Re: ORB authentication




> I was wondering if ORBit does something like sending cookies around (like
> MIT-MAGIC-COOKIEs on X11 server) or similar tricks to avoid people that
> are sitting anywhere on the internet to use your filemanager?

ORBit provides a general mechanism to do authentication.

But it does not provide any default implementation.

The GNOME libgnorba library provides MIT-MAGIC-COOKIE-like
authentication, so the filemanager by using the gnorba library
automatically gets this.

> Currently, I was thinking on how aRts (or KDE things with CORBA interface)
> could work network transparent, but still secure. The only thing that came
> to my mind to ensure security would be to patch mico to require such a
> cookie thing (or a better kind of authentication). But if something like
> that is used, it would be good if KDE and Gnome use the same dirty hack
> (since doing things like that breaks IIOP compliance, I guess), so that
> they at least remain interoperable.

It is not a hack.  I have seen misinformed people say that ORBit's
mechanism is proprietary, but it is not so.  It is using a regular
CORBA mechanism for doing so.

Of course, if you want to communicate with our applications you will
have to authenticate; we cannot afford security holes.

Elliot is working on a new system that would drop the
cookies-in-corba-profiles setup entirely and base it exclusively on an
internal orbit-hack.

So the hack will be self contained, and it will work with any other
application without using cookies in profiles.

> The only thing I have found in the ORBit code is that you use (or support?)
> TCP wrapper style security. 

That is a second layer of protection, but not the main one.  

Best wishes,
miguel.


