[sldev] RFC: design proposal for VWR-1071

Cypren Christenson cypren at gmail.com
Wed Jul 15 01:16:49 PDT 2009


I forgot to address Mike's comment below in my earlier responses, and  
it's a very important point. On my first brush through last night I  
misread the LLPanelLogin code and assumed that passwords were simply  
crypted using a basic MD5 hash for storage -- not even slightly  
secure, but I guess I've gotten a little jaded when looking at new  
code. Mea culpa.

I've since done a more thorough inspection and found the rather  
important LLStartup::savePasswordToDisk and its companion load  
function and have a better understanding of how passwords are managed.  
Since this seems to store passwords as a binary hash that may include  
unprintable characters, this will require some significant adjustment  
(which is what I assume Mike was hinting at, and I obtusely missed) to  
accommodate the storage of multiple passwords in a single location.  
Alternatively, the current binary hash mechanism could be preserved  
and the result simply base64 encoded for insertion into the settings  
file as a string -- this would have a minimal performance overhead and  
would eliminate the need to alter the existing password.dat binary  
format.

I also took a look at the LLSD class per Celierra's suggestion and it  
should be sufficient for storing the necessary values into the  
settings file -- no tokenization functions required.

One question: can anyone familiar with LLPanelLogin give me a brief  
summary of the USE_VIEWER_AUTH define and why that code remains in the  
viewer? It seems to be a nearly entirely separate set of UI and  
authentication functions but is permanently disabled due to the  
#define at the head of the file, and appears to have been since the  
beginning of the open source trunk. I'm wondering if that code path  
will ever be re-enabled and if I need to develop and test a solution  
which works properly when routed through it, or if it's merely legacy  
code that hasn't been pruned out.

On Jul 14, 2009, at 2:40 PM, Mike Monkowski wrote:

> I think the settings are FirstName and LastName.  I don't see the  
> password in the settings file.
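
Added example, not part of the original message or the viewer source: a sketch of the base64 alternative discussed above, storing several binary password hashes (NUL and other unprintable bytes included) as strings in one text settings map. The `Settings` map, the `SavedPassword.<account>` key name and the sample bytes are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
using Settings = std::map<std::string, std::string>;  // stand-in for the text settings file
static const std::string kB64 =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Encode arbitrary bytes as printable text; embedded NULs survive, unlike a C string.
std::string b64_encode(const Bytes& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); i += 3) {
        size_t n = in.size() - i < 3 ? in.size() - i : 3;
        uint32_t v = 0;
        for (size_t j = 0; j < 3; ++j) v = (v << 8) | (j < n ? in[i + j] : 0);
        for (size_t j = 0; j < 4; ++j)
            out += j <= n ? kB64[(v >> (18 - 6 * j)) & 0x3F] : '=';
    }
    return out;
}

// Strict decode: a hand-edited or corrupted settings value is rejected, not guessed at.
Bytes b64_decode(const std::string& s) {
    if (s.size() % 4 != 0) throw std::invalid_argument("bad base64 length");
    Bytes out;
    for (size_t i = 0; i < s.size(); i += 4) {
        uint32_t v = 0;
        size_t pad = 0;
        for (size_t j = 0; j < 4; ++j) {
            size_t idx = kB64.find(s[i + j]);
            if (s[i + j] == '=' && i + 4 == s.size() && j >= 2) { ++pad; idx = 0; }
            else if (idx == std::string::npos || pad) throw std::invalid_argument("bad base64 char");
            v = (v << 6) | static_cast<uint32_t>(idx);
        }
        for (size_t j = 0; j + pad < 3; ++j)
            out.push_back(static_cast<uint8_t>((v >> (16 - 8 * j)) & 0xFF));
    }
    return out;
}

// One entry per account; "SavedPassword." is a hypothetical key prefix.
void save_hash(Settings& s, const std::string& account, const Bytes& hash) { s["SavedPassword." + account] = b64_encode(hash); }
Bytes load_hash(const Settings& s, const std::string& account) { return b64_decode(s.at("SavedPassword." + account)); }

int main() {
    Settings s;
    save_hash(s, "Alice Example", {0x00, 0x9f, 0x0a, 0xff});  // constructed bytes, not a real hash
    std::cout << s.at("SavedPassword.Alice Example") << "\n";
}
```

Base64 only makes the stored bytes printable; the stored value is exactly as protected as the binary hash it encodes.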

