[ADMN/SEC/FIX] MixedModeAuth 2.4 - Secure mixed offline/online mode servers [1337]/[1597]

Discussion in 'Inactive/Unsupported Plugins' started by Thulinma, Sep 10, 2011.

Thread Status:
Not open for further replies.
  1. This project is a fork from AuthPlayer by Arcalyth. He created a plugin that allows you to spoof names server-side for use in a LAN - I upgraded the code with full support for secure online/offline mixed mode servers through a simple PHP script or a modded CraftBukkit build.

    • Supports a mix between premium and non-premium users, or only premium users with support for logins when the main minecraft.net login is down.
    • No logging in needed if minecraft.net servers are up!
    • Secure! Protection against name spoofing!
    • Supports regular whitelisting, permissions and all other access control methods without needing to change the setup.
    • Prevents players kicking each other off (auto-renames "player" to a temporary name on connect)
    • Prevents players that are not logged in from doing anything besides walking around. No doors, no switches, no damage, no items. Really, nothing except walking around.


    Source, bug reports, feature requests, etc here! I also read this topic, of course...

    Downloads Removed - SwearWord

    Changelog:
    Version 2.4:
    - New default config file - will be written if no config file is found (tip: delete your config and reload plugin to reset to defaults / see explanation text).
    - Localization support (all messages to players are now in the config file and can be edited).
    - Kick timer (kicks people out if they do not login within set-able timeout).
    - Possibly fixed Spout support (untested, please test and report back if you are using Spout!).
    - Added option to not block interactions when not logged in.
    - Added option to kick users that are trying to connect using a name that is already in use (reverses normal behaviour of kicking the logged-in user).
    - General performance improvements and small bugfixes.

    Version 2.3:
    - Passwords are now saved encrypted.
    - Server mod updated to report version number correctly (fixes issues with some plugins / server managers)
    - Added support for not-renaming guests

    Version 2.2:
    - Updated to new Configuration API
    - Added check for server mod, will automatically switch to legacy mode if mod is not detected.

    Version 2.1.1:
    - Fixed the error about wrongly installed script being displayed even when legacy mode is not enabled. No other changes - you can safely keep using 2.1.0 instead of this version.

    Version 2.1.0:
    - Switched to BukkitPermissions - should now work with all modern permissions plugins.
    - Re-added support for hosts file editing, no longer requires modded CraftBukkit build.
    - Modded CraftBukkit build still preferred method, though!
    - Now displays more info in the server console.
    - Hopefully fixed permissions problems (player kept permissions of original username, even if auth was done afterwards).

    Version 2.0.1:
    - Major rewrite.
    - No longer requires hosts file editing or PHP script.
    - Now requires modded CraftBukkit build (included in download, source for mod available on my github!)
    - Don't want to or cannot run a modded CraftBukkit build? Use version 1.0.2 - it still works as before, but requires the PHP script and hosts file to be set up (see more information page below).
    - Fixed display issues for 1.8.
    - Fixed names not showing up correctly sometimes.
    - Added config file with insecure mode option (not recommended to use insecure mode for right now - quite experimental still).

    Version 1.0.2:
    - First public release

    How does it work?
    You run the server in online mode. The requests from the server that go to minecraft.net to verify the account are monitored through a small CraftBukkit mod or routed through a PHP script by use of a hosts file edit. Source for the server mod is available in my github, you can compile it yourself if you don't trust my build.
    If the account is minecraft.net verified, the user is automatically identified as themselves (and will be asked to set a password if they do not have one already). If it is not, the user is renamed to "player_[NUMBER]" to prevent people from kicking each other off, and then asked for their name and password to play, after which they will be renamed to their real username.

    For more detailed information, permissions, etc look here!

    Todo list: (mirror of this page)
      • Kick players if no login within X seconds
      • Custom messages
      • .....?
     
    re4397 and CoolOppo like this.
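
The connect/login flow described under "How does it work?" in the post above, sketched as an added example that is not part of the original post and is not the plugin's code. The class and method names, the `passwordCheck` callback standing in for the credential store, and the sample account are assumptions; the `<>` stripping reflects the request made later in the thread.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.BiPredicate;

// Added illustration; all names here are hypothetical, not MixedModeAuth's own.
public class MixedModeGate {
    public static final class Session {
        String name;               // name the server currently uses for this player
        boolean loggedIn;          // false = may only walk around
        final long connectedAtMs;
        Session(String name, boolean loggedIn, long now) {
            this.name = name; this.loggedIn = loggedIn; this.connectedAtMs = now;
        }
    }

    private final AtomicInteger guestCounter = new AtomicInteger();
    private final BiPredicate<String, char[]> passwordCheck; // assumed credential lookup
    private final long kickTimeoutMs;

    public MixedModeGate(BiPredicate<String, char[]> passwordCheck, long kickTimeoutMs) {
        this.passwordCheck = passwordCheck;
        this.kickTimeoutMs = kickTimeoutMs;
    }

    // The claimed name is trusted only when the account check succeeded.
    public Session onConnect(String claimedName, boolean accountVerified, long now) {
        if (accountVerified) return new Session(claimedName, true, now);
        return new Session("player_" + guestCounter.incrementAndGet(), false, now);
    }

    // A guest receives the requested name only after the password matches.
    public boolean login(Session s, String typedName, char[] password) {
        String name = typedName.trim().replaceAll("^<(.*)>$", "$1"); // drop literal <>
        if (s.loggedIn || name.isEmpty() || !passwordCheck.test(name, password)) return false;
        s.name = name;
        s.loggedIn = true;
        return true;
    }

    public boolean mayInteract(Session s) { return s.loggedIn; }

    public boolean shouldKick(Session s, long now) {
        return !s.loggedIn && now - s.connectedAtMs >= kickTimeoutMs;
    }

    public static void main(String[] args) {
        MixedModeGate gate = new MixedModeGate(   // constructed sample account
            (n, p) -> n.equals("alice") && new String(p).equals("constructed-pw"), 60_000);
        Session guest = gate.onConnect("alice", false, 0); // unverified claim of "alice"
        System.out.println(guest.name + " interact=" + gate.mayInteract(guest));
        boolean ok = gate.login(guest, "<alice>", "constructed-pw".toCharArray());
        System.out.println(ok + " " + guest.name + " kick=" + gate.shouldKick(guest, 90_000));
    }
}
```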
  2. Yes, you are supposed to run it in online mode. The server will allow all players in using this plugin (and require offline players to login, while not needing anything from online players), but not all clients (specifically: the default client) will even attempt to connect to a server that reports being in online mode if the client is not also in online mode.

    The "fix" is to have the players that will use offline mode connect using a modified client. I provide a client mod for 1.8-based clients in my github (I have a 1.9pre5 version too, but I doubt anyone will want it) which removes the online/offline check from the client. This means it will always try to connect to a server, even if the client thinks it will not be allowed in.
    Alternatively, tell your players to use *any* "hacked" client (really, all of them should work) or namechanger tool, and this should get them into the server as well.

    I realize it is a little confusing at first, but unfortunately this is the only way this can ever work because of limitations in the (default) client. If you are interested in what exactly these limitations are: I've explained them at least once or twice earlier in this topic if you read back :)
     
    Ziden likes this.
  3. Offline

    Ziden

    Aww, so I would need a client-mod so offline members would join?
    My server uses spoutcraft, my intention was to let offline members use spoutcraft :(

    If the server runs in offline mode, you could also 'fake' a handshake to generate the server id to validate a user?
    Would be cooler to have the server in offline mode while original users would be detected, isn't that possible?

    Else, could you provide the code change on the client in order for the plugin to work properly? So I could think about modding SpoutCraft

    Thanx for your attention !
     
  4. Offline

    astinax

    If you plan on modding spoutcraft could you post a download link of your modded spoutcraft, I'm having the same problem :D
     
  5. Offline

    Ziden

    If he tells me what I need to do, I'll try xD
     
  6. The patch is, and always has been, available as a download on my github here. That's the 1.8 version, by the way, but the code hasn't changed much in 1.9 and I assume it's mostly the same for 1.0.0 as well. If you have trouble let me know, I can help, or even do the modding for you. It's only like 5 lines or so, not that much work at all. Heck, maybe they will accept it into spoutcraft as a permanent change - there is no way to abuse this on servers without my plugin, anyway... I haven't talked to the spoutcraft people at all.

    As for your idea to do the fake handshake, yes, this is possible. However: attempting a handshake is the only way to see if a client is in online or offline mode. The vanilla client code instantly disconnects when it receives a handshake request in offline mode. So, unfortunately it is impossible to detect the difference between online/offline mode clients without modding the client.

    It *is* possible to have a command, for example "/premium" that will send the handshake after already connecting to the server, then using the reply to log the player in. But this command will instantly disconnect any offline-mode players that try to use it, and will thus have to be typed manually by online-mode players every single time. I wanted online-mode players to be "in" instantly, so I did not code the plugin to work that way. This is the only other way of doing mixed logins, I'm afraid.
     
  7. Offline

    seang96

    Can you make this plugin work better with http://dev.bukkit.org/server-mods/colors/ and http://dev.bukkit.org/server-mods/jobs/ sometimes the prefixes of their names don't show etc and the jobs prefixes repeat about 30 times per user. Oh and another thing which I think would need fix is not letting offline players pick their username and just entering a password. Most people login and register using <> which goes into their names...

    If you can do this stuff the plugin would be even more enjoyable for my server! Thank you for a great one of a kind plugin.
     
  8. I've been working on a more reliable way to change the names of the players, which should take care of any incompatibility problems other plugins may have. Coming "soon".

    How do you propose not letting the offline players pick a username? After all, they'll usually show up as "Player"... unless they use some kind of mod/tool to change their offline name. Maybe I should make this a configurable option?
     
  9. Offline

    seang96

    That'd be nice. I think the configurable option would be too. Most of my players come from using mineshafter in which it uses real usernames otherwise they have a client which allows them to pick a username. I barely see "player" join. Also most people screw up and include the <> with their username. I believe the way you use to change players name is how the other plugins i use do it too (not sure exactly as I do not know how to program in java). I really do love the plugin above the rest however.
     
  10. I can definitely add a check that sees if there is <> around the username, and remove it if it detects that. Should take care of that problem, at least ;-)

    I'll see what I can do about the other stuff...
     
  11. Offline

    Ghoul

    Hi,

    the modded client is not working anymore at 1.0
     
  12. Yes, I will add an updated version as soon as I have time to do so.
     
  13. Offline

    seang96

    Hey Thulinma I just thought of something. After I added your plugin it was the time in which my router reboots whenever i log on my server using lan. I do get a bit of errors with mysql and the generating of all those playernames also. I will check if it fails without your plugin and if it doesnt for two hours tomorrow I will send you a serverlog.
     
  14. Offline

    CosmicVoyager

    Greetings,

    Could you please give instructions on what code to modify in CraftBukkit so we can keep up to date with the latest versions? I need the latest fixes.

    Thanks
     
  15. Certainly. You can find the necessary patches here:
    https://github.com/Thulinma/CraftBukkit/commits/preloginoverride
    I try to keep that one mostly up-to-date with the latest dev versions, but you can always clone the repo and rebase it onto the craftbukkit main branch if you *really* want the very latest of the latest fixes. It nearly always rebases cleanly.
     
  16. Offline

    seang96

    Is it possible you can slim the plugin down? It seems that my router doesn't like the extra amount of packets being sent and reboots with the plugin enabled. But this also might be due to the fact of 1.0.0 beta bukkit etc. And the other person did say it wasn't working, but didn't specify how. Hope you can look into this. I can send you the portion of my serverlog that had your plugin enabled if you wish. Thank you.
     
  17. The amount of extra packets my plugin sends is negligible - it shouldn't be making any difference, especially on the router level. We're talking only a few bytes or so per player.

    Stupid question perhaps, but are you sure your router isn't malfunctioning? It shouldn't reboot like that, even *if* there is a lot of traffic.
     
  18. Offline

    seang96

    That's the funny thing: with your plugin off and online-mode false it works fine, no rebooting etc. I kinda doubt online-mode set to true would be the cause?
     
  19. Really, no software should *ever* be able to crash your router. But in online mode the server does make some HTTP requests that it doesn't make in offline mode - perhaps these have something to do with your problem?
     
  20. Offline

    FunCraft

    You said a verified minecraft.net account and I have a question if the word "verified" means premium or the normal account also (this will be good for my server because I use Mineshafter and that requires the user to have a minecraft.net account, premium or not)
     
  21. Offline

    seang96

    hmm could it be the problem?
     
  22. Offline

    SwearWord

    This violates several terms of service rules, if you wish to continue, find a place that's not bukkit.org to do this.

    Thread locked and downloads removed.
     