldap_server, and https connection opensim_server<->client, and I need to send plain password to opensim so ldap authentication functions of the ldap library can be used (they use plain password as one of the arguments).

Thank you.

_______________________________________________
Opensim-dev mailing list
[hidden email]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
Re: Singularity viewer

Cinder Roxley
No, you cannot, and that is a very insecure design. The password is hashed
using MD5 and sent. You should configure your LDAP server to use SASL at
the very least.


On September 12, 2018 at 11:35:24 AM, Sebastián Castillo Carrión (
[hidden email]) wrote:

Does anyone know if it is possible to make Singularity send the user
password (in the login process) without any type of encryption to the
opensim server?

The reason is that I am implementing ldap authentication
opensim_server<->ldap_server, and https connection opensim_server<->client,
and I need to send plain password to opensim so ldap authentication
functions of the ldap library can be used (they use plain password as one
of the arguments).

Thank you.

Re: Singularity viewer

Sebastián Castillo Carrión
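Imagine the following Python example:

import ldap

# ldap.open() is deprecated; ldap.initialize() takes an LDAP URI
l = ldap.initialize("ldap://127.0.0.1")
username = "cn=Manager, o=anydomain.com"
password = "secret"
# simple bind sends the DN and the cleartext password to the directory
l.simple_bind(username, password)

If the server receives the password hashed, then it can't bind to the LDAP server, because the bind function needs the password argument not to be hashed.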



On Wed, 12 Sep 2018 10:44:49 -0700
Cinder Roxley <[hidden email]> wrote:

> No, you cannot, and that is a very insecure design. The password is hashed
> using MD5 and sent. You should configure your LDAP server to use SASL at
> the very least.
>
>
> On September 12, 2018 at 11:35:24 AM, Sebastián Castillo Carrión (
> [hidden email]) wrote:
>
> Does anyone know if it is possible to make Singularity send the user
> password (in the login process) without any type of encryption to the
> opensim server?
>
> The reason is that I am implementing ldap authentication
> opensim_server<->ldap_server, and https connection opensim_server<->client,
> and I need to send plain password to opensim so ldap authentication
> functions of the ldap library can be used (they use plain password as one
> of the arguments).
>
> Thank you.
>
Re: Singularity viewer

Cinder Roxley
Not possible. As I already stated, the viewer sends an MD5 sum of the
password, not cleartext. Instead of attempting to make logins less secure,
you should set up LDAP securely and use a secure authentication mechanism:
https://www.python-ldap.org/en/latest/reference/ldap-sasl.html


On September 12, 2018 at 1:25:52 PM, Sebastián Castillo Carrión (
[hidden email]) wrote:

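Imagine the following Python example:

import ldap

# ldap.open() is deprecated; ldap.initialize() takes an LDAP URI
l = ldap.initialize("ldap://127.0.0.1")
username = "cn=Manager, o=anydomain.com"
password = "secret"
# simple bind sends the DN and the cleartext password to the directory
l.simple_bind(username, password)

If the server receives the password hashed, then it can't bind to the LDAP
server, because the bind function needs the password argument not to be
hashed.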



On Wed, 12 Sep 2018 10:44:49 -0700
Cinder Roxley <[hidden email]> wrote:

> No, you cannot, and that is a very insecure design. The password is hashed
> using MD5 and sent. You should configure your LDAP server to use SASL at
> the very least.
>
>
> On September 12, 2018 at 11:35:24 AM, Sebastián Castillo Carrión (
> [hidden email]) wrote:
>
> Does anyone know if it is possible to make Singularity send the user
> password (in the login process) without any type of encryption to the
> opensim server?
>
> The reason is that I am implementing ldap authentication
> opensim_server<->ldap_server, and https connection
> opensim_server<->client,
> and I need to send plain password to opensim so ldap authentication
> functions of the ldap library can be used (they use plain password as one
> of the arguments).
>
> Thank you.
>
Re: Singularity viewer

Sebastián Castillo Carrión
Thank you for your answer.

The LDAP security is out of my reach, so I can't change it; it is supported by other people who won't change it.

Anyway, thanks for helping.


On Wed, 12 Sep 2018 13:38:10 -0700
Cinder Roxley <[hidden email]> wrote:

> Not possible. As I already stated, the viewer sends an MD5 sum of the
> password, not cleartext. Instead of attempting to make logins less secure,
> you should set up LDAP securely and use a secure authentication mechanism:
> https://www.python-ldap.org/en/latest/reference/ldap-sasl.html
>
>
> On September 12, 2018 at 1:25:52 PM, Sebastián Castillo Carrión (
> [hidden email]) wrote:
>
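> Imagine the following Python example:
>
> import ldap
>
> # ldap.open() is deprecated; ldap.initialize() takes an LDAP URI
> l = ldap.initialize("ldap://127.0.0.1")
> username = "cn=Manager, o=anydomain.com"
> password = "secret"
> # simple bind sends the DN and the cleartext password to the directory
> l.simple_bind(username, password)
>
> If the server receives the password hashed, then it can't bind to the LDAP
> server, because the bind function needs the password argument not to be
> hashed.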
>
>
>
> On Wed, 12 Sep 2018 10:44:49 -0700
> Cinder Roxley <[hidden email]> wrote:
>
> > No, you cannot, and that is a very insecure design. The password is hashed
> > using MD5 and sent. You should configure your LDAP server to use SASL at
> > the very least.
> >
> >
> > On September 12, 2018 at 11:35:24 AM, Sebastián Castillo Carrión (
> > [hidden email]) wrote:
> >
> > Does anyone know if it is possible to make Singularity send the user
> > password (in the login process) without any type of encryption to the
> > opensim server?
> >
> > The reason is that I am implementing ldap authentication
> > opensim_server<->ldap_server, and https connection
> > opensim_server<->client,
> > and I need to send plain password to opensim so ldap authentication
> > functions of the ldap library can be used (they use plain password as one
> > of the arguments).
> >
> > Thank you.
> >